Edit tour

Windows Analysis Report
RlZ57mJ5Ug.exe

Overview

General Information

Sample name:	RlZ57mJ5Ug.exe renamed because original name is a hash value
Original sample name:	2708091ac73983d30f58e73c7681d035.exe
Analysis ID:	1532855
MD5:	2708091ac73983d30f58e73c7681d035
SHA1:	80637b1cc318a9795f6edc1e541a1e2cb8ee2a90
SHA256:	df2b9bc2925339734c17d5ac782c4e3829f1c8136d428462af477acca2517584
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Suricata IDS alerts for network traffic

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops PE files to the user root directory

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to detect virtual machines (SLDT)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

RlZ57mJ5Ug.exe (PID: 2884 cmdline: "C:\Users\user\Desktop\RlZ57mJ5Ug.exe" MD5: 2708091AC73983D30F58E73C7681D035)

schtasks.exe (PID: 6640 cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\fontdrvhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6784 cmdline: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\fontdrvhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 2656 cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\fontdrvhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3724 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 892 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7108 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6548 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1220 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5604 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6844 cmdline: schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\common files\ctfmon.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 940 cmdline: schtasks.exe /create /tn "ctfmon" /sc ONLOGON /tr "'C:\Program Files (x86)\common files\ctfmon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1476 cmdline: schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\common files\ctfmon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6600 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lcSuFJtLNWPBXChyfo.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5428 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Users\Default User\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5880 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4164 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 14 /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3176 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 528 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 14 /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4332 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7124 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 652 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3668 cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4084 cmdline: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6848 cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3816 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4268 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6348 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 3364 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 10 /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 5604 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7164 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 12 /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1848 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 10 /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 4308 cmdline: schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

dllhost.exe (PID: 6408 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

fontdrvhost.exe (PID: 3332 cmdline: C:\Recovery\fontdrvhost.exe MD5: 2708091AC73983D30F58E73C7681D035)

fontdrvhost.exe (PID: 4712 cmdline: C:\Recovery\fontdrvhost.exe MD5: 2708091AC73983D30F58E73C7681D035)

ctfmon.exe (PID: 6496 cmdline: "C:\Program Files (x86)\common files\ctfmon.exe" MD5: 2708091AC73983D30F58E73C7681D035)

ctfmon.exe (PID: 6784 cmdline: "C:\Program Files (x86)\common files\ctfmon.exe" MD5: 2708091AC73983D30F58E73C7681D035)

lcSuFJtLNWPBXChyfo.exe (PID: 3348 cmdline: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe MD5: 2708091AC73983D30F58E73C7681D035)

lcSuFJtLNWPBXChyfo.exe (PID: 764 cmdline: "C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe" MD5: 2708091AC73983D30F58E73C7681D035)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"H\":\"^\",\"6\":\"&\",\"n\":\"_\",\"F\":\"#\",\"S\":\"$\",\"d\":\"-\",\"P\":\"~\",\"I\":\"<\",\"L\":\".\",\"3\":\"|\",\"A\":\")\",\"M\":\"`\",\"0\":\"*\",\"i\":\";\",\"E\":\"%\",\"5\":\"@\",\"4\":\">\",\"J\":\"(\",\"C\":\",\",\"Q\":\" \",\"B\":\"!\"}", "PCRT": "{\"I\":\"@\",\"D\":\"|\",\"6\":\"(\",\"M\":\"`\",\"=\":\"$\",\"w\":\"^\",\"b\":\"~\",\"X\":\"!\",\"S\":\",\",\"i\":\"*\",\"Q\":\"-\",\"j\":\">\",\"p\":\";\",\"c\":\")\",\"l\":\"%\",\"x\":\"<\",\"y\":\"_\",\"e\":\" \",\"f\":\".\",\"0\":\"#\"}", "TAG": "", "MUTEX": "DCR_MUTEX-75B4g43YVx6naNfWLoi6", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000001E.00000002.2161409046.000000000287A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001D.00000002.2162507058.00000000022E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000009.00000002.2161298870.00000000031D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.2077905139.000000000360D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001B.00000002.2161568814.0000000002618000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.2077905139.0000000003181000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000009.00000002.2161298870.0000000003191000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001B.00000002.2161568814.00000000025D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001D.00000002.2162507058.00000000022A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000006.00000002.2161833890.0000000002541000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001E.00000002.2161409046.0000000002831000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000021.00000002.2161212488.0000000002981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: RlZ57mJ5Ug.exe PID: 2884	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: fontdrvhost.exe PID: 3332	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: fontdrvhost.exe PID: 4712	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ctfmon.exe PID: 6496	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: ctfmon.exe PID: 6784	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: lcSuFJtLNWPBXChyfo.exe PID: 3348	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: lcSuFJtLNWPBXChyfo.exe PID: 764	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\RlZ57mJ5Ug.exe, ProcessId: 2884, TargetFilename: C:\Recovery\fontdrvhost.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\Public\Music\lcSuFJtLNWPBXChyfo.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RlZ57mJ5Ug.exe, ProcessId: 2884, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lcSuFJtLNWPBXChyfo

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Recovery\fontdrvhost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RlZ57mJ5Ug.exe, ProcessId: 2884, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Recovery\fontdrvhost.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\RlZ57mJ5Ug.exe, ProcessId: 2884, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /f, CommandLine: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RlZ57mJ5Ug.exe", ParentImage: C:\Users\user\Desktop\RlZ57mJ5Ug.exe, ParentProcessId: 2884, ParentProcessName: RlZ57mJ5Ug.exe, ProcessCommandLine: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /f, ProcessId: 3668, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE DCRAT Activity (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-14T01:57:01.248593+0200	2034194	1	A Network Trojan was detected	192.168.2.5	49704	141.8.192.169	80	TCP
2024-10-14T01:57:21.964174+0200	2034194	1	A Network Trojan was detected	192.168.2.5	56369	141.8.192.169	80	TCP
2024-10-14T01:57:26.710004+0200	2034194	1	A Network Trojan was detected	192.168.2.5	56398	141.8.192.169	80	TCP
2024-10-14T01:57:38.645591+0200	2034194	1	A Network Trojan was detected	192.168.2.5	56474	141.8.192.169	80	TCP
2024-10-14T01:57:41.943581+0200	2034194	1	A Network Trojan was detected	192.168.2.5	56496	141.8.192.169	80	TCP
2024-10-14T01:57:51.407580+0200	2034194	1	A Network Trojan was detected	192.168.2.5	56551	141.8.192.169	80	TCP
2024-10-14T01:58:06.455264+0200	2034194	1	A Network Trojan was detected	192.168.2.5	56594	141.8.192.169	80	TCP
2024-10-14T01:58:15.999683+0200	2034194	1	A Network Trojan was detected	192.168.2.5	56595	141.8.192.169	80	TCP
2024-10-14T01:58:28.190524+0200	2034194	1	A Network Trojan was detected	192.168.2.5	56596	141.8.192.169	80	TCP
2024-10-14T01:58:40.144339+0200	2034194	1	A Network Trojan was detected	192.168.2.5	56597	141.8.192.169	80	TCP
2024-10-14T01:58:47.009650+0200	2034194	1	A Network Trojan was detected	192.168.2.5	56598	141.8.192.169	80	TCP
2024-10-14T01:58:55.765504+0200	2034194	1	A Network Trojan was detected	192.168.2.5	56599	141.8.192.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: RlZ57mJ5Ug.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\fontdrvhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Windows\apppatch\en-US\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000000.00000002.2077905139.0000000003181000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"H\":\"^\",\"6\":\"&\",\"n\":\"_\",\"F\":\"#\",\"S\":\"$\",\"d\":\"-\",\"P\":\"~\",\"I\":\"<\",\"L\":\".\",\"3\":\"|\",\"A\":\")\",\"M\":\"`\",\"0\":\"*\",\"i\":\";\",\"E\":\"%\",\"5\":\"@\",\"4\":\">\",\"J\":\"(\",\"C\":\",\",\"Q\":\" \",\"B\":\"!\"}", "PCRT": "{\"I\":\"@\",\"D\":\"|\",\"6\":\"(\",\"M\":\"`\",\"=\":\"$\",\"w\":\"^\",\"b\":\"~\",\"X\":\"!\",\"S\":\",\",\"i\":\"*\",\"Q\":\"-\",\"j\":\">\",\"p\":\";\",\"c\":\")\",\"l\":\"%\",\"x\":\"<\",\"y\":\"_\",\"e\":\" \",\"f\":\".\",\"0\":\"#\"}", "TAG": "", "MUTEX": "DCR_MUTEX-75B4g43YVx6naNfWLoi6", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Common Files\ctfmon.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe	ReversingLabs: Detection: 78%
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	ReversingLabs: Detection: 78%
Source: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe	ReversingLabs: Detection: 78%
Source: C:\Recovery\fontdrvhost.exe	ReversingLabs: Detection: 78%
Source: C:\Recovery\lcSuFJtLNWPBXChyfo.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Default\lcSuFJtLNWPBXChyfo.exe	ReversingLabs: Detection: 78%
Source: C:\Users\Public\Music\lcSuFJtLNWPBXChyfo.exe	ReversingLabs: Detection: 78%
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	ReversingLabs: Detection: 78%
Source: C:\Windows\apppatch\en-US\RuntimeBroker.exe	ReversingLabs: Detection: 78%
Source: C:\Windows\security\database\lcSuFJtLNWPBXChyfo.exe	ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: RlZ57mJ5Ug.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Joe Sandbox ML: detected
Source: C:\Recovery\fontdrvhost.exe	Joe Sandbox ML: detected
Source: C:\Windows\apppatch\en-US\RuntimeBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: RlZ57mJ5Ug.exe

Joe Sandbox ML: detected

Source: RlZ57mJ5Ug.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\5940a34987c991	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Directory created: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Directory created: C:\Program Files\Windows Multimedia Platform\93b40338b961c8	Jump to behavior

Source: RlZ57mJ5Ug.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:49704 -> 141.8.192.169:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:56369 -> 141.8.192.169:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:56398 -> 141.8.192.169:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:56474 -> 141.8.192.169:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:56496 -> 141.8.192.169:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:56551 -> 141.8.192.169:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:56595 -> 141.8.192.169:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:56594 -> 141.8.192.169:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:56596 -> 141.8.192.169:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:56598 -> 141.8.192.169:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:56599 -> 141.8.192.169:80
Source: Network traffic	Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.5:56597 -> 141.8.192.169:80

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: a1040171.xsph.ru

Source: RlZ57mJ5Ug.exe, 00000000.00000002.2077905139.000000000360D000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Windows\Microsoft.NET\assembly\93b40338b961c8	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Windows\apppatch\en-US\RuntimeBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Windows\apppatch\en-US\RuntimeBroker.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Windows\apppatch\en-US\9e8d7a4ca61bd9	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Windows\security\database\lcSuFJtLNWPBXChyfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Windows\security\database\lcSuFJtLNWPBXChyfo.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Windows\security\database\93b40338b961c8	Jump to behavior

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Code function: 0_2_00007FF848F4B2CA	0_2_00007FF848F4B2CA
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Code function: 0_2_00007FF848F43440	0_2_00007FF848F43440
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Code function: 0_2_00007FF848F4B3ED	0_2_00007FF848F4B3ED
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Code function: 0_2_00007FF848F4CE00	0_2_00007FF848F4CE00
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Code function: 0_2_00007FF848F4CE10	0_2_00007FF848F4CE10
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Code function: 0_2_00007FF848F43580	0_2_00007FF848F43580
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Code function: 0_2_00007FF848F4B1FD	0_2_00007FF848F4B1FD
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Code function: 0_2_00007FF848F4CE08	0_2_00007FF848F4CE08
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Code function: 0_2_00007FF848F4CE18	0_2_00007FF848F4CE18
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Code function: 0_2_00007FF848F4A380	0_2_00007FF848F4A380
Source: C:\Recovery\fontdrvhost.exe	Code function: 6_2_00007FF848F33655	6_2_00007FF848F33655
Source: C:\Recovery\fontdrvhost.exe	Code function: 9_2_00007FF848F43655	9_2_00007FF848F43655
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Code function: 27_2_00007FF848F23655	27_2_00007FF848F23655
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Code function: 29_2_00007FF848F13655	29_2_00007FF848F13655
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Code function: 29_2_00007FF848F1CD09	29_2_00007FF848F1CD09
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Code function: 30_2_00007FF848F33655	30_2_00007FF848F33655
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Code function: 33_2_00007FF848F23655	33_2_00007FF848F23655

Source: RlZ57mJ5Ug.exe	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: dllhost.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: lcSuFJtLNWPBXChyfo.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: lcSuFJtLNWPBXChyfo.exe0.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RuntimeBroker.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: RlZ57mJ5Ug.exe, 00000000.00000000.2020274940.0000000000E62000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs RlZ57mJ5Ug.exe
Source: RlZ57mJ5Ug.exe, 00000000.00000002.2085252726.000000001C692000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs RlZ57mJ5Ug.exe
Source: RlZ57mJ5Ug.exe, 00000000.00000002.2085177827.000000001C648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs RlZ57mJ5Ug.exe
Source: RlZ57mJ5Ug.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs RlZ57mJ5Ug.exe

Source: RlZ57mJ5Ug.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: RlZ57mJ5Ug.exe, zEBfMopSea6dNuQAYKK.cs	Cryptographic APIs: 'CreateDecryptor'
Source: RlZ57mJ5Ug.exe, zEBfMopSea6dNuQAYKK.cs	Cryptographic APIs: 'CreateDecryptor'
Source: RlZ57mJ5Ug.exe, RZkAuiPoubQ74vUQ0T7.cs	Cryptographic APIs: 'TransformBlock'
Source: RlZ57mJ5Ug.exe, RZkAuiPoubQ74vUQ0T7.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: RlZ57mJ5Ug.exe, 00000000.00000002.2076480083.0000000001296000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ;.VBP

Source: classification engine

Classification label: mal100.troj.evad.winEXE@40/39@1/0

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

File created: C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe

Jump to behavior

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

File created: C:\Users\All Users\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe

Jump to behavior

Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\1f66269959fc73416676c915de9c98f493db0b2b

Source: RlZ57mJ5Ug.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: RlZ57mJ5Ug.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RlZ57mJ5Ug.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

File read: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RlZ57mJ5Ug.exe "C:\Users\user\Desktop\RlZ57mJ5Ug.exe"
Source: unknown	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\fontdrvhost.exe'" /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\fontdrvhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\fontdrvhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe'" /f
Source: unknown	Process created: C:\Recovery\fontdrvhost.exe C:\Recovery\fontdrvhost.exe
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\fontdrvhost.exe C:\Recovery\fontdrvhost.exe
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe'" /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\common files\ctfmon.exe'" /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ctfmon" /sc ONLOGON /tr "'C:\Program Files (x86)\common files\ctfmon.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\common files\ctfmon.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lcSuFJtLNWPBXChyfo.exe'" /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Users\Default User\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 14 /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 14 /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe'" /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files (x86)\Common Files\ctfmon.exe "C:\Program Files (x86)\common files\ctfmon.exe"
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files (x86)\Common Files\ctfmon.exe "C:\Program Files (x86)\common files\ctfmon.exe"
Source: unknown	Process created: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe'" /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe "C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe"
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 10 /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 12 /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 10 /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Section loaded: mscoree.dll
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Section loaded: wldp.dll
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Directory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\5940a34987c991	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Directory created: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Directory created: C:\Program Files\Windows Multimedia Platform\93b40338b961c8	Jump to behavior

Source: RlZ57mJ5Ug.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RlZ57mJ5Ug.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: RlZ57mJ5Ug.exe, zEBfMopSea6dNuQAYKK.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: RlZ57mJ5Ug.exe, U8Orj19C8FuDOVauxp5.cs	.Net Code: DlkDK22Xah System.AppDomain.Load(byte[])
Source: RlZ57mJ5Ug.exe, U8Orj19C8FuDOVauxp5.cs	.Net Code: DlkDK22Xah System.Reflection.Assembly.Load(byte[])
Source: RlZ57mJ5Ug.exe, U8Orj19C8FuDOVauxp5.cs	.Net Code: DlkDK22Xah

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Code function: 0_2_00007FF848F48CEF push es; iretd	0_2_00007FF848F48CF2
Source: C:\Recovery\fontdrvhost.exe	Code function: 6_2_00007FF848F38CEF push es; iretd	6_2_00007FF848F38CF2
Source: C:\Recovery\fontdrvhost.exe	Code function: 9_2_00007FF848F48CEF push es; iretd	9_2_00007FF848F48CF2
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Code function: 27_2_00007FF848F28CEF push es; iretd	27_2_00007FF848F28CF2
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Code function: 29_2_00007FF848F18CEF push es; iretd	29_2_00007FF848F18CF2
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Code function: 30_2_00007FF848F38CEF push es; iretd	30_2_00007FF848F38CF2
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Code function: 33_2_00007FF848F28CEF push es; iretd	33_2_00007FF848F28CF2

Source: RlZ57mJ5Ug.exe, UmtUYPldhdVPF6PXIQk.cs	High entropy of concatenated method names: 'E7Mlu6e5WQ', 'al1b0msuukcSk8Biduj', 'SY7DuLsVS9UnKdUDYDX', 'zPWKPLsbmoTe4DTLO4O', 'qYBa5ys9pl0Gqkjj5do', 'zTQ8JxsqFsU2gknWEba', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: RlZ57mJ5Ug.exe, VlE9IW9ga441sI8V49b.cs	High entropy of concatenated method names: 'yFUPB3hkrJ', 'Y9jPC7Appa', 'EVCJUjYZXh3FGub4w3A', 'RyQY0AYtUTwOlPa6vO4', 'OV9MyAYhHgylot7mvli', 'lDm85gYA8Y5QZYRqsGt', 'aWtPxFXstV', 'YZJZhfHk0dRKy0Mot6d', 'TmZ2KVHr853lERn7pHL', 'FmOiimYURHWdxahHvyk'
Source: RlZ57mJ5Ug.exe, xxOGQFm0IFJjRDABQms.cs	High entropy of concatenated method names: 'IJ3nxTPmg5', 'kae6bYVH07a2L9GYUqR', 'BYQ56OV5nYHxCGMthVQ', 'U1S1TpVfpxDDKmV8W26', 'D4akPSVYQX2WmWwOs2B', 'YYKVcU8lYh', 'FARV7IwT43', 'PTlVfE6rKY', 'n5AVJsuelW', 'gggVdt2trW'
Source: RlZ57mJ5Ug.exe, bm8olJ0aVWwqNcvdTKg.cs	High entropy of concatenated method names: 'dLtQTayG3A', 'Yu2Q1N9VJU', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'xk7Q6X3XOf', '_5f9', 'A6Y'
Source: RlZ57mJ5Ug.exe, GkCAY2lX7hWW5Jvq2kj.cs	High entropy of concatenated method names: 'ChR9Mqp4KB', 'Flu9nfX9SI', 'HmnnL2OKkFkhkH7SOb2', 'rH0G63OsvbRObGMqDod', 'Flgb9aOOgxbxI2LqZb9', 'rl9HPZOgWi21ha7h380', 'YexmfEOiJjqjSY74d0T', 'nTMjOTOMw1m33ZexrTM', 'XUYo02OSuwkH6TjBnV6', 'sPyax2OIeFvLiI9dbre'
Source: RlZ57mJ5Ug.exe, NCRS4LPIBnfdPMmVAKy.cs	High entropy of concatenated method names: 'dFx6sU7c28', '_1kO', '_9v4', '_294', 'rnU6biZtdf', 'euj', 'KkG6O0jeb7', 'WK06QirgX2', 'o87', 'GPd6NpXiQK'
Source: RlZ57mJ5Ug.exe, yZ7ICl9oO1bMVVfCnQo.cs	High entropy of concatenated method names: 'kHX9QvkFpU', 'zEH9NHEEnF', 'epP9qT9TR7', 'GrX8wxKJ4GI5PnBmHqS', 's8BpylKxjfCsL2EmxnM', 'NWp2i0KGIkby2XmwKD3', 'YXfSWeK4eihnOYsmbud', 'lecdxhKo2ZFMIwhgKuI', 'pktTM1KCAxc40OsQ3DA', 'JkmAmcKnjMjvGWMSSTy'
Source: RlZ57mJ5Ug.exe, XAGFcHmyP9qYuMiAnhm.cs	High entropy of concatenated method names: '_7zt', 'lZweGCar6c', 'auneAJdFv4', 'WEse3NwcjN', 'USIetfwB9B', 'wkPesbnGdX', 'A8AebqInu6', 'QcliSWqb3kCiZKiCmB2', 'sR5kQsq9YxVpah5s2mx', 'GadTdPqL11mUPmG8GO3'
Source: RlZ57mJ5Ug.exe, MRxsOylGOVv25K9nVWp.cs	High entropy of concatenated method names: 'WZol6M431D', 'w2wpJ8NYFi7fVHuGLUJ', 'Q5SitvNHbinjuPfPQnA', 'UJFcL4NIwXpmL3obZMx', 'EAINUTNfSbHVxJEf7SJ', 'WeexDlN57NFo1y23sL6', 'a25TCLNP25g2ZY6ptmM', 'xVrO6ANLA44NOPDK7Lq', 'R9aK8bNyocIP5pxGKUi', 'f28'
Source: RlZ57mJ5Ug.exe, xWugiLDKy0jkXNbgU3R.cs	High entropy of concatenated method names: 'ekdBRpQJAY', 'sToBiXSodq', 'S5EBF4GLHN', 'JjaBXZ01nf', 'tC6GdFLxXlgpJvvUV3M', 'QVCr7cLGmQmExJ6Y9Tb', 'bwG3vXL4BmSrq48ynEo', 'HFULY2LlxP8wUXccETn', 'QS1TXOLJLAmrw00dGBp', 'cD35LGLo23kcUqHAeEZ'
Source: RlZ57mJ5Ug.exe, o5XkUf99SFFZIjIm5Tf.cs	High entropy of concatenated method names: 'v549Y4kOwl', 'bMj9rRxsOy', 'wVv9I25K9n', 'iWp94aTi8c', 'MuX9WTTOGV', 'eyP9uiWHS6', 'TKEh10gYj7onLwdMrAx', 'O2IHxIgHtxER60cbsNy', 'gxAahpgI29gsrG5QTvO', 'Opp4nJgfZs9wLMrtZIY'
Source: RlZ57mJ5Ug.exe, bUIjww0cGifHRrnlBMO.cs	High entropy of concatenated method names: 'xwrOYabMrP', 'o3yOrSCA5Q', 'p1BOIqGpR1', 'UYHvsoo2176A2idVkM1', 'M1GjKAoCiiQm8VJVDSk', 'VDfnO2o0M7E9lR7AUsV', 'YS52uBovD2oLtslSmbj', 'PFKujXoD0wpK36YIvqM', 'AUJHXCowCPGpbpCGY50', 'sKwBKboR8TpG1Iq6hYW'
Source: RlZ57mJ5Ug.exe, h9sEEfXYxGCRC9QCIf.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'ES3C9fQwi0LmJjdUd5V', 'mLAybRQRDwUTIFqkf5Q', 'otT4eBQeDnyvwishKAk', 'u0fMwjQTw1nVW210GaM', 'ifP8EaQah2ovhDyqi17', 'rWrZFoQdp78I7w9nU2Z'
Source: RlZ57mJ5Ug.exe, bS3sfLllVaL4nDFc0ru.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'ICWTUpm5tH4qmiM108u', 'MyN3HlmPXWxPp1ZGrnf', 'lA9ughmLbgQonHJoqEp', 'BZKtQAmyTMQQKQm5sJd', 'dRnijSmbw5qXZEhDXYx', 'mxL9gMm9TDcsqOZS0X4'
Source: RlZ57mJ5Ug.exe, VFg9j591ApTYWhkyGpT.cs	High entropy of concatenated method names: 'mT4mhD80ck', 'xnJmaKVi07', 'Uc4mzAfKx6', 'rpF0o5fnOb', 'ur90l8Egkd', 'sas09NjiLv', 'fY90D3MwoU', 'qTc0mJZk2t', 'Nji00Daa2b', 'Tlj9RVIZRqLx7gOy2CG'
Source: RlZ57mJ5Ug.exe, lccF4SD4w5v8Tm6QJp5.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'jHCVMeh1S3', 'El9Io5hvcF', 'AIlVnkX0wb', 'R5UIvCaTnQ', 'kW2BnB9CQkhZ7YKpjGH', 'sLXeKi90Z1QboXtDVQ5', 'TmrRwK94lS8snH0p4aH'
Source: RlZ57mJ5Ug.exe, nlWtFX9astVQqeinywU.cs	High entropy of concatenated method names: 'JQrpQvZj7w', 'JPEmGEH8oHjUhpSBHRO', 'ctOZe8HaRlCUDaIHl5S', 'DxQyXiHd8HZQXGxp2HD', 'fnmGvKHcpSMBbeyAOV8', 'PbIhErHh1qyA5yuy56i', 'rcIpyO1mqg', 'BUypGMLMYj', 'eQcpAOS6xT', 'DqUp3yc5hi'
Source: RlZ57mJ5Ug.exe, P4jOIu9xWfpuZxJa9aY.cs	High entropy of concatenated method names: 'g7bDhWUh1K', 'BimDarvUCJ', 'urwxDDM59SdbJNJu1sw', 'qgUvm0MP4WBUjBWGMUs', 'dPAPb8ML5oyL4QQEWQI', 'aXQI6MMyJRNrImnvIdJ', 'r6HaLYMb8o3W74XRt2b', 'ffJCrEM9IkfEkfDQZ93', 'LeTsAZMuyj3msihKsE7', 'WX9S1KMV3v5wyTQwS7k'
Source: RlZ57mJ5Ug.exe, p7HlHpP1banwvrgXWfD.cs	High entropy of concatenated method names: 'twBqCoIO8l', 'moAqVr7nIB', 'WBNqMCjXZw', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'VDhqnbh02w'
Source: RlZ57mJ5Ug.exe, ByqqHplQQ8IPHVuEnoD.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'jAyWRiNTf3Y9RdGO8tF', 'C3PgXCNadkAkZcwJ67Y', 'iFRf40NdOO7mwG6Ivgm', 'uKVbH5N8mFtu09S770A', 'XKxaHYNc3IRWipXyvQa', 'bg9X1ANhNr73uKGDlsm'
Source: RlZ57mJ5Ug.exe, qKL1aVlcqstA350Nb1H.cs	High entropy of concatenated method names: 'AJklFGo121', 'g3LRjms6NvurRM2KqrM', 'mmDCAwsBky27Mevrmas', 'njW4qGskikTqwLJKAym', 'MPIl06srJXbLKh4tdW9', 'hSYYv7sQqcXy2v25gJq', 'ajwkm5sXRwLmwQvafCG', 'cT7HhIsmto8nqJRBlIG', 'FJflYdVNby', 'bRHXpDsFh9oqEKXdTVw'
Source: RlZ57mJ5Ug.exe, ltBuerDuwAl9wNFYvZG.cs	High entropy of concatenated method names: '_269', '_5E7', 'fv1IcKKAXy', 'Mz8', 'Ls4I7KmXrn', 'Vt9hwp9cnFgI8Q8mjDA', 'aSH67T9hpZ7fM7OX3lf', 'pfg7Zx9A03EHMvEJSpL', 'IlQmsF9Z6tEgr24syOq', 'hiyZoq9tlNeWEX4tBiN'
Source: RlZ57mJ5Ug.exe, rxLIpD0kAMwqDMiEbfx.cs	High entropy of concatenated method names: 'usyQm6N3tn', 'n1jQ0e4WCG', 'vnMQP2P7Th', 'X7BQpydaNZ', 'fexQBq5WfS', 'lPxQCEq5JB', 'SnwQV7wRDy', 'vYfQMrJrkH', 'Fw6QnjZjui', 'CtvQeQlPC3'
Source: RlZ57mJ5Ug.exe, JdvZj8m3gJYiPvvRQ2D.cs	High entropy of concatenated method names: 'A87eJJysf5', 'yHdedWmY9g', 'KoQeHevbFZ', 'FGMeEqfrIW', 'iyiewGeXtp', 'PRYOoPqGqA1p4Gd5lFt', 'PDut3pq4L1lPG3CHOuy', 'JL3E0nqJddnhE17gRAn', 'nTNfjrqx0IOfnsLhyYf', 'xIm8hfqoprnABlCUP5v'
Source: RlZ57mJ5Ug.exe, oEpt6OPJ1PFUJ22lnXb.cs	High entropy of concatenated method names: 'LMe0qwwQlKSPpNeQgVU', 'CmcT69wXjsSBFJT4f4m', 'NAx9YBw6pXf68q5UsoK', 'nrP399wB6vCpOjY3B24', 'LTRqdLiBU6', 'WM4', '_499', 'nP7qHsNTR8', 'JcxqEKLiD3', 'z4rqwAiykZ'
Source: RlZ57mJ5Ug.exe, GyOmB2TlOH3mPnqYL1.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'qESSiZ6OAYFOirsCj1G', 'ibjeeg6KYchV8tq5KdB', 'EItjtH6gGRnL3BywJup', 'I9pR4n6imiEV4BnBN15', 'vGreuM6MQprf8IC2vdA', 'G4fxJs6SyCkJvF7ZIaC'
Source: RlZ57mJ5Ug.exe, dSdLdv0dIBo996ys5xc.cs	High entropy of concatenated method names: 'nZEQoDNa9O', 'Gq8dRZoE1ihV678Kuul', 'PKLOvdoZscGGpyVGLJq', 'Gn51cuotEnfCklVjfhS', 'jrqZwqo341bhuexKTmf', 'GPAlRkoU3BXDqXp8ARo', 'mschUBozgNu0XRrMfC9'
Source: RlZ57mJ5Ug.exe, XUaEbSlCmDCsssxWCuA.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'w4OGAgjjsYK5xm9xKgK', 'bGB2VujNqMCiMhuHgAg', 'dFHbsHjFEslhkPJgZHs', 'm7QGEPjsvcXDBiYp6x3', 'XQXtpdjO3jx7Sm8H2pb', 'tv9cixjKQRkfwCVdxX8'
Source: RlZ57mJ5Ug.exe, a16LN0me4tlIMD25Yf0.cs	High entropy of concatenated method names: 'xhgnHjA03i', 'DT1nEvrLbh', 'f9mnw8olJV', 'TwqnUNcvdT', 'ngrngUgFXx', 'XmuRXlVURnVfPgEw8FE', 'eTOB3YVzNxYYJu0oUeR', 'OnR1HAVExAJeZJbyZSd', 'VwasPoV344vcZctjJma', 'A3hxXNqkvCPMHrxqUb2'
Source: RlZ57mJ5Ug.exe, YgdtFkPQCseYEAPX9jl.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: RlZ57mJ5Ug.exe, djhRIE9wuR9iUfBux2d.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'v4d0d7mSH7', 'HxT0HUmjhR', 'REu0ER9iUf', 'hux0w2dti6', 'X0x0UiFtrI', 'jjUJ3LYFkkJNNsXeLfH', 'CAZJMrYswTPK3oohGMu', 'oydHYbYjdiOnMRLlman'
Source: RlZ57mJ5Ug.exe, JhvgBuDeGp8NW7ngQ1Z.cs	High entropy of concatenated method names: '_223', 'lQlDNoLYTIPkKqbkmIV', 'mpP3PTLHEcJh0qqTwnm', 'KFdw7SL5IjnM36kZUsX', 'mjUHXOLPZXom5r9vi0i', 'z4XJNmLLEGgifMk9BhD', 'ogef1jLyDC1IAkYDZev', 'fFlhfHLbOefuuIdSUry', 'vtXMDjL9gpYoDCHv9Gn', 'w51jqLLuoCEKLZyhyf9'
Source: RlZ57mJ5Ug.exe, JrpEiSDGWQulXsIMCrk.cs	High entropy of concatenated method names: 'QxjCvqWYUd', 'nZjC28gJYi', 'fvvCxRQ2DW', 'kjp9jPywcPNuxgC3T4V', 'kl2xS1yvPAIjZt6RRBx', 'XKdYuZyDeMvsTcZwWRC', 'Vdx79yyRLT6POHGALK9', 'Vi3CPDKf37', 'R4uCpyyqkO', 'OWRCBBtIdC'
Source: RlZ57mJ5Ug.exe, V2dg8oleTEoRmpjph1A.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'QFUI3wj1HYkG0MPdIqy', 'Uqgy5Nj7ihpKT1Crtwb', 'm0hPWGjWPaFaL9Lslv6', 'iohYaRjpBPr3Pld71oD', 'LEokEyjnsOqeaoYHDkE', 'tGNvmejlyqjsit11H5E'
Source: RlZ57mJ5Ug.exe, qkX4ZVNDZGJ7D3pNkj.cs	High entropy of concatenated method names: 'eNtdT0vlk', 'dR6H6lHf7', 'h7yEDnutM', 'g8qOIWrCtFdTS8olVh5', 'QKC4Qvr4OTdEooDjwZa', 'YBA7nXroBrmBTx9B9CZ', 'xKWv4or0DQRkOfyOCBR', 'd8xTSSr2gLR5gcR4NK6', 'QMDF5xrvYBkx0AxVqT5', 'i3c1dArDYcFbN7asLrt'
Source: RlZ57mJ5Ug.exe, U0wTyEZYp5Xx0Ylrhf.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'xjh2lKXRRxygj75GgI9', 'wSKY4ZXe9qMdFXrUPLE', 'ICy4R7XTmU6C1IAFdDy', 'rsXs8BXalpRSp5BURpo', 'JSP9g1XdCtlIM048fZJ', 'PWkXcLX8PiFVg4FpqMA'
Source: RlZ57mJ5Ug.exe, P9ggoQPbevbFZJGMqfr.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'eOeNO1MX1s', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: RlZ57mJ5Ug.exe, V185b10UXX9xaS0rnJk.cs	High entropy of concatenated method names: 'GFU0w0CXTYAXlbUjxhb', 'j2FFSBCmwRwhubQriDG', 'ntcGrLCBlgVRdTG7vin', 'Uu32B5CQpO43yYScivT', 'yDHDv7CjafLMlMUaYj2', 'kLfXR1CNC3bPOftl0KF', 'EAwQ98CFydcPeWDmNk4'
Source: RlZ57mJ5Ug.exe, f3PpLZjoM431DhX3ei.cs	High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'un9jcfQOuZYouHQe2Um', 'LF84wTQKXC2IBFI7WtD', 'R2jqC0QgbkkmqTnor2P', 'vOJhKmQiCGPoo1yR0fs', 'WvdpLhQMHsWRYbGMJBL', 'hx8JJ2QSEVA3Ex2quvK'
Source: RlZ57mJ5Ug.exe, uuXVt2lqCR7SPnGsp2L.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'HlN4y5NUNRw4dSB4yqS', 'yudXhfNzA6g96K4pr4D', 'x3Chf1FkQuXYLS6htV9', 'A2LnPTFrSf9TFY3SZDq', 'tSYAwpF675DrTbHrn5n', 'eMdlTaFBIC7KcaLagki'
Source: RlZ57mJ5Ug.exe, TMvQ76lK7Tqfsahi52P.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'Te5c4Fj0c1ngaBVZIsm', 'bXZu3Cj2pgjXdUdHf2e', 'glheokjv0tAJUW7Gg2y', 'dL1hy2jDlKlRD71RJuf', 'c6hZh2jwu0F5QqW6Kxx', 'ixc4L1jRJBA2KyxBisn'
Source: RlZ57mJ5Ug.exe, FRFHIgiHQiwjKHGqUV.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'X2vg3SQYrD2i8kRnhnv', 'isftuBQHcj59D2EfZHk', 'fteJAUQ5kfRwuH6PurM', 'akEiTPQPE0CdxD1j7Pr', 'LKIad8QLuFHbNPvMWUr', 'RaNNEMQykNIPBdciCGS'
Source: RlZ57mJ5Ug.exe, hZxxHUmM24TZRNvjWf5.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: RlZ57mJ5Ug.exe, aUVkXIl5WvialMerJ5Q.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'jaSB59NkHptRvOUkpBP', 'y7qS58NrOBao21FQQ78', 'eFstSgN6Q1sJhOJTOwT', 'gkHHpgNBulL3JN5FwC9', 'klTc3uNQXNnfNhg1jGi', 'DAbQB2NXHA973IUdY8y'
Source: RlZ57mJ5Ug.exe, tewd25gKv76Ag2AsBN.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'SFAjlbBtHaLTaToQesX', 'sZmLwQBEJBabt4A0xO7', 'aX7CEIB33wT7siCS6ES', 'NGYheQBUpPtSiE4qg6t', 'mUqonwBzbFgaq018kZd', 'ffTtNVQkNeblbS9222H'
Source: RlZ57mJ5Ug.exe, t9JyrPwxOKM1s1Ckr1.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'fG7Qo2B456VfCuswF4p', 'YesHUtBopZktTmFUiED', 'ojM16PBCGD2AlrTAxHK', 'vhoftWB0Re29qRmCuZ5', 'ObQmRDB203ViCRGlblS', 'BHkNJvBvoWakII6IvIr'
Source: RlZ57mJ5Ug.exe, PUZfXIDr9CGbEEY0cMQ.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'p8eIAfgnuV', '_168', 'L0tVF29VUPetKMXc9q3', 'y1sjUc9qvGy9o8tOKEg', 'kmSALR91jNCpuRh7ecj', 'wcPUui979FZbmHBkq3D', 'tKCZCE9WBU5qSB8njDc'
Source: RlZ57mJ5Ug.exe, YM9uVBluuKqjjqB9hlc.cs	High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'ag8IysOdXlYqDMIW9X0', 'euYt83O8CCMnQnM4KA6', 'StRa4lOch5HQEP7jDj2', 'KqDNLWOhXGMPKHXHlnG', 'Qhe0dQOA2JVJxP9Cnuj', 'wtGgYHOZHcMCN5f9h3B'
Source: RlZ57mJ5Ug.exe, hWPBE3pQj8QirXpQei5.cs	High entropy of concatenated method names: 'PHL7OFSdjW', 'fli7QF1IGc', 'S2X7NcSTNu', 's9B7qbBfDY', 'tG47TiX8hP', 'MOH71I3K6p', 'Ygh76RcKxF', 'cLZ7cCGtUI', 'uF777eJMeA', 'Wsb7fm9ral'
Source: RlZ57mJ5Ug.exe, WM7q8Cpx4OhK1JoZRT.cs	High entropy of concatenated method names: 'Dq8SCx4Oh', 'UIEb75JPYEUxP0IxL6', 'JwqOjin0hWIvmPv34l', 'k3YbhHltTJWXtKt0dh', 'sIv86jxvB083qS9wWs', 'zN9R9HGxoTKmLDhWFQ', 'rj79dLfX9', 'BImDc7G7t', 'kZLmTgEJT', 'kKu0iaHin'
Source: RlZ57mJ5Ug.exe, bZhu6j0f7FTJml4LDwu.cs	High entropy of concatenated method names: 'DDDOWSsW1Z', 'L2pOuiK5Z2', 'CV4OkgU7y3', 'OA9OZyx59P', 'oHpOLPPg33', 'yq6OhG8VG4', 'r5hRrxoa6Yr8qLfnjWx', 'Ox2wYeoefsSAnMDZsi7', 'A3tTjZoT9hf8t36uswG', 'c4TQyIodMpE5QYEx0oJ'
Source: RlZ57mJ5Ug.exe, gOsRcfDZR4LWly8IGKl.cs	High entropy of concatenated method names: 'K7eyZPuo5Omy6qHPNq0', 'h3vRlbuCrYM7ZP48syA', 'HUiekLuGve6sivR6aA0', 'yP71Peu4iS0vkbYabkb', 'IWF', 'j72', 'n1DVxO4Bqp', 'T7DV5i5r63', 'j4z', 'GWCVyJYc32'
Source: RlZ57mJ5Ug.exe, pknoJJ4fdVNbyYWECh.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'GRSSwOXSdR45GjFwftr', 'wHN5UGXIr5iZBjGyJFB', 'USWWbFXfwcEbXZd69JS', 'BH39uHXYCIe70s9oxU0', 'rEX4tjXHyNUNCZTf5bQ', 'uBLWknX5rHEDLftyGFD'
Source: RlZ57mJ5Ug.exe, Aqt9PwhyPFkgCYjakw.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'agvqf2XAK78d9Meelhb', 'ispJ8JXZfEeLAF3lP8X', 'doTK2eXtRgUGyRr5nvj', 's6tB8eXEcRC9opmnpR5', 'qAtVwrX3DJFwDilhA9F', 'TDRldlXUoIKmD15Um5P'
Source: RlZ57mJ5Ug.exe, QUs19ruOtsKf7M6e5W.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'aL36OlX7GfG294IRHFi', 'WabiL0XWZSVjFbKvyP9', 'waiCB3XpexjmMCDesua', 'qbqeFnXny221MZhGjK3', 'lVMNxNXlW06sPXU38ae', 'NfyBdyXJH1qGu1pCAUu'
Source: RlZ57mJ5Ug.exe, KHOvWo0qRG8MewgdUZf.cs	High entropy of concatenated method names: 'z1DOUSACci', 'kM6OgySqAN', 'A1lO8AlM9C', 'iNsOjNdOtv', 'F4BORVijji', 'IpjfIqo7gFEpO1HAFYL', 'zniVlaoqwIxsaTdNwwF', 'rNxkjHo1vcoCxfgBKZF', 'U88ZcxoWjhNItjhgpOZ', 'gygxtHopiejHBL1LZQ9'
Source: RlZ57mJ5Ug.exe, cRcBK5l48qHQZuwZp7b.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'QjuYw8Olif1QJd9dnaR', 'UDj6xVOJOCmDHoJWBG9', 'cCBjEqOxr5S4IN9ADfN', 'bUo47GOGQXEDLyGn8sc', 'BsQyrFO4HaQCmQGTYrx', 'L9exhLOo6xKKsn4LKa3'
Source: RlZ57mJ5Ug.exe, zEBfMopSea6dNuQAYKK.cs	High entropy of concatenated method names: 'UNa7vqeqSxE1XME5qxQ', 'dTDhxMe1crTiAY640tt', 'XZ7X3Heunn5wUTedVpi', 'XcJCSDeVTd83ZR9Yeii', 'tau7KKhKD5', 'lRyEqgepHeFfCvLscfd', 'E27wH9enx4bZdIUHj6c', 'nSX0ZKelaL3hIoqXDYf', 'HB7UrueJZIWWibOlU04', 's11rOyexx6P2iv2o9aK'
Source: RlZ57mJ5Ug.exe, PRu3SupM3iXEj7v18bb.cs	High entropy of concatenated method names: 'BaL4ulBBZsh6Z', 'GIu6haeSm7URMpObjV6', 'ao1pKfeIgjVSct1AZas', 'JLSMPVefW8YLiLLlxrN', 'mVCFDJeYgAlMxP4RRUs', 'UIP9wseHR30yFd2EGpV', 'SP8YIZeiesKxUQoRavp', 'wXiub9eMyl8mVFyENse', 'c3Qp9me5QAB0ESRwoRm', 'U6qbJXePfyIxDSobmp6'
Source: RlZ57mJ5Ug.exe, MVvj5nmhLiZIvEqarVd.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: RlZ57mJ5Ug.exe, avEPm3lwwj30ImJEd02.cs	High entropy of concatenated method names: 'qXxlh0Ylrh', 'AtsxhTso02Xm0OpR696', 'bwHDK6sCebjc6LcaN5D', 'i4ygmOsGFb2HcYKapXV', 'NUyZ2ms4wasWdxLKiDU', 'M38MArs0PS3pIuUdoDR', '_3Xh', 'YZ8', '_123', 'G9C'
Source: RlZ57mJ5Ug.exe, nOpWbWPPWncxo3una0J.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: RlZ57mJ5Ug.exe, MXLIpLDlkPY1atGHY3s.cs	High entropy of concatenated method names: 'CFJp6XrUyH', 'zFLpcuYt9p', 'WQLp7rTu8J', 'wompfnjmZR', 'oLKWcIHzk6ljn53D0dL', 'qaBTgXH3jBkfmcooTCW', 'Ef7wnvHUEbWwp1du5Sr', 'trKKJ35k3QioGNeBhAr', 'wnZmhY5rE9prVqhhHra', 'yuwhLm56hmiRelGZ4NI'
Source: RlZ57mJ5Ug.exe, WLl8yflrSbHCUgdOfI5.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'MBklvVOLMmmI5KMVdt1', 'KRfrOSOya0PNo465Len', 'tCbQDKObUGHJdj2vSHG', 'dJZx2iO9etRRjkD0xte', 'dZQ4UYOuut9xTvRaQxr', 'O6QUZHOVJ8a435g0vVi'
Source: RlZ57mJ5Ug.exe, Ya2bh19sv6c9Ys650Qd.cs	High entropy of concatenated method names: 'fuFm37TFEe', 'POgmtOqanx', 'NsBmsgmknG', 'zZ7mbaQqCQ', 'NHBmO1voFQ', 'CCbvRkIkjPWvKyRjle9', 'cEjrqtIr3UkMYsJdIOE', 'uNEsgHSUo5etqlqeNqX', 'OywllbSzM4rB9vwdhqW', 'R8s3EJI6Gl3WTWQTaYv'
Source: RlZ57mJ5Ug.exe, zMTPLu7m8e9UwrQ1Uo.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'vXngZ99YU', 'w8hUbT65hOaXJRo1WGW', 'd2mpSA6PRBUdRQvSCVB', 'mchIMm6L8P4R9nxRPMe', 'ui4dpo6ybAeka5g0dsv', 'PTLGve6bNyxQ88pBmYs'
Source: RlZ57mJ5Ug.exe, YrpYbG9KVHo6fWT3S4P.cs	High entropy of concatenated method names: 'mEDDZRcBK5', 'HZGVlGMBImJdg6sntWs', 'kg4s0cMQTMwGZys7blY', 'XbJMsEMr9PeYCBtshdh', 'LELFFkM6sfwIWSx6Yj7', 'hI39YRMXCeBGZ2MdfTt', 'q086S1Mmc6TFZchi13f', 'gbMdxyMj0w3AfRYsAkQ', 'M69bNIMNpRI291nuJs9', 'PJ4ieVMFOaos81IveZa'
Source: RlZ57mJ5Ug.exe, bTVnfcmIttuoJOev1DO.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'o18KvbbHUg', 'O25K29gv8S', 'r8j', 'LS1', '_55S'
Source: RlZ57mJ5Ug.exe, rpaXl2lDRO0jah2qmaD.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'P3Kma6mp64BQuI8th4W', 'dA6dpKmnLvkXGpBwXQR', 'Fg5AIlmlPVA0j9GeQ0D', 'FB2wWlmJFdkX9MnkqdI', 'mYQfQNmxybtwWcOvCyb', 'S6EVwMmG40NCT7N9c9X'
Source: RlZ57mJ5Ug.exe, RZkAuiPoubQ74vUQ0T7.cs	High entropy of concatenated method names: 'KbiQFAcY3f', 'bBaQXwYLGA', 'u10QYQUGRT', 'SXyQrkTFX0', 'i5iQImisou', 'otQQ4sjBJX', '_838', 'vVb', 'g24', '_9oL'
Source: RlZ57mJ5Ug.exe, LGO7hU9dCbxGjby5r0c.cs	High entropy of concatenated method names: 'L8G06O7hUC', 'tTaoQQf3yfuifbuVc3l', 'Kbdu49fUOD7qqVyj7Ms', 'B19Zhcft1v6mq3iNnKA', 'sqxDAOfECuU54VfjWZe', 'M65XP6fzP9IMFCDUhwt', 'QI42veYkyN9w0FO6A62', 'SwyjmUYrAgG5oB29DR4', 'iZkTF9Y6ZBxa5WZOI9P', 'kn0o2SYBEeHKwCuyVYp'
Source: RlZ57mJ5Ug.exe, JjaZ01mCnfRpIcWFvPW.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: RlZ57mJ5Ug.exe, L0J9DHlaCWbdbufbXI8.cs	High entropy of concatenated method names: 'NOf9s7LBhU', 'YEb9bSmDCs', 'vsx9OWCuA5', 'a89bbDKOM8XCm32ilLW', 'UtHGPuKFay47YWQVA0L', 'M0UPDTKsh5a58VN6Grs', 'q3a2abKKLPS9Ok7RKYY', 'PQXUJZKg19urq8JrDbb', 'w977HPKihxlyqC0PE2o', 'GIay9IKMmbAQZg84aM5'
Source: RlZ57mJ5Ug.exe, ojbFwYl17KkNk3KHmIN.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'vTtm8wF4PYyJDlUQRJ8', 'un6ogfFoTQJwPvXWsDu', 'Ag1xe4FCdWYaAEtL4k1', 'SasOMkF0JfwE0FJ1lEg', 'fcxOhTF2YmwmRfIHoFC', 'kqtTxnFv0U5v3BkvPWO'
Source: RlZ57mJ5Ug.exe, Vl4dXIDjBUkjogIN8xJ.cs	High entropy of concatenated method names: 'sg9', 'M3eI5JH59C', 'lx3ChFf3Jm', 'uEVIpbU95y', 'w4BRUWbaZ00tgIu9WQP', 'lhEFNdbdkgyVAEeOFhp', 'Nokuxkb8hIPmN6uf2GQ', 'opKctTbepGC7Ow0VV9A', 'heFfTKbTlBGPTay7OfN', 'Bafg2NbcUNjYkAefBdc'
Source: RlZ57mJ5Ug.exe, AMn4OWPE8Y05Hxt1TY8.cs	High entropy of concatenated method names: 'E5j1wTcR05', 'qd8pmpwpVd1sA8qeQJg', 'O0uMMewnF8YnbN4bWjZ', 'dIDefNw79LMco9lJSUj', 'uSVOoowWTX3qopJPniD', '_1fi', 'fcTT4Y0lB1', '_676', 'IG9', 'mdP'
Source: RlZ57mJ5Ug.exe, f05n6B0WUFTVIfkgdTp.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: RlZ57mJ5Ug.exe, rvfytXr4KuVsAlCOem.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'RxkWERXmlCTdPbt6dGY', 'hwbcLjXjqWD15DVfIGU', 'WxE9e4XNJgXKdO1V9TX', 'NaPFOjXFaYYMwVHRdyK', 'XOIrJEXs6JQWZEEkjJR', 'vJacSLXOMWf31xWeDat'
Source: RlZ57mJ5Ug.exe, chubFJzCXa5KwwkHvU.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'CaRrxomBjF1doISfopr', 'txWRKtmQGHMcnyHgSfb', 'V3xy9ImXMXnN2ZoQ0e8', 'rIfsV0mmJULZlM44r68', 'FqAElVmj6vxLFekcsEJ', 'BUZrLfmNQ7vUuav35uI'
Source: RlZ57mJ5Ug.exe, wZSdqD0LU2aKwUtBYLd.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'T2OQb6YlwJ', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: RlZ57mJ5Ug.exe, BkDEdMl22GftajZ8Mib.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'z0vI59jhAEL9UWUKN22', 'mQXYH4jAeC9A2rMh0Gp', 'C0NVxHjZXDNUrN8q1va', 'EfdRJUjtQBvj3nasiUn', 'dkKQ5EjEPK8LMC1CwFD', 'X1Yiymj34pv2uTZXIQk'
Source: RlZ57mJ5Ug.exe, WB58OsD55jqYKVZEbXF.cs	High entropy of concatenated method names: 'o4TBWZRNvj', 'Tf5BuShaGf', 'hTSBk6Q40o', 'HqCBZCl16L', 'y04BLtlIMD', 'CuEdYNymWtaMgmW6wcj', 'AJPHNYyjJcpS6mW7ht7', 'yOJvhhyQ2twebYEgfly', 'g2BofnyXcepmN4a48Ct', 'QStJFVyNOZpIJQ2LJbA'
Source: RlZ57mJ5Ug.exe, IwR728mucJqZFJLVBNm.cs	High entropy of concatenated method names: 'PPKKhtbqUA', 'lueKdabgoD', 'yRgKHwoHZZ', 'sXYKE6koLB', 'oHDKwMUHJr', 'UYSKUufekf', 'pJQKgX3Vh9', 'ScKK8mCoYh', 'BCVKjDQvPX', 'HyDKRtF1Cx'
Source: RlZ57mJ5Ug.exe, bHkErFsG9ZSihw0UsL.cs	High entropy of concatenated method names: 'neoOm4t29', 'hhbQ8ra8g', 'EyYNRsmMH', 'Oy8qlR9CQ', 'NdRTsRR2D', 'W9n13VjYj', 'ELJ6bvv9W', 'kwNNV5rNifoho1BB7tX', 'ICkQburFvyfQL695qVT', 'yGsKGgrsr9BmS7tAw2C'
Source: RlZ57mJ5Ug.exe, rUKUDUlb40Ba54pqlcc.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'hgenPcNGfBejyOHEl79', 'V3ErNHN4MJ8ZWknD6yp', 'dGnLoSNodGJ0opFCKtF', 'QPE2N4NC4mGC2HPoS8D', 'qlfbdNN0LLojWYcCxLu', 'mbFylYN2q47ZhSLCNPp'
Source: RlZ57mJ5Ug.exe, YnhTNdDzalA90UjG8MR.cs	High entropy of concatenated method names: 'E6RVTVvj5n', 'WiZV1IvEqa', 'RVdV6w1A8j', 'DGPO0Cuve29hTkPlCOV', 'g8X8BruDbJmH7BAVExU', 'vvQbJcu0J0d3ujkg9E7', 'f7R6apu2ckLwqXcLxXg', 'aCn2nvuwGJ0LikwU8iQ', 'OXMbHfuRIRW7urPPDvb', 'TogrqSueRD0GaxyXZRF'
Source: RlZ57mJ5Ug.exe, C4AfKx9A6ypF5fnOb3r.cs	High entropy of concatenated method names: 'we8mSNZ7IC', 'bO1mKbMVVf', 'FplkLlSufAw7f2hKgFI', 'YY4sorSVXJoWPtMsEHB', 'CgNNfsSb8jkNHNlCaun', 'lmAb7WS9ulONUTc5s8U', 'SkwUxaSqWiMO4mkBu85', 'r3cFpwS1Q5BRpghmZcg', 'UDlrPjS7btWjaPGLZn7', 'OGs4OeSWU8IbWhVLEww'
Source: RlZ57mJ5Ug.exe, dMc9cjPq3PWtT2JeFnn.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: RlZ57mJ5Ug.exe, x1QEhgDXMWbaLO7cRLe.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'D0eIdwFfgq', 'z1kVm74Ioa', 'zx8IteDPXy', 'FxMY4n9iKdxbGZnt2os', 'OBj0Wo9MEfNbv8mBe3n', 'SLlush9Sg1tcM5DZVOm', 'BQ2rS59IR5I2rr1H75I', 'M38fd49fM24n03A2Bvp'
Source: RlZ57mJ5Ug.exe, epPT9TlMR7hbocquwFb.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'YRwPrFj5M7PehLMZmxw', 'macWVsjP1ErMgdNUmts', 'hWW7kvjLQdWdUJWZEOS', 'hW2PDjjyKp0SPXR5mTU', 'dW5UWXjbKJulqMNiWWS', 'AHXMMVj9RDp6HpWxZ2g'
Source: RlZ57mJ5Ug.exe, m75jxOJaAeL8Twu6e6.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'kfvRQ0y1e', 'KmggVq6GOZIocgUcXdp', 'pGKwAo64kC1ORCmwD0s', 'Jgx23I6orEaPIRa7Zej', 'fm07oO6C42D476Cw8Vu', 'PwJBGU60XLPLURnLq6I'
Source: RlZ57mJ5Ug.exe, polhXNmOnQNT3RAMy54.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'oEpSot6O1P', '_3il', 'OUJSl22lnX', 'whOS9xW6vD', '_78N', 'z3K'
Source: RlZ57mJ5Ug.exe, CoEvUIlpYxu0NXhJ2Hp.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'SqxdnemZ4ckjfOY0uHJ', 'HEXDD3mtYwnil45k6BZ', 'bcj6LemEDAfVOS2PIw5', 'o6XDlQm3aMpWgRHUeqF', 'VsZNNQmUP0k4feuJmyC', 'mAaWPLmzWhqtd28sb4t'
Source: RlZ57mJ5Ug.exe, mt1UfwltsakNDOfvC4i.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'T6q6XyNuNTZXp960EAe', 'A9hiRnNVf0DaM6nrnlf', 'l8oWAhNqfL12WKUZ3hf', 'ErKmGqN1YeIxIWCODbg', 'tUGG5iN7SMhoM9Jfc9Z', 'awFO1dNWaPnp2WwYwpJ'
Source: RlZ57mJ5Ug.exe, syMqmcDVpX3La27gDSw.cs	High entropy of concatenated method names: 'eTnBJr8qpy', 'wKeBdd2G9f', 'NedBHihddJ', 'kkB4PeLMYiuH9okggVT', 'fdChriLg6XHCGFki8uO', 'XSQMCpLixxtfKUAL84d', 'wX3wUkLSgQxpICbFfAa', 'b9wBvNFYvZ', 'saqB2Hgq9v', 'TjIBxN6dqo'
Source: RlZ57mJ5Ug.exe, fr8HKYDtaXhoORNZAtr.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 't5HYKpbibP3taG7CgMO', 'IJjEgtbM45a6kPJIXGr', 'RxNuiSbSyaTuMJsOimJ', 'JnGZYsbIxQsWTwojKwS'
Source: RlZ57mJ5Ug.exe, U8Orj19C8FuDOVauxp5.cs	High entropy of concatenated method names: 'rWODfoyDv0', 'TluDJuXmpN', 'DxoDd48Pq6', 'mw9DHidtJj', 'EgODE7JKwU', 'fdLDwBJwBI', 'm6ADUbXrP9', 'TUajSgiuLVsr8FqAKMH', 'KE5heIibgKbN6KdmN9a', 'yZGeQNi9u14bVHqB8E3'
Source: RlZ57mJ5Ug.exe, eir68OP7uP9HVv06PL4.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'DUsqQL2oTi', 'HvVqNOMa0e', 'W4rqqkwvPT', 'G9SqT2q0vf', 'JqJq1mgeqq', 'FWbq6305ZC', 'HPt5A4DoojZoO34qRo7'
Source: RlZ57mJ5Ug.exe, tmiOmlDi1aT8wWKy7PQ.cs	High entropy of concatenated method names: '_5u9', 'ANwI9uxjaQ', 'A4RVouE0Ye', 'hB2INQPTMw', 'dexWhKbENQ4Y2WQ37hw', 'ALhPVcb3kSBxDYxNctd', 'tbAV2kbUIpmhx722nCA', 'QbYDxxbZW0TnwIVnRKQ', 'pYNlk1btZ3kgKjrtOmb', 'v2c1UKbzPd3lsgioxoI'
Source: RlZ57mJ5Ug.exe, Dlg8XTD27LkcP5NVAeo.cs	High entropy of concatenated method names: 'TuwBrc7WCP', 'gkqBIngDKs', 'xSCB4ZxxHU', 'Na5mLyLeIXQgyhSUVpZ', 'NXOrx4LTd3OGk1R4hte', 'YLDVtYLarTDxpcBe6uG', 'Wx1rwLLdRxXLOSOOuB2', 'hl5p7XL8tMCHGxUWwMS', 'E1CDPFLc1bBp2YpFsQO', 'zqjhHyLhC8TT4xGHaCq'
Source: RlZ57mJ5Ug.exe, leeoNuHt6lwcwgxFDV.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'vVwudi634xgQfNIhJ2J', 'DfoZL96U99kDWVIXD5D', 'GvYdA56zvVfUkLtwQKY', 'x9lligBk7PigVKa0eR8', 'fgrvObBrRcDTmDbuvRD', 'k7M2MuB6C9XCE6SW26f'
Source: RlZ57mJ5Ug.exe, IhGgVil0I15AOYZYPih.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'V6MsrcmeD93Is1iLGN8', 'FyVxGAmTQxjL38oli9D', 'MGSWL0maVgkS2YGhnhM', 'vDj2tJmdw6xkSG1cTaI', 'mjPbAkm8wTQn4OZMd37', 'KNugOkmcnxZ78y0gNYf'
Source: RlZ57mJ5Ug.exe, ARIHdm9yaLlJmGWl776.cs	High entropy of concatenated method names: 'KrUDzRhM9u', 'iBumoKqjjq', 'h9hmllclmT', 'CQfm93fHAf', 'dDemDSMuf2', 'GQommPfPe2', 'v8vm0sZiPR', 'hMPmPHDrDD', 'nPympA1n20', 'rm3mBxIhjp'
Source: RlZ57mJ5Ug.exe, sy8thcPiEbEcGhMP9p2.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'ibV6CXvrKp', 'Mv46VuyRyL', 'DI76MaRCqM', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: RlZ57mJ5Ug.exe, E2HQoPlZfPe2s8vsZiP.cs	High entropy of concatenated method names: 'H5u9GEcoEv', 'BB69SMKmolDYyU1hZne', 'ymW8ocKjuOKPDPM1UPH', 'KkweeMKQW4FbVrKnh5G', 'c9YhYsKXBioP31qTaYb', 'w1tqXUKNAVx9OB9UiFy', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: RlZ57mJ5Ug.exe, TXIdmHmqMPt7K96N2j4.cs	High entropy of concatenated method names: 'klZSJVPqXj', 'IiBSdN1H9p', 'dDkSHJKCPP', 'AewSEtJMUG', 'INhSw5UsOV', 'rurIjp155L3SOUnlIdF', 'N8ZcxP1YdKEahtxgeEn', 'fTNLPA1HWaryZ1bDldc', 'SvrnaN1P88Mo1edrHkT', 'aBkZns1LxlpKDUjbH68'
Source: RlZ57mJ5Ug.exe, N3DKf3mx7I4uyyqkOFW.cs	High entropy of concatenated method names: 'bR7emqtjNU', 'Xs2e0lH1Q2', 'JtfePmIXJ5', 'h5KEngqfAwrjQJAvyo3', 'a8nsMeqYFREdpnOH3O6', 'vxuKR5qSwuvCS8MjjRY', 'D9bqqmqIcNXO1aVaWr1', 'Q8TNkSqHOYOvPM2NNNE', 'FD9IZRq5QQWRVPFJTRr', 'IhT6fJqPTvkrIyyr2EC'
Source: RlZ57mJ5Ug.exe, sc4KdbPt1Q1P6QvA1rN.cs	High entropy of concatenated method names: 'RxsNA86iX1', 'BSEN3e1LLt', 'ne3NtsLwIH', 'WtVNsKGOHw', 'rExNbuFnjL', 'v87xOM2EATlU7LGAF3D', 'BjvDlY23w14M2lF6e2h', 'bRq1nn2UTNBKcCmCpin', 'NqRBOm2z9NJ5fW48ZvS', 'ev9vsuvkQq5idVdC816'
Source: RlZ57mJ5Ug.exe, wRNGNjDm0YWcLpTOlmZ.cs	High entropy of concatenated method names: 'K5fpjpKZ1R', 'CDepRTV3Fm', 'Um9piZadik', 'N8vpFGjwbs', 'CEepXnDlHQ', 'jMFpYtnkxg', 'ejkTGk5Wrc5Z4eEiG3l', 'Bhr5Gh51cxDIbH0hWVf', 'cCC1eg57n0f6mfFhwCZ', 'Okot4W5peb1brPl555U'
Source: RlZ57mJ5Ug.exe, dBWIjCP94ZC5HCVR4Yj.cs	High entropy of concatenated method names: 'gqhNBLwyd1', 'ukQNCLUTdg', '_8r1', 'QDpNVI5FnN', 'Ru6NM6Ynfd', 'bXqNnb3MyU', 'uBRNeBEjE6', 'kAgy9e2IfQ8EafT5BdI', 'Bsrkn82fucdLBgFXlrI', 'VIych32YgMwSqJNE8Vw'
Source: RlZ57mJ5Ug.exe, l6jVW20DE2RftexvxD4.cs	High entropy of concatenated method names: 'FDpjGFJbTVoEqgyCaV4', 'AGWnExJ99odBJX4qkN5', 'c0MfS5JLjMVeZrm5OJx', 'B0bDnYJyd0SUiXn8VEV', 'mUhAOsnVN6', 'eGbfMjJqUZxA3PSoflb', 'F831puJ1lPQrAMKScc6', 'E6QrjNJuHnM7gjj68gV', 'KBaS5MJVRQ2tshrAt4V', 'gKdryJJ7MT27FthMjkq'
Source: RlZ57mJ5Ug.exe, MOY72X0Cgq15XOU56nd.cs	High entropy of concatenated method names: 'ID9OAHWiJ9', 'VY5O3wqWIv', 'etD8C04AtxJKyprJbwe', 'HTqUko4ZjNlWvgPZnKe', 'OVvxvv4t65Q01pramKI', 'MOla9m4EgGqn9XmjHCp', 'hYKh9i43MQ75S9DZsX0', 'LoTHY24Ui8dlelceL47', 'aRTO6G4zIJ4pKQnknBT', 'awyCSSokvVYBv7TK4Qp'
Source: RlZ57mJ5Ug.exe, po48Pql86Sw9idtJj7g.cs	High entropy of concatenated method names: 'qPF9lkgCYj', 'Ykw998wwjD', 'fvd9DFlpoi', 'afOE6osc0BxD7BDoZGi', 'B8pp05sht37olDSJjXu', 'MhrmGEsdfcfYNNOP2aN', 'OxdNDUs8qIxB0cLHodV', 'MDaLBJsAfumh0F1XRL4', 'QcjvBIsZB5gWbOjTp5S', 'voZZ7Nstf7OGyO8q7l7'
Source: RlZ57mJ5Ug.exe, C81t3kmZ7Zo1o3YW4qD.cs	High entropy of concatenated method names: 'nBYvQHnXww', 'nFHvq5fYkE', 'rL4vStpEHv', 'SBEvKIl6i9', 'YwTvvRpVwc', 'u8yv2pmHEQ', 'L0BvxMvl8G', 'kN2v54ugbk', 'K9evyJMoQX', 'UlGvGnvUZG'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

File written: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe

Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown

Executable created and started: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Recovery\lcSuFJtLNWPBXChyfo.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Windows\apppatch\en-US\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Recovery\fontdrvhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Users\Default\lcSuFJtLNWPBXChyfo.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Users\Public\Music\lcSuFJtLNWPBXChyfo.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Windows\security\database\lcSuFJtLNWPBXChyfo.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Program Files (x86)\Common Files\ctfmon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Jump to dropped file

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

File created: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe

Jump to dropped file

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

File created: C:\Users\Default\lcSuFJtLNWPBXChyfo.exe

Jump to dropped file

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Windows\apppatch\en-US\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Jump to dropped file
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File created: C:\Windows\security\database\lcSuFJtLNWPBXChyfo.exe	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fontdrvhost	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon	Jump to behavior

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

File created: C:\Users\Default\lcSuFJtLNWPBXChyfo.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\fontdrvhost.exe'" /f

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fontdrvhost	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fontdrvhost	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctfmon	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo	Jump to behavior

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Memory allocated: 1580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Memory allocated: 1B180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Memory allocated: 8A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Memory allocated: 1A540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Memory allocated: 1370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Memory allocated: 1B190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Memory allocated: AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Memory allocated: 1A5D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Memory allocated: 540000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Memory allocated: 1A2A0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Memory allocated: D30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Memory allocated: 1A830000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Memory allocated: F90000 memory reserve \| memory write watch
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Memory allocated: 1A980000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

Code function: 0_2_00007FF848F49F84 sldt word ptr [eax]

0_2_00007FF848F49F84

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Window / User API: threadDelayed 1159	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Window / User API: threadDelayed 1230	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Window / User API: threadDelayed 364	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Window / User API: threadDelayed 383	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Window / User API: threadDelayed 367	Jump to behavior
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Window / User API: threadDelayed 367
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Window / User API: threadDelayed 367

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe TID: 5948	Thread sleep count: 1159 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe TID: 7160	Thread sleep count: 1230 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe TID: 5016	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe TID: 2136	Thread sleep count: 364 > 30	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe TID: 6644	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe TID: 5020	Thread sleep count: 383 > 30	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe TID: 3628	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe TID: 5356	Thread sleep count: 367 > 30	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe TID: 432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe TID: 768	Thread sleep count: 272 > 30
Source: C:\Program Files (x86)\Common Files\ctfmon.exe TID: 4720	Thread sleep count: 269 > 30
Source: C:\Program Files (x86)\Common Files\ctfmon.exe TID: 6848	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe TID: 5428	Thread sleep count: 367 > 30
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe TID: 6004	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe TID: 1276	Thread sleep count: 367 > 30
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe TID: 528	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Thread delayed: delay time: 922337203685477

Source: RlZ57mJ5Ug.exe, 00000000.00000002.2085177827.000000001C648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}}
Source: RlZ57mJ5Ug.exe, 00000000.00000002.2085177827.000000001C648000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

Process created: unknown unknown

Jump to behavior

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe	Queries volume information: C:\Users\user\Desktop\RlZ57mJ5Ug.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Queries volume information: C:\Recovery\fontdrvhost.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\fontdrvhost.exe	Queries volume information: C:\Recovery\fontdrvhost.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Queries volume information: C:\Program Files (x86)\Common Files\ctfmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\ctfmon.exe	Queries volume information: C:\Program Files (x86)\Common Files\ctfmon.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe VolumeInformation
Source: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	Queries volume information: C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe VolumeInformation

Source: C:\Users\user\Desktop\RlZ57mJ5Ug.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000001E.00000002.2161409046.000000000287A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2162507058.00000000022E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2161298870.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2077905139.000000000360D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2161568814.0000000002618000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2077905139.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2161298870.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2161568814.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2162507058.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2161833890.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2161409046.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2161212488.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RlZ57mJ5Ug.exe PID: 2884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 3332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ctfmon.exe PID: 6496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ctfmon.exe PID: 6784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lcSuFJtLNWPBXChyfo.exe PID: 3348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lcSuFJtLNWPBXChyfo.exe PID: 764, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000001E.00000002.2161409046.000000000287A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2162507058.00000000022E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2161298870.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2077905139.000000000360D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2161568814.0000000002618000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2077905139.0000000003181000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2161298870.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2161568814.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2162507058.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2161833890.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2161409046.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2161212488.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RlZ57mJ5Ug.exe PID: 2884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 3332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ctfmon.exe PID: 6496, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ctfmon.exe PID: 6784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lcSuFJtLNWPBXChyfo.exe PID: 3348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lcSuFJtLNWPBXChyfo.exe PID: 764, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	333 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	31 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	31 Registry Run Keys / Startup Folder	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
RlZ57mJ5Ug.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
RlZ57mJ5Ug.exe	100%	Avira	HEUR/AGEN.1323984
RlZ57mJ5Ug.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Avira	HEUR/AGEN.1323984
C:\Recovery\fontdrvhost.exe	100%	Avira	HEUR/AGEN.1323984
C:\Windows\apppatch\en-US\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Common Files\ctfmon.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Joe Sandbox ML
C:\Recovery\fontdrvhost.exe	100%	Joe Sandbox ML
C:\Windows\apppatch\en-US\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\ctfmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\ctfmon.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\fontdrvhost.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\lcSuFJtLNWPBXChyfo.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Default\lcSuFJtLNWPBXChyfo.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\Public\Music\lcSuFJtLNWPBXChyfo.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\apppatch\en-US\RuntimeBroker.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\security\database\lcSuFJtLNWPBXChyfo.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
a1040171.xsph.ru	141.8.192.169	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RlZ57mJ5Ug.exe, 00000000.00000002.2077905139.000000000360D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532855
Start date and time:	2024-10-14 01:56:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RlZ57mJ5Ug.exe renamed because original name is a hash value
Original Sample Name:	2708091ac73983d30f58e73c7681d035.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@40/39@1/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 59% Number of executed functions: 378 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RlZ57mJ5Ug.exe, PID 2884 because it is empty
Execution Graph export aborted for target ctfmon.exe, PID 6496 because it is empty
Execution Graph export aborted for target ctfmon.exe, PID 6784 because it is empty
Execution Graph export aborted for target fontdrvhost.exe, PID 3332 because it is empty
Execution Graph export aborted for target fontdrvhost.exe, PID 4712 because it is empty
Execution Graph export aborted for target lcSuFJtLNWPBXChyfo.exe, PID 3348 because it is empty
Execution Graph export aborted for target lcSuFJtLNWPBXChyfo.exe, PID 764 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: RlZ57mJ5Ug.exe

Simulations

Behavior and APIs

Time	Type	Description
01:56:54	Task Scheduler	Run new task: fontdrvhost path: "C:\Recovery\fontdrvhost.exe"
01:56:54	Task Scheduler	Run new task: fontdrvhostf path: "C:\Recovery\fontdrvhost.exe"
01:56:56	Task Scheduler	Run new task: ctfmon path: "C:\Program Files (x86)\common files\ctfmon.exe"
01:56:56	Task Scheduler	Run new task: ctfmonc path: "C:\Program Files (x86)\common files\ctfmon.exe"
01:56:57	Task Scheduler	Run new task: lcSuFJtLNWPBXChyfo path: "C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe"
01:56:57	Task Scheduler	Run new task: lcSuFJtLNWPBXChyfol path: "C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe"
01:56:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run fontdrvhost "C:\Recovery\fontdrvhost.exe"
01:56:59	Task Scheduler	Run new task: dllhost path: "C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe"
01:56:59	Task Scheduler	Run new task: dllhostd path: "C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe"
01:56:59	Task Scheduler	Run new task: RuntimeBroker path: "C:\Windows\apppatch\en-US\RuntimeBroker.exe"
01:56:59	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Windows\apppatch\en-US\RuntimeBroker.exe"
01:57:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo "C:\Windows\security\database\lcSuFJtLNWPBXChyfo.exe"
01:57:15	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctfmon "C:\Program Files (x86)\common files\ctfmon.exe"
01:57:23	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe"
01:57:31	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Windows\apppatch\en-US\RuntimeBroker.exe"
01:57:39	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run fontdrvhost "C:\Recovery\fontdrvhost.exe"
01:57:47	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo "C:\Windows\security\database\lcSuFJtLNWPBXChyfo.exe"
01:57:55	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ctfmon "C:\Program Files (x86)\common files\ctfmon.exe"
01:58:04	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe"
01:58:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Windows\apppatch\en-US\RuntimeBroker.exe"
01:58:20	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run fontdrvhost "C:\Recovery\fontdrvhost.exe"
01:58:28	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run lcSuFJtLNWPBXChyfo "C:\Windows\security\database\lcSuFJtLNWPBXChyfo.exe"
01:58:36	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run ctfmon "C:\Program Files (x86)\common files\ctfmon.exe"
01:58:44	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dllhost "C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe"
01:58:52	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Windows\apppatch\en-US\RuntimeBroker.exe"
19:56:53	API Interceptor	1x Sleep call for process: dllhost.exe modified

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with very long lines (890), with no line terminators
Category:	dropped
Size (bytes):	890
Entropy (8bit):	5.883652280102645
Encrypted:	false
SSDEEP:	24:fsTPqqGbA34yhpw5RmW4YaxiIpUrFF/ULyOKxV7:fsj0IbxYgpUrFF/ULyOKxV7
MD5:	45490BACA86E7B2FB6B21AE6AD616E5F
SHA1:	03E29DEB1F74459A8FEB6DC03FF49D988F994498
SHA-256:	A26E498CB388B9C7A07A2004B19E57183C744529F8232A178057C588BD1D7B37
SHA-512:	D43AA2EB612AD15A58750C6B82CE3AB4761B5A798E0DA8A74B480ED98A38BEEF54770073F1274DE7794B345CC510F7C25DF25EE2E71DB8CC0DC3DAAD77362C1D
Malicious:	false
Preview:	1MgSe90MaxtBDbIcKajByS41TmyGJtds3w9of70TzB8yb6lqo4I5cCEiRp81KtCqTBIRbe7MkQMxUFZXBHcPlhQ1rbW088IF9RfaxUPJ75VMzROLPl0DQxFwuRjAHGNlIGyCk8jr2SRqMEBaMKkXIFzLMspgvPC0rtDtdMlRBJK7fYkqPIx6g0dCRm01SD6nQa8cAR6AjSW941pxI9QmbFU1QAc1Wt87MhrFaHq7LxWNeeIZ6CtTwTMLGHM9zFo0UYwXKkXASSansGWv2C4TAoL3Vf9S5rIGJg3GsvPWosBd3ic9uaGxLUzpM3ColFFlKUdLNQDHxipSns9wD9hekV4zqN3zskvjmZSiFQveX99nohBe3PllilBzZof9XNYMwGpNZaqwNCGkVRKJMY6d9JBBYdJavwHJlx0i2yFciyXfeadIeWx8R5MnFoy5RQAb579halQYSd4Kwfh8AA6Z8I1pkNdN9KKSy5jgb5r2FZpyBC0jG04RTlcxFT6NHCYITlW06AhESEUjcDoiW4HIP39McvbH8euCAhfZpAmGSz8PQ3UCpX0N5P2ZmJXKjaFyTSi5iO3WSAzZ5t6jbZclnhGuoFxfmbh2uJ68VZdaed55ace2NytJ7eKwMxQdaYu0d6pvx8NC5BGKlKUMl4RxsX4P8JwhIA9GtEcdwsFPkrO6YAKBdE1gG6IFCaxnMq35BAahs1Z3zCNBJ8189uEDId9w6WbV4bD4xS5XjnSlp8qDtH5Djyobm0whAokVaD8X8SN1DdYVccYKx6DzaXwGxmS7fXW5C6LlASEa3EAFaS9JbmuEkv5CR2kWAQVqGcSfQxJe1n6VXqpemIf3mSVRBIUIsrZmtU979d3ocQM7yjplMGt2ucDyHBdHcB

C:\Program Files (x86)\Common Files\ctfmon.exe

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	849408
Entropy (8bit):	6.082450267000895
Encrypted:	false
SSDEEP:	12288:dyUvalAP4Un838iQqGImu7WCh8wakorqbHGEVCtREg:xn7n83rjmuCCfBLGWCtREg
MD5:	2708091AC73983D30F58E73C7681D035
SHA1:	80637B1CC318A9795F6EDC1E541A1E2CB8EE2A90
SHA-256:	DF2B9BC2925339734C17D5AC782C4E3829F1C8136D428462AF477ACCA2517584
SHA-512:	9EE5EE845742747683F9624096F5318C668AAD90ACCA859AED95EB99BC8ADFDAFD865CBAF15A931ACF76E53C18E60B349130D8950B2AFC5ED5446A7D5CC5439F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\ctfmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\93b40338b961c8

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with very long lines (508), with no line terminators
Category:	dropped
Size (bytes):	508
Entropy (8bit):	5.868416077257431
Encrypted:	false
SSDEEP:	12:Ec5UlkFog6kG3MIvWfD2H+JXQgT+YJATtfkDGugSGfnA2yASE+11:EONF96kIefD2H+JXQis8DGvSIAQSEE1
MD5:	BAC4C4BAC8AED7C122CDE476224DC5EA
SHA1:	3FB0CDFB30A6C6EA550F1EE0174DF895EB407269
SHA-256:	9929B4CFD7271B9433B333076057096C40B97B63F71649738A4E183B8D4A061C
SHA-512:	6C84F4992A3A911A4BEA29C9208D8F54049F8EA9C19B3E769DC5861D1678790AD88036E879C3D4C1D6425985177C7E7006B16A8B014CBCB13C59A6CCEB545244
Malicious:	false
Preview:	DXIDuJL7E0Gk3SmOpA6GP5BmsBDR5KsdLpowtXh1BjDi0YzLwK7XasPHVgVtG4C4InZNn0fSdEFq1dwTM1evMUCdahaMByvGgJZM8li6op4VnjP2uChOZRrxl6xGZSQoT8JsEjVkTiGhaqz1Ric9RgrPbmlBxcgWYPCpZhyKq650KKW4G6y1zRXwQ3Qb8Tx0CtJLnKbtuSSUl0ERPq51nogG1PYgRWMXJEyaBLQ5fEGh8DLZy8MRY5NXNCTYw5cYF5LgCnQEa9Wjh8HyE9rTK59N1aN812JjmscD1oWKsH0YjnzO4fTxOINK67pmaRMhzw6zgD6amgkCEkoNk9EWjWVdeRH48uub4TjxrAr0i2KsiLFVTbBbN08dadUO6Cb1vJHuB0gkRNxqLn5TMvkhtTOEVFWOqc4fbT6YDUUc5bJ9CRSxhACKc4Ic5DZ5eS3zSSP1qgP1bHlSJOBDxjqpZuDgLedA5Y8nhUruBaGBuLtUSzTqBVI4lOZiOsqM

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	849408
Entropy (8bit):	6.082450267000895
Encrypted:	false
SSDEEP:	12288:dyUvalAP4Un838iQqGImu7WCh8wakorqbHGEVCtREg:xn7n83rjmuCCfBLGWCtREg
MD5:	2708091AC73983D30F58E73C7681D035
SHA1:	80637B1CC318A9795F6EDC1E541A1E2CB8EE2A90
SHA-256:	DF2B9BC2925339734C17D5AC782C4E3829F1C8136D428462AF477ACCA2517584
SHA-512:	9EE5EE845742747683F9624096F5318C668AAD90ACCA859AED95EB99BC8ADFDAFD865CBAF15A931ACF76E53C18E60B349130D8950B2AFC5ED5446A7D5CC5439F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Reference Assemblies\Microsoft\Framework\5940a34987c991

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with very long lines (353), with no line terminators
Category:	dropped
Size (bytes):	353
Entropy (8bit):	5.822780435174085
Encrypted:	false
SSDEEP:	6:oXldcwmWperpoVUh3cyNdiaOQ4RDflErB5rWYJ7lgusgAOjPKKJwc:8ldcwHperHhsyNdUDNErBo26usgAOjPF
MD5:	50D4AA48212232094799DC551D738BD1
SHA1:	EE2B6AB9D82C9397FD4347A9E1EE06369D4C1B75
SHA-256:	D34BE5FCE6AC35FC7CD30C69C6A0E3A3DA8AC9FDE56FDC1750C1D50D2617086C
SHA-512:	7FC52A89F494C69E969117310D07C5E5C0E0EACA0D3BB7F75FB131A9050EDE41254B3243D7D32DFD0C63AEA28BEDAC25C62C110D41501D31E2DF2CC3D5246709
Malicious:	false
Preview:	LcPB2iqRRJxLFkqLnxpTdwcdGwPsQFS3Mpm3AuUrBpHJKKUnb79oLo1Y9w4FT8BM049Z7wL3c7SyoTT6clRTFnrhyO3NzOYDo5SPL4qowGMNWDtqd8nsqsGNMbls28DNjOJsBDuh4mg8adKueNt1lpW6zECtT7vxC8oH4BoaNFxELHwsQ1OpPMm32M36ABO70s6czD0diSnf2SvrSTcbsGi0WuPrHrZM0zNcLU3NAvG6jGBkbLoqiwOuJGFExIV03aoCESg7aOb79mQPtoP5CsoEldSFOya1ZPDIb8gJprQTVQuhzzVJ2ayKwkak9asmyjiujIyuIGQVcUsUtvQZcQ99b2V1h5JO9

C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	849408
Entropy (8bit):	6.082450267000895
Encrypted:	false
SSDEEP:	12288:dyUvalAP4Un838iQqGImu7WCh8wakorqbHGEVCtREg:xn7n83rjmuCCfBLGWCtREg
MD5:	2708091AC73983D30F58E73C7681D035
SHA1:	80637B1CC318A9795F6EDC1E541A1E2CB8EE2A90
SHA-256:	DF2B9BC2925339734C17D5AC782C4E3829F1C8136D428462AF477ACCA2517584
SHA-512:	9EE5EE845742747683F9624096F5318C668AAD90ACCA859AED95EB99BC8ADFDAFD865CBAF15A931ACF76E53C18E60B349130D8950B2AFC5ED5446A7D5CC5439F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Program Files\Windows Multimedia Platform\93b40338b961c8

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with very long lines (871), with no line terminators
Category:	dropped
Size (bytes):	871
Entropy (8bit):	5.892619411272169
Encrypted:	false
SSDEEP:	24:iSGb+n6q/9UUFvIPa6BRhcOn4/CiuBi/yKiEJr:Sb+6qWPa6BRmuAzzJr
MD5:	CBBD76F47CBCBB1B6CF85D526D8CDE88
SHA1:	9C111FF9BB08D73C2EE0227A086CA02FC3ADC46A
SHA-256:	CB8D7D4265FD72D1FCC6643586E846BFD421D5D263F756F7788430A020DBEAA5
SHA-512:	5D7A73615BAF3B332573E35348E9EF0F01D860DE718207B44C71766869D45D9F09316A14256BC1FED80CF41F6BFB623D81EF6A2704CE59A4912C92AE7D12521B
Malicious:	false
Preview:	G0NKTJhkiSqw6NM7BWyz6mtyjX2QNz8K39bE5Dpe7MJrQ4EXxyIG3m5dGZl5QRWtTf27vIC7qT2ucChoTfcYq2RRD87fcuNqzZXuBGlpwLZjuLAE16lvy8DbOk4xKgf5GM4DpxnM3wmfcsh273ofIc10W6gaMyfQqediQ7YETZ2BVh8fDBzQ29wnUDqtQM9ERWz8P9lAfjMtjzey8AXK8OXqrzNMQoxGZxu9s9QEazvSwDEfj1vQzyGC8IRavZt0wFTwFfF8uTuIdF3nusnZ3hRkrrBkr0SBG4grtSaDvwfgE7i3OnpDvT6OxsFXefQ4AtCjiM4cSjnGBvgtJHVEKOPw7R3ANDjQflfU59UCtMvLq0NBMVNWKMtvdPlQS3PPAXlaQLyJxSU7dEGHE1y1zNFS1t1pXDtz7gLTOwvAhDj11wRZJdMaFXZxRSigUIvtif972x2RGyUvnNaFbbf41TukGXB6OOpZR0SWwUgWk4URDoJD1dE2m11PuY1ev6D1I4dx4ETH5JT68dhcO7FvKxwa8DmXdBko1cIIKWJxJ67di5QR1ZQy0RqUIDz1c5o3ioFfUZR1ySlN0T1DwUfEvwyjvy9GhRVNSD43zu6cHYAiqdeyMvEHakIw0fugZLUg6X4wZ7NBXD6WwP3STL4vMNxs5IDUAaC5DdlSirZOiDtWnv9kmbMNRjUsjM1Q32B7BBSSoktlwpMJebFJIdsjNyoeJ2tV0IUpBvVldq5CrlbmWKOIHsHaKctMXyJv0YvnUhHtGdqbhp1mWBH8olOIA4fjBIOohJLT0yRzCfBoBp2ekHzVqKHPJmmZCir7OB4XeiwiuS5JjjGUCA94T37WC5JNL1xexDZAve9CVQl

C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	849408
Entropy (8bit):	6.082450267000895
Encrypted:	false
SSDEEP:	12288:dyUvalAP4Un838iQqGImu7WCh8wakorqbHGEVCtREg:xn7n83rjmuCCfBLGWCtREg
MD5:	2708091AC73983D30F58E73C7681D035
SHA1:	80637B1CC318A9795F6EDC1E541A1E2CB8EE2A90
SHA-256:	DF2B9BC2925339734C17D5AC782C4E3829F1C8136D428462AF477ACCA2517584
SHA-512:	9EE5EE845742747683F9624096F5318C668AAD90ACCA859AED95EB99BC8ADFDAFD865CBAF15A931ACF76E53C18E60B349130D8950B2AFC5ED5446A7D5CC5439F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\93b40338b961c8

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with very long lines (350), with no line terminators
Category:	dropped
Size (bytes):	350
Entropy (8bit):	5.846545606587786
Encrypted:	false
SSDEEP:	6:ep3wajVA5eZ0sLg2WJn0W8W+8AJpLDhCCRHBSCOmL5k6OxWjdQLqkANhNlm10B:eOajVA5erUxt0LMAJpLDhCSHDoLy9lhB
MD5:	B95055A7692975C61C3C865165FC95DE
SHA1:	FBFF9A9BB0D8AA7AA6BAAA03982D41D1254E7072
SHA-256:	384AEA98C47F85F89DB61653BCB57C0D1DCCB39D01ADFB3D9D4107A1B8E5D38F
SHA-512:	8B6572EEDA2C3D5B56B02EA7F83507F064248FB40F053B1A5287F36368031C8B6D0FC3C3FE8D16A773686F6ECEC86465A6FD7E10062CE74D4C46C332C7D7470B
Malicious:	false
Preview:	Lw8jQEBT5IfSt38fPrLUEeJuTwa6TLhgfVBPQWwE6c3Yvtmkqa8Tg3QqnNPdnE9tl9xY1tO34HXmlu9kJ0Q3NN9lEVmCGSa2cJxv5Os6LEYZgnF2OoUxxGgXAMTgHLwmqfKb7Op5HTrIyjFaPtyc7nEVmZus4MzASwtBdn499ZpdZYjaH2QXWUpDazzid7A5eqzC0E7myzdi7k5O0TlB5co8GqknyWgCYu9tigkC5ojh1HFz3lrJV89BC15KdTxbSbJNkMpTtiGR3HH9kvuNpWqZu8qrlajl0HOa72Or5Xaw2sI5u5jsjkw5utcmf8sS9eav2rCsgCRR64hBzv6p10CQVSpNZl

C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	849408
Entropy (8bit):	6.082450267000895
Encrypted:	false
SSDEEP:	12288:dyUvalAP4Un838iQqGImu7WCh8wakorqbHGEVCtREg:xn7n83rjmuCCfBLGWCtREg
MD5:	2708091AC73983D30F58E73C7681D035
SHA1:	80637B1CC318A9795F6EDC1E541A1E2CB8EE2A90
SHA-256:	DF2B9BC2925339734C17D5AC782C4E3829F1C8136D428462AF477ACCA2517584
SHA-512:	9EE5EE845742747683F9624096F5318C668AAD90ACCA859AED95EB99BC8ADFDAFD865CBAF15A931ACF76E53C18E60B349130D8950B2AFC5ED5446A7D5CC5439F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\5b884080fd4f94

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with very long lines (663), with no line terminators
Category:	dropped
Size (bytes):	663
Entropy (8bit):	5.893431376264879
Encrypted:	false
SSDEEP:	12:4ilkdsjBprbUBuFoc0Dpc0XoLr+L/RdBEWY8EWf5pnRWcxfuNTTi6KBIf:4cNDbwj7Y3+3nVnRWcoKuf
MD5:	876589ABB31280F817C41AA8CAD5DBDB
SHA1:	9AEBEBFAB37169E01B9C1EDD1D9E5E68477F20DE
SHA-256:	220966FBF3CA11CF096DC5B4261D039170C79152C0B13BDAE180401A02687D21
SHA-512:	50E9343EF13902F219AA5F0DC5F8612059DD9FBF9B0CB6D0EEE187C7B3A1D5500EA43BCCC61091F876796CD36A33F88CD9C6F8F27FB53D3F13A8C9EB115F6914
Malicious:	false
Preview:	u94aa9EjMqWeOdgENIA88sa3V2bxddqzBJK7Zui3PhuF68uzM88ZiIqBiAFihRGs9gdFSiockHtb7V7WHmkffRQ2dIYZp9V7bBFZfphnTfybZODNDta5qkNsQklJJPxlvvA6Ph0cE7L9dzdOELV5iZR0yXJ5DXdDsMpoOH7f380tYNPaGXF831DVdKH2Y4YrdIRQJy96N0CjiibkIsyqSfK0JTLEAFH8kJQQ68RSXIvDydw4sgupFsZ88aHzn56HsE9ZSKoJbgSJtGBphQVdUb22tRSf1bocMnUueXmh1kOjZPO1YbSXjcwQLGpA2JS9107FvQLJoxmuNTceDaGZJR2t0DjXrlpsSPrjSJFIQIsv0CD2oL7bC3zj7NOrrxbCI3b8l3L4U8IAiH3yAqtgoOqZZIlE4Yadrqn7lERu9CGDuzA0UarAE5X4MCjdSH96ipT2d5M5Z8hlHmojHvtdqZZvStuifxc2DKfFfIWYNwlFXwxkX9WgXgQIQhjuLoZlgoi6HjE8YVQ4yTYg6JKgb5eg3Wz8jmMjW9jtN0dy4YICQVU6JCxBd3KlKBCuuGYwIqhzuoSGqWlDwcQiC2yhyLGdy7iMxsEy9W3jxeLetrUGRGyrver1R177kEAwGGT7SwDairuhqTxG09LsJ1bSBMh

C:\Recovery\93b40338b961c8

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with very long lines (463), with no line terminators
Category:	dropped
Size (bytes):	463
Entropy (8bit):	5.829956321740246
Encrypted:	false
SSDEEP:	12:+JCswoKvuw0i8A0HRlez4+IMYglT6IrX1ArI1et:+J3KvuyPGQza/glJJOIkt
MD5:	FEE82DAB23F77654E99C35C63C52BF88
SHA1:	3519AD26AB9D9C2FABA74D9CC1827C98CDA8E8F9
SHA-256:	2D6990778326B7F9F7A057DD4A49BA8183B184A3E1AD23903BCB41177982A819
SHA-512:	4FF4698EFF43035B03BBA4204ECF08C923AB73BA37B3B2AF0706189F86918DDD7FDD70B2C97C861C117DA4CCFEE28D4A32FC9754E2C2B97E3C390F87C9BCB93C
Malicious:	false
Preview:	vUfgykWViSAf6YOlNSj9z0PbOvaJLxIbQTAYQVPC5f7sypyLgjZKAim5EDRCJNKvKiPmX0U2ChET2hnj7PmlX7arqEUNDN2rVMiPZMxqOhIdeTDhasF4liYMHi5TfHyzoX8p9XJub6Wzz7NXAxwVH8FwyVH1QdKHtSzHUXiCiUcoLiWKUiSsUdsqRL1nPSe8wPGgIGCnOtwwfblP97grLbwPkIzIg5xQ0e26b0COfpdkr5L0kloSwwwUc159Q3HT6g5AioxI4RMg7Mio79i4QeeEsidk4C8liJoKAKR5yfXejQWQSQCQVMCbC1SAKMO2Sk7yhXowsmGvH9ebLNSnArQVHMII2QulQfL9Sis5lPisGRUCX1z74k1lUmqVPg4b2eemxfIneXBvJhPz1FvBbxqqnkoq1WpFVG0lwrO1sMchjGbwX1dJu3AFyy8N0bvIr6aDrnDJ13SPUJH

C:\Recovery\fontdrvhost.exe

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	849408
Entropy (8bit):	6.082450267000895
Encrypted:	false
SSDEEP:	12288:dyUvalAP4Un838iQqGImu7WCh8wakorqbHGEVCtREg:xn7n83rjmuCCfBLGWCtREg
MD5:	2708091AC73983D30F58E73C7681D035
SHA1:	80637B1CC318A9795F6EDC1E541A1E2CB8EE2A90
SHA-256:	DF2B9BC2925339734C17D5AC782C4E3829F1C8136D428462AF477ACCA2517584
SHA-512:	9EE5EE845742747683F9624096F5318C668AAD90ACCA859AED95EB99BC8ADFDAFD865CBAF15A931ACF76E53C18E60B349130D8950B2AFC5ED5446A7D5CC5439F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\fontdrvhost.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Recovery\lcSuFJtLNWPBXChyfo.exe

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	849408
Entropy (8bit):	6.082450267000895
Encrypted:	false
SSDEEP:	12288:dyUvalAP4Un838iQqGImu7WCh8wakorqbHGEVCtREg:xn7n83rjmuCCfBLGWCtREg
MD5:	2708091AC73983D30F58E73C7681D035
SHA1:	80637B1CC318A9795F6EDC1E541A1E2CB8EE2A90
SHA-256:	DF2B9BC2925339734C17D5AC782C4E3829F1C8136D428462AF477ACCA2517584
SHA-512:	9EE5EE845742747683F9624096F5318C668AAD90ACCA859AED95EB99BC8ADFDAFD865CBAF15A931ACF76E53C18E60B349130D8950B2AFC5ED5446A7D5CC5439F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\lcSuFJtLNWPBXChyfo.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Default\93b40338b961c8

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with very long lines (713), with no line terminators
Category:	dropped
Size (bytes):	713
Entropy (8bit):	5.899337400739043
Encrypted:	false
SSDEEP:	12:SKqWytODLVX297RiHaBr0BM/qGJSzLcxM4Q+G6qLGul6d+4IOnDMuVlUtAzfhes5:SKqZtODpX2fLr0ysSf9S6d7ZjVGGzfoU
MD5:	4B3681865D130F6D65DF731EB892F898
SHA1:	0A7F73B9290B347346317439388F201AD1088F24
SHA-256:	98428083C5868C08277BE22AEEA30825631D8B6B7F228D5E94AB51C1AB961346
SHA-512:	5428734FE7270BCABFD03817D3DAD68A1E1AF3F8692C4E2F36533E224DD750AC97B79E0450DF89F7A7FAFC55719A00F334D191C8494E90E35D383885A4CFE415
Malicious:	false
Preview:	eJO1aVFYccct5l8g1RQK08AvLbeDtf6n3emkn3BrttiBotGKLrbUwg2fIdq91Bo7fzzb9X28PjaGa9GbUU1BDm1WmGcKMC0rEkfy4pLyydEMGvFJXOogKn438cy25svNstCzdRgpJDMkhoQ0BSx8XThbqm0c0S3Gr1eXtPqFr8XGaTVUL70m5xzZLkI1bEz0KF2qJ3HwmrQZ6aAWQfQ2cQL3BFLIGzonJh6UapKS0DANhadukvk6y6X349oEs8pxDnQYep6kU7CYP7WllaiUOsyMJCabAGk1YNK4JEQ4z9m049o6nDdRaViUyEPbOekOXLACxbbhKneOG7SJYey7nSaCozFFyypVZXds8lILm5Hx0UO1vFDuqmkFu7X7WVsV7JysejLwVmUrLnMUlOTtv5owwY8BNLzRMwzqfgWM4QZDS34GuDWHB9kCfB5GkKjKxDeYxfyE1Hyegke3d1QKzrPMMxLdlQlurOQOYfTOPRP4LFg4hBmt3YVFySMAUUdlfExRTPf8iB5hcVBGQR6jn20S3LaGSS44yoYGRPkRgnL2dxmcQGtDY38nNeXIzYqPGAty74zBqpD9q7zGi8zMi1g4pu3w1cbH75vcEyfVQrWt086PpQj1jerPeyIMBCJON5CvMXCtcd50exDrynHl2kicNg7PqSUOiHg55KDSOzYFj0urvaXY5iWmWkhpZwDJJrSWRIwnj

C:\Users\Default\lcSuFJtLNWPBXChyfo.exe

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	849408
Entropy (8bit):	6.082450267000895
Encrypted:	false
SSDEEP:	12288:dyUvalAP4Un838iQqGImu7WCh8wakorqbHGEVCtREg:xn7n83rjmuCCfBLGWCtREg
MD5:	2708091AC73983D30F58E73C7681D035
SHA1:	80637B1CC318A9795F6EDC1E541A1E2CB8EE2A90
SHA-256:	DF2B9BC2925339734C17D5AC782C4E3829F1C8136D428462AF477ACCA2517584
SHA-512:	9EE5EE845742747683F9624096F5318C668AAD90ACCA859AED95EB99BC8ADFDAFD865CBAF15A931ACF76E53C18E60B349130D8950B2AFC5ED5446A7D5CC5439F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\lcSuFJtLNWPBXChyfo.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\Public\Music\93b40338b961c8

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.4838561897747224
Encrypted:	false
SSDEEP:	3:9qLltyJdTk:qltow
MD5:	6C39B0DC9BE24C23884437433EB94E3F
SHA1:	40D61439CB17CB63A9FA7C21B6CBC6154A8AC656
SHA-256:	937D40B1A7C7FA2198BFB0DFF702BBB5C440465BFC7196C05258909DEF5F4C61
SHA-512:	6F335EFF2749B6C9FD71D1AC95DF03761F9AEC5E0DDB1CAEA946B2F779C2521468EAC6DB6241CCA2E6D9A1E2AEBC11E64CEDE649BFFEAA741B1D5922BF9B867A
Malicious:	false
Preview:	QaUznqYFtxUS1kvuorbE9IvPK

C:\Users\Public\Music\lcSuFJtLNWPBXChyfo.exe

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	849408
Entropy (8bit):	6.082450267000895
Encrypted:	false
SSDEEP:	12288:dyUvalAP4Un838iQqGImu7WCh8wakorqbHGEVCtREg:xn7n83rjmuCCfBLGWCtREg
MD5:	2708091AC73983D30F58E73C7681D035
SHA1:	80637B1CC318A9795F6EDC1E541A1E2CB8EE2A90
SHA-256:	DF2B9BC2925339734C17D5AC782C4E3829F1C8136D428462AF477ACCA2517584
SHA-512:	9EE5EE845742747683F9624096F5318C668AAD90ACCA859AED95EB99BC8ADFDAFD865CBAF15A931ACF76E53C18E60B349130D8950B2AFC5ED5446A7D5CC5439F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Music\lcSuFJtLNWPBXChyfo.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RlZ57mJ5Ug.exe.log

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1740
Entropy (8bit):	5.36827240602657
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkhHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkhtpaqZ4x
MD5:	B28E0CCD25623D173B2EB29F3A99B9DD
SHA1:	070E4C4A7F903505259E41AFDF7873C31F90D591
SHA-256:	3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
SHA-512:	17F5FBF18EE0058F928A4D7C53AA4B1191BA3110EDF8E853F145D720381FCEA650A3C997E3D56597150149771E14C529F1BDFDC4A2BBD3719336259C4DD8B342
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Download File

Process:	C:\Recovery\fontdrvhost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lcSuFJtLNWPBXChyfo.exe.log

Download File

Process:	C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Windows\Microsoft.NET\assembly\93b40338b961c8

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with very long lines (521), with no line terminators
Category:	dropped
Size (bytes):	521
Entropy (8bit):	5.853186876598269
Encrypted:	false
SSDEEP:	12:Nv8TnfEFYoKSP+bL7LU5ORrz2jZqhdIzuUoTE7ZBahsAb:Nv8iSSPaL7V9zeZMOoCwsAb
MD5:	97722C875535B988CBB52676A1E9548D
SHA1:	AC1D3FA119B38F601DAE19B02539CF892D4DC8CD
SHA-256:	A024AC27C3E75A29B3FE4F2BD740DAFE33440F910D9F88962F55AC34FBF77B89
SHA-512:	A22B804527609AB8FD0821CA88632AFBA1F05A5855480A67A880B7207A50CF77B8721EF93DB81801D902C4A9242ABA871CD46033DEC14AB2C97651CE9D7790EB
Malicious:	false
Preview:	oCWChZXdwntEFT2gLRf24BM4qQePowHWKsfDZ16ec8m0OK0pO2s96SlmzcWR5IyAgW3XyyGTVAa5YWpgZzAwEHZ2H2O6fojUJmU1Qd0ZvYo61qOcwz1GHC6Y7BP6kKxqbGvwCxQ68kBpddAbovKqxcNHq54ON3zlk8ev4ba9j5HgAQ5eAySy9H382oGG3BsFvZEf8OgMULH1VqHZAZOYlAldEg2QVTFhMCvlMagvRFdyABmMhqGdxTduykabWQ1BFjoT5gMj3cGggwcD3qsoMlu2iAwlAEZBOctbWSQBegkVN7NBIWhphMydywv4tkjyCFREDArkarKqBZplxudngudBoPnkhVR36vSHpI8Hp7PzBIbYGJH8H6RSmPaxXGCEaRtQGi5ovV7jenAgxOeYNSvAdAfZsLtj4KZuYLRiNdNv9sx9P49Jmo0HftwGDg5kmYpUNPHl65KuF9BvNfKyLj6PTSOpZLfrhmJkCcv9xXNqeGBgsA3hVHYCbZA5BbMuacNdzasut

C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	849408
Entropy (8bit):	6.082450267000895
Encrypted:	false
SSDEEP:	12288:dyUvalAP4Un838iQqGImu7WCh8wakorqbHGEVCtREg:xn7n83rjmuCCfBLGWCtREg
MD5:	2708091AC73983D30F58E73C7681D035
SHA1:	80637B1CC318A9795F6EDC1E541A1E2CB8EE2A90
SHA-256:	DF2B9BC2925339734C17D5AC782C4E3829F1C8136D428462AF477ACCA2517584
SHA-512:	9EE5EE845742747683F9624096F5318C668AAD90ACCA859AED95EB99BC8ADFDAFD865CBAF15A931ACF76E53C18E60B349130D8950B2AFC5ED5446A7D5CC5439F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\apppatch\en-US\9e8d7a4ca61bd9

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with very long lines (322), with no line terminators
Category:	dropped
Size (bytes):	322
Entropy (8bit):	5.8282000088160935
Encrypted:	false
SSDEEP:	6:VQVaVGYMJbXOrL+WadvN3bhLMrA02Y4qKkeIUtaDCgWDKh4VaXqeJEGoiYt9gSAE:Ceober0N3bd49ckeIUADCC4ViqyE2g
MD5:	37AA3B273E93FE5EE54325E6BC49D61B
SHA1:	EA0F219B928665700753872F30D2C88FDF6A7161
SHA-256:	4375AACD59307D3C6679E9362EBF47DEB187396C53E8679E0EE412CA611FA308
SHA-512:	D4DD455D237ECF76DB515D758305F82049200D222B5384B703BBB2835E433EA234983C419BEFAB52653F7D234132FE457B269863339B9396A393547C983E42EE
Malicious:	false
Preview:	e1uwjMiOd1UAIQR6BHpFpBsbI3s3c8i6uVNkTMjiq5HGm6rzJ203J5ocJTnpepwfSXPxDrnziHYt4lyMM3tjHpxzqvbAj4DAJlxOq3vcPBVCg4hheadl6MYnkaGSQmPoDXjSxjgSHRUFTvSwN3fIabE7NKoQxdMmwr8JVPt44Leo1STyHUEWHHNlSlEn5QenFrTmwJb7JkNP7aF51zIcYzfodX0tKG9oq0jJ9qC73GMg37n2gJwGHBOPMoIZSrxDljjG055KwKjRm8vft8NAU2golT7VimpLTJ5TYgBkOlT7c7nO2mpUewssD4fh8klKfY

C:\Windows\apppatch\en-US\RuntimeBroker.exe

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	849408
Entropy (8bit):	6.082450267000895
Encrypted:	false
SSDEEP:	12288:dyUvalAP4Un838iQqGImu7WCh8wakorqbHGEVCtREg:xn7n83rjmuCCfBLGWCtREg
MD5:	2708091AC73983D30F58E73C7681D035
SHA1:	80637B1CC318A9795F6EDC1E541A1E2CB8EE2A90
SHA-256:	DF2B9BC2925339734C17D5AC782C4E3829F1C8136D428462AF477ACCA2517584
SHA-512:	9EE5EE845742747683F9624096F5318C668AAD90ACCA859AED95EB99BC8ADFDAFD865CBAF15A931ACF76E53C18E60B349130D8950B2AFC5ED5446A7D5CC5439F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\apppatch\en-US\RuntimeBroker.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\security\database\93b40338b961c8

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with very long lines (441), with no line terminators
Category:	dropped
Size (bytes):	441
Entropy (8bit):	5.820658622131583
Encrypted:	false
SSDEEP:	12:LIw+QVZdcoTYpJExi8xuQOwgwO9z5oKBxKiO8jn:LkQ3dLUzEBNgR9z2Q1O8j
MD5:	D5AD69BD67376532C7C4129C2D04C70C
SHA1:	D4F1FF528DA61FB20AF1C70AE3DDF3B337868B86
SHA-256:	D1D7CAC3DAEE3F9427C6BA8975CC4698065E5BFE27BC21799E504D664F560C24
SHA-512:	2959222E5A136AC8477DA1EF13072C3E47179D336088F5E55D4E47A6524989A599E69CD0F0D4ECA07E92CB485FF87471F8E97538717230B4F24A7F091A4043C9
Malicious:	false
Preview:	MQeBeln9JbD9KLbfdX29AJds00QIqNKsaB0LmKcBJsZHIpfgAad6yhaDwwLnVfT6QViIVQ2S500RtWjKUtHQtO43kwY09yqoZd0xHXKuhKA7rJUaMASlXDMCboij1CTHKM2PfwD7iXsjN6Mbc8n8fEQWRyVcyl2f03weRE4a7UCAUnyecHG3YVlF5f8rakI6eNsUKrJXDNAKCQBo91Arf9GfRqjvGNAWLFfG4eUu7szKUbDoeTrjjabfHMCdHXR0Nn86v5tegPuwJ5L0m5RwfawunA9rb0mkb87qcH2ikNCUqpWLBM0MGeVw0NSv6BCqnKUK8eYfCsMRYcE8nyqPAZe7nLzOyHmiKWrgULNhyUKXRDXYJTHHVxpNqXhxpJr4FnHCvhoclJbpPGpjxbEe9eNXqe06oZ1onPRo6VmmppgLVA7js79NFM4lZ

C:\Windows\security\database\lcSuFJtLNWPBXChyfo.exe

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	849408
Entropy (8bit):	6.082450267000895
Encrypted:	false
SSDEEP:	12288:dyUvalAP4Un838iQqGImu7WCh8wakorqbHGEVCtREg:xn7n83rjmuCCfBLGWCtREg
MD5:	2708091AC73983D30F58E73C7681D035
SHA1:	80637B1CC318A9795F6EDC1E541A1E2CB8EE2A90
SHA-256:	DF2B9BC2925339734C17D5AC782C4E3829F1C8136D428462AF477ACCA2517584
SHA-512:	9EE5EE845742747683F9624096F5318C668AAD90ACCA859AED95EB99BC8ADFDAFD865CBAF15A931ACF76E53C18E60B349130D8950B2AFC5ED5446A7D5CC5439F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......>.... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\security\database\lcSuFJtLNWPBXChyfo.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.082450267000895
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	RlZ57mJ5Ug.exe
File size:	849'408 bytes
MD5:	2708091ac73983d30f58e73c7681d035
SHA1:	80637b1cc318a9795f6edc1e541a1e2cb8ee2a90
SHA256:	df2b9bc2925339734c17d5ac782c4e3829f1c8136d428462af477acca2517584
SHA512:	9ee5ee845742747683f9624096f5318c668aad90acca859aed95eb99bc8adfdafd865cbaf15a931acf76e53c18e60b349130d8950b2afc5ed5446a7d5cc5439f
SSDEEP:	12288:dyUvalAP4Un838iQqGImu7WCh8wakorqbHGEVCtREg:xn7n83rjmuCCfBLGWCtREg
TLSH:	3605F7027E44CE21F01D1633C2EF494887B4AD516AA6E31B7DBA376E55123A73C0D9EB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rb.....................6......>.... ........@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4cda3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6272A3D7 [Wed May 4 16:03:35 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcd9f0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd2000	0x218	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcba44	0xcbc00	15ce7200cd54495aa1b70014147d8c4c	False	0.5058605732361963	data	6.122411048490076	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0xce000	0x2fdf	0x3000	f2eae18320a88665cf2b6fa107616a9f	False	0.31005859375	data	3.243016931866706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd2000	0x218	0x400	a0eb98cfbb72fea7cf0984384d7b3371	False	0.263671875	data	1.8371269699553323	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd4000	0xc	0x200	d42e8cf29b4bf769ed14dc222a30731e	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xd2058	0x1c0	ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970	English	United States	0.5223214285714286

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-14T01:57:01.248593+0200	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	49704	141.8.192.169	80	TCP
2024-10-14T01:57:21.964174+0200	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	56369	141.8.192.169	80	TCP
2024-10-14T01:57:26.710004+0200	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	56398	141.8.192.169	80	TCP
2024-10-14T01:57:38.645591+0200	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	56474	141.8.192.169	80	TCP
2024-10-14T01:57:41.943581+0200	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	56496	141.8.192.169	80	TCP
2024-10-14T01:57:51.407580+0200	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	56551	141.8.192.169	80	TCP
2024-10-14T01:58:06.455264+0200	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	56594	141.8.192.169	80	TCP
2024-10-14T01:58:15.999683+0200	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	56595	141.8.192.169	80	TCP
2024-10-14T01:58:28.190524+0200	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	56596	141.8.192.169	80	TCP
2024-10-14T01:58:40.144339+0200	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	56597	141.8.192.169	80	TCP
2024-10-14T01:58:47.009650+0200	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	56598	141.8.192.169	80	TCP
2024-10-14T01:58:55.765504+0200	2034194	ET MALWARE DCRAT Activity (GET)	1	192.168.2.5	56599	141.8.192.169	80	TCP

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 01:57:00.476105928 CEST	59207	53	192.168.2.5	1.1.1.1
Oct 14, 2024 01:57:00.532386065 CEST	53	59207	1.1.1.1	192.168.2.5
Oct 14, 2024 01:57:14.890665054 CEST	53	58103	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 01:57:00.476105928 CEST	192.168.2.5	1.1.1.1	0x3cd	Standard query (0)	a1040171.xsph.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 01:57:00.532386065 CEST	1.1.1.1	192.168.2.5	0x3cd	No error (0)	a1040171.xsph.ru		141.8.192.169	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	19:56:53
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\RlZ57mJ5Ug.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\RlZ57mJ5Ug.exe"
Imagebase:	0xd90000
File size:	849'408 bytes
MD5 hash:	2708091AC73983D30F58E73C7681D035
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.2077905139.000000000360D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.2077905139.0000000003181000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:56:53
Start date:	13/10/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Imagebase:	0x7ff669820000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:56:54
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\fontdrvhost.exe'" /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:56:54
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\fontdrvhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:56:54
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\fontdrvhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:56:54
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe'" /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:56:54
Start date:	13/10/2024
Path:	C:\Recovery\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\fontdrvhost.exe
Imagebase:	0xa0000
File size:	849'408 bytes
MD5 hash:	2708091AC73983D30F58E73C7681D035
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000006.00000002.2161833890.0000000002541000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	19:56:54
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	19:56:54
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\microsoft.net\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	19:56:54
Start date:	13/10/2024
Path:	C:\Recovery\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Recovery\fontdrvhost.exe
Imagebase:	0xe50000
File size:	849'408 bytes
MD5 hash:	2708091AC73983D30F58E73C7681D035
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000009.00000002.2161298870.00000000031D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000009.00000002.2161298870.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	19:56:54
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe'" /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	19:56:54
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	19:56:54
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	19:56:55
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\common files\ctfmon.exe'" /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	19:56:55
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ctfmon" /sc ONLOGON /tr "'C:\Program Files (x86)\common files\ctfmon.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	19:56:55
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\common files\ctfmon.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	19:56:56
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lcSuFJtLNWPBXChyfo.exe'" /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	19:56:56
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Users\Default User\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	19:56:56
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	19:56:56
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 14 /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	19:56:56
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	19:56:56
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 14 /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	19:56:56
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe'" /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	19:56:56
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	19:56:56
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	19:56:56
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	19:56:56
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	19:56:56
Start date:	13/10/2024
Path:	C:\Program Files (x86)\Common Files\ctfmon.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\common files\ctfmon.exe"
Imagebase:	0x2b0000
File size:	849'408 bytes
MD5 hash:	2708091AC73983D30F58E73C7681D035
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001B.00000002.2161568814.0000000002618000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001B.00000002.2161568814.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	19:56:56
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	19:56:57
Start date:	13/10/2024
Path:	C:\Program Files (x86)\Common Files\ctfmon.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\common files\ctfmon.exe"
Imagebase:	0x10000
File size:	849'408 bytes
MD5 hash:	2708091AC73983D30F58E73C7681D035
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001D.00000002.2162507058.00000000022E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001D.00000002.2162507058.00000000022A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	19:56:57
Start date:	13/10/2024
Path:	C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\assembly\lcSuFJtLNWPBXChyfo.exe
Imagebase:	0x540000
File size:	849'408 bytes
MD5 hash:	2708091AC73983D30F58E73C7681D035
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.2161409046.000000000287A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.2161409046.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	19:56:57
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe'" /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	19:56:57
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	19:56:57
Start date:	13/10/2024
Path:	C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe"
Imagebase:	0x790000
File size:	849'408 bytes
MD5 hash:	2708091AC73983D30F58E73C7681D035
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000021.00000002.2161212488.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	19:56:57
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	19:56:57
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 10 /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	19:56:57
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	19:56:57
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 12 /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	19:56:57
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfol" /sc MINUTE /mo 10 /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	19:56:57
Start date:	13/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "lcSuFJtLNWPBXChyfo" /sc ONLOGON /tr "'C:\Recovery\lcSuFJtLNWPBXChyfo.exe'" /rl HIGHEST /f
Imagebase:	0x7ff635e10000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FF848F4B3ED Relevance: 3.0, Strings: 2, Instructions: 496COMMON

Download Yara Rule

Strings

NH, xrefs: 00007FF848F4DFA4
p\H, xrefs: 00007FF848F4E012

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID: NH$p\H
API String ID: 0-1232786254
Opcode ID: f5581ec08d657e442356a7d52797eeed9b349e44ade3f486a34f2d7dec5a7e5f
Instruction ID: 62b86fc4560ba7599698abe4bd80b64d698c27321ad01e2e6e94571700f19e73
Opcode Fuzzy Hash: f5581ec08d657e442356a7d52797eeed9b349e44ade3f486a34f2d7dec5a7e5f
Instruction Fuzzy Hash: 95027C31D1965A9FEB98EB68C4557B9BBB1FF68750F0400BAD00EE32D2CB386944CB14

Function 00007FF848F43440 Relevance: 1.7, Strings: 1, Instructions: 474COMMON

Download Yara Rule

Strings

K_H, xrefs: 00007FF848F4386E

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID: K_H
API String ID: 0-313846638
Opcode ID: b3ed67cae6ce30fc12d029dc9a3947b4528144b640021a2fdac50b60c738c06c
Instruction ID: 6d82be6dd78945d7727155cfb995f5f8457798bd353bedab3d6070b8e4bad49d
Opcode Fuzzy Hash: b3ed67cae6ce30fc12d029dc9a3947b4528144b640021a2fdac50b60c738c06c
Instruction Fuzzy Hash: 97F1B071D1DA8E8FEB45EB2888587A9BBE0FF5A750F4401BAC008D72D6DB786844CB05

Function 00007FF848F43580 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

K_H, xrefs: 00007FF848F4386E

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID: K_H
API String ID: 0-313846638
Opcode ID: dae3b3f68b58851a49532fc01eb6bb511613f20c60497f65a2acc18be4dae808
Instruction ID: af8075f5f0ae846faf7463f5e00b98405f57e08b4267ae1ed6897dfd91809a94
Opcode Fuzzy Hash: dae3b3f68b58851a49532fc01eb6bb511613f20c60497f65a2acc18be4dae808
Instruction Fuzzy Hash: 57D1AB7191D94E8FEB84EB2CC858BADBBE1FF59750F5001BAC009E72C6DB7868458B05

Function 00007FF848F4A380 Relevance: 1.1, Instructions: 1146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5bcf16c4895fd1cdab47aebad835877f5d81c71682fadac8c6fffd3d349a09a
Instruction ID: a23e5b70d4dfd5d65b759f1fbff2542192f5c535d2bc0d789f60ef83c1f78287
Opcode Fuzzy Hash: e5bcf16c4895fd1cdab47aebad835877f5d81c71682fadac8c6fffd3d349a09a
Instruction Fuzzy Hash: ED828D3090D6898FDB86EF2888596B97BF0FF2A301F1505BBD409D71A2EB38A585C751

Function 00007FF848F4CE00 Relevance: .8, Instructions: 779COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0a0fa42cd64964e5df5f6556271a88124934131de70d9620ffb56329c44e49e
Instruction ID: 2268908d19e82c0ceca7eda3720bcd0c70604b17cc77ced6a0676f10744918d6
Opcode Fuzzy Hash: c0a0fa42cd64964e5df5f6556271a88124934131de70d9620ffb56329c44e49e
Instruction Fuzzy Hash: B1527B3090D68E8FEB95EF2888596EDBBF0FF19300F1415BAD409D7192DB38A946CB45

Function 00007FF848F4CE08 Relevance: .7, Instructions: 704COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f7906f9ac0db49c5d02cd5d2df6fb8b0bcdd9a82c0418691592146ff18a5850
Instruction ID: 07ed522395301e9328ab5e09389fd1dbeb4b418c01c2f206fcbebbf3711bc458
Opcode Fuzzy Hash: 7f7906f9ac0db49c5d02cd5d2df6fb8b0bcdd9a82c0418691592146ff18a5850
Instruction Fuzzy Hash: F4426A3090D68E8FEB95EF2888596EDBBB0FF19340F0416BAD409D71D2DB38A945CB45

Function 00007FF848F4CE18 Relevance: .6, Instructions: 616COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2074cb19a44fde77acddf9b1f000b248b7d2356e5d457824ab1b79a7801415f7
Instruction ID: 658eda2c730a78158186ecef0aa8c6409defddcd5c68056b3e7463e24fd8fd6c
Opcode Fuzzy Hash: 2074cb19a44fde77acddf9b1f000b248b7d2356e5d457824ab1b79a7801415f7
Instruction Fuzzy Hash: 7B225930D0D68E8FEB95EF2888596E9BBB0FF19300F1416BAD409D7192DB38A945CB45

Function 00007FF848F4CE10 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e7b832bf4898b31b7bb965c029ef5edc82845bf8bd2dce044e0b1db076e407
Instruction ID: a3429d9f0bac7c75fe68f96b3b82ba5cb5952f8a993727634f8cbd6201746251
Opcode Fuzzy Hash: 08e7b832bf4898b31b7bb965c029ef5edc82845bf8bd2dce044e0b1db076e407
Instruction Fuzzy Hash: 92028A3090C68D8FDB89EF2888592BA7BF0FF29304F1456AED409D71D2DB35A546CB41

Function 00007FF848F4B2CA Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec17cb54c2176d201e513c95242e9a48cca9d4735d94e0c35ac8c4da2e39468
Instruction ID: 34daa66f306c67e991b0fabc84c3b3a7fb34598644658dea05077705d4d9be99
Opcode Fuzzy Hash: 2ec17cb54c2176d201e513c95242e9a48cca9d4735d94e0c35ac8c4da2e39468
Instruction Fuzzy Hash: D1D19A3090C68A8FEB55EF6488596FEBBE0FF19341F1406BAD409D61D2DB38A944CB94

Function 00007FF848F4D027 Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

S/, xrefs: 00007FF848F5BF8E

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID: S/
API String ID: 0-3732318034
Opcode ID: a874632882674d14ab237b594cff0a3390a9e2982fe8cec3dee08a6842ac5fce
Instruction ID: 5473bd5b2c185559aa432c55ab0c23976edf4e61b62409b633b6c340ee934248
Opcode Fuzzy Hash: a874632882674d14ab237b594cff0a3390a9e2982fe8cec3dee08a6842ac5fce
Instruction Fuzzy Hash: 58D12A3096D68A9FEB56AB7488592E9BBF0FF15340F0405BAD848C61D3EB38A548C745

Function 00007FF848F4CE51 Relevance: 1.6, Strings: 1, Instructions: 340COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF848F4CF39

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 4854d1dbb7b070ec9ac92a93b5cb692864e0a6ac17c6795918ba8cc3ddd49b5a
Instruction ID: 66155fd01a7427e88f3a5798d77eccce73006efa5008273933ae3901816285cb
Opcode Fuzzy Hash: 4854d1dbb7b070ec9ac92a93b5cb692864e0a6ac17c6795918ba8cc3ddd49b5a
Instruction Fuzzy Hash: 89A12732A0D65A8FEB55BB68A8141FE7BB0FF553B0F0416BBD408DA1C2EB3C64458764

Function 00007FF848F4CD45 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

[wK, xrefs: 00007FF848F4CD5F

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID: [wK
API String ID: 0-3402020622
Opcode ID: 90bbf438b31cbdb7022148d0f1917b5573574613299a8062d2b2f1e8334fa345
Instruction ID: d26807020f6c76a2d824d780775d36a1b7435450868fec602a6281f0120682a2
Opcode Fuzzy Hash: 90bbf438b31cbdb7022148d0f1917b5573574613299a8062d2b2f1e8334fa345
Instruction Fuzzy Hash: B191EF3190E68A8FEB45BF28D8152FE7BA0FF55355F0401BAE448CA0D3DB38A854C799

Function 00007FF848F4CD48 Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

[wK, xrefs: 00007FF848F4CD5F

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID: [wK
API String ID: 0-3402020622
Opcode ID: 3ade9b174bed33f8b7750fd68257049e8cc402091a043ce45661baafd30d47f7
Instruction ID: 83a3f0595ea74d18bf71bb03021083a51993caf630bc59641f16b6bdbe0d5290
Opcode Fuzzy Hash: 3ade9b174bed33f8b7750fd68257049e8cc402091a043ce45661baafd30d47f7
Instruction Fuzzy Hash: F791D03190E68A8FEB95BF28D8152FE7BA0FF55355F0401BAE448CA0D3DB38A854C795

Function 00007FF848F4122D Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F4129D

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: 1ce7492642262031fbaa3d5a7e27d73840e4f7692ac1bddb832853f7e79bc89e
Instruction ID: f798476a54ffbea60df3291c40147316dbf929d89cb788f398ec4445fab518de
Opcode Fuzzy Hash: 1ce7492642262031fbaa3d5a7e27d73840e4f7692ac1bddb832853f7e79bc89e
Instruction Fuzzy Hash: 72819A30D0C65A8FEB84EB68C8582F97BE0FF69751F04017BD409E71D2EB28A884CB54

Function 00007FF848F4294D Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

L_^7, xrefs: 00007FF848F42A83

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID: L_^7
API String ID: 0-199460033
Opcode ID: 13240d83cd130a430ccff14822ded67cb762f52faa4cec9c152ba1c639a7f68b
Instruction ID: 3b906994fa03b04c8c8566c68a914cbb5f186e8e8e4c9a9eebd20ee0cfd206d3
Opcode Fuzzy Hash: 13240d83cd130a430ccff14822ded67cb762f52faa4cec9c152ba1c639a7f68b
Instruction Fuzzy Hash: 7851BA2661E6539AD3027BBCB4910E57B60EF422B9B484773D0C8CD097CE2D604A83E9

Function 00007FF848F4CD3D Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

<J_H, xrefs: 00007FF848F5E8EF

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID: <J_H
API String ID: 0-2744129578
Opcode ID: 69cfc410b008fea0a078fef4b7ef5fabeed3972305b77f37e1cbfe37fefea6c5
Instruction ID: 9fa3ff6ea32a9a087253d37f0367f39a8334eec1c29b4fad227024790c2accdc
Opcode Fuzzy Hash: 69cfc410b008fea0a078fef4b7ef5fabeed3972305b77f37e1cbfe37fefea6c5
Instruction Fuzzy Hash: 95510670E08A299EEB94EB68C8957EDB7B1FB58341F50017AD00DE32C2DF386985CB55

Function 00007FF848F41240 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F4129D

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: f4e4f455cee8e04c071d560667e0bee4ac55bddfcfb0ba93c5e6866380526a81
Instruction ID: fe21628b520d4455e8e335379ee676de93ee180fcef19fd3711d187981dfb38d
Opcode Fuzzy Hash: f4e4f455cee8e04c071d560667e0bee4ac55bddfcfb0ba93c5e6866380526a81
Instruction Fuzzy Hash: E331C070D0DA6E8FEB98EB68C8192F977E0FF69751F04017BD409E31D2EB24A9848750

Function 00007FF848F4B40D Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b30c50481876d69f0de85a90ed0949a9a80e52c8ec1ba3df7830973c620d45e7
Instruction ID: 5014ff87664db4e1031c5560ed618d8019ecdaa8d9b4d4fb61de550bc35c27c7
Opcode Fuzzy Hash: b30c50481876d69f0de85a90ed0949a9a80e52c8ec1ba3df7830973c620d45e7
Instruction Fuzzy Hash: 3FF1DC3091D68A8FEB51EB6888586F9BBE0FF25750F0405BBD408D70E3EB38A554C745

Function 00007FF848F4CE38 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c81465d14a7dfb0948081685e2546693241d7005a217a49f05c8555277d604
Instruction ID: 343bb402d2955bb7bc79799f825ab6d6bef1c7c1a2c582eed59434101d09af2f
Opcode Fuzzy Hash: 46c81465d14a7dfb0948081685e2546693241d7005a217a49f05c8555277d604
Instruction Fuzzy Hash: 4DE16A30D0D65E8FEB99EB2888556EDBBB0FF19300F1015BAD40DE71C2DB3869868B45

Function 00007FF848F4CE40 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0173909d1b403ceacd54a7b689a508cc41b700b49bd72556bd887c36a7812aeb
Instruction ID: cb462cac35b9d9ae35330f4cd9e8c84abcf58929c46b656bd91a40f26a795d27
Opcode Fuzzy Hash: 0173909d1b403ceacd54a7b689a508cc41b700b49bd72556bd887c36a7812aeb
Instruction Fuzzy Hash: E2E16930D0C65E8FEB99EB2888556EDBBB0FF59300F1016BAD40DE71C2DB3969858B45

Function 00007FF848F42D40 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6441f46ac455aafee602f0dc715ad021d5564334d59f1fc5aa546285b23ec4b
Instruction ID: 8de7efb49733268c1979f72e66f4c68ea55507b8c2325164529a20c6a7eabdb2
Opcode Fuzzy Hash: f6441f46ac455aafee602f0dc715ad021d5564334d59f1fc5aa546285b23ec4b
Instruction Fuzzy Hash: 8DC1BD3090D68A8FE752FBB888596BA7BE0FF29751F0405B7D409D70E2EF38A4448714

Function 00007FF848F42155 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f389c74d62b132fb2f36a38583b20a2a720ba3ecfaa77fa43e2bd9dc777e2a
Instruction ID: fd770d31280664780ff3ef32b223a77e1a7a92c12a82c437979fbabde0b76d33
Opcode Fuzzy Hash: 69f389c74d62b132fb2f36a38583b20a2a720ba3ecfaa77fa43e2bd9dc777e2a
Instruction Fuzzy Hash: 85D1BB30D0D65A8FEBA5EB6488557B8B7A0EF65740F0001BBC40DE72D2DF386985CB54

Function 00007FF848F4B1F5 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3594a9abaaca8a99373b246ef601c6812e348c920e33e9ea36b1726cb01a73f9
Instruction ID: 19bbdca27adb7fa994c46a48688ab90b5b1f0bec815b2fd78dcba16d053c26d3
Opcode Fuzzy Hash: 3594a9abaaca8a99373b246ef601c6812e348c920e33e9ea36b1726cb01a73f9
Instruction Fuzzy Hash: 29D11530D0965ACFDBA8EF68C4556BDB7B1FF99341F1400B9D40EA3292CB386881CB55

Function 00007FF848F63EA0 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43293484486c28efa80b9713e414232c55adaa07947dd7eb736ed3fd36a98ce3
Instruction ID: 43467f45677ddc14f76414aff33ab2f1ef03eb9c976ef6471b45f418568a349a
Opcode Fuzzy Hash: 43293484486c28efa80b9713e414232c55adaa07947dd7eb736ed3fd36a98ce3
Instruction Fuzzy Hash: D6C17930D0C65D8FEB99EB28C8556EDBBB0FF59300F1012BAD40DE7282DB3869858B45

Function 00007FF848F63F10 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ae305e60f9dc1e6121fd158186e5626040ee2fb729b2823e5934a685729a39
Instruction ID: 789ccca0c166d3f8b97cf07bb27ba1b372deaf5970d4a3f469f8de0102e3c9df
Opcode Fuzzy Hash: 93ae305e60f9dc1e6121fd158186e5626040ee2fb729b2823e5934a685729a39
Instruction Fuzzy Hash: EFC15630D0C61E8FEB99EB68D8456EDB7B0FF59300F1012BAD40DE7282DB3869858B44

Function 00007FF848F41B85 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d74956c1cffe1e878287dcc49adc2ed2e2ac5f57528b49cfdd7521d49621f1af
Instruction ID: 041eaead90993ce1ecbac9e0a9dc909d2260f5cd8ed2fd322e2dbd7e5eaa7eb6
Opcode Fuzzy Hash: d74956c1cffe1e878287dcc49adc2ed2e2ac5f57528b49cfdd7521d49621f1af
Instruction Fuzzy Hash: 49A10031A0CA998FDB59EF2888551BA7BA1FFA5740F0401BFD449D72D2DB34A882C745

Function 00007FF848F42CE8 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4c4a7e4e9d4f7209cf0e1369fe0aba0ad8a3ba09781a2a6900f2d3a5d5b9b86
Instruction ID: 05f638d290c660dae584798298e4966f2cf5068e5c70d8c4037845aab669fa09
Opcode Fuzzy Hash: d4c4a7e4e9d4f7209cf0e1369fe0aba0ad8a3ba09781a2a6900f2d3a5d5b9b86
Instruction Fuzzy Hash: 32A1CF3085E68A8FE792BB7888591FA7BE0FF25750F0416BBD409D60D3EB38A148C715

Function 00007FF848F51100 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae8bffdbc15a9dcbfc17598f57c39723a9e26da59f92f603fb07135bf70ff2f0
Instruction ID: ad39b9e1d141a627883afb4c36754307155b6925e0a4800247933eb24d00f4b0
Opcode Fuzzy Hash: ae8bffdbc15a9dcbfc17598f57c39723a9e26da59f92f603fb07135bf70ff2f0
Instruction Fuzzy Hash: 0EB16A3080D68E8FEB95EF2488592FEBBB0FF19345F0405BAD419D7192EB38A584CB45

Function 00007FF848F41748 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23bb64d4b8e44512899500f031c4c6357ae4fe0752164071f058961cb604f2d4
Instruction ID: ad46f348b80e19a886b011fee0b504a73cbc4069c2885c89c796cea61dff275a
Opcode Fuzzy Hash: 23bb64d4b8e44512899500f031c4c6357ae4fe0752164071f058961cb604f2d4
Instruction Fuzzy Hash: B181CC31A0CA598FDB98EF1C98516A977E2FFA8B50F14017AD44DD32C6CF34AC428785

Function 00007FF848F405F0 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5daae7d93e76b732f2d9776d4d36870191ffc069b06326e2d94bb65c294c2170
Instruction ID: 30fd5e3669372a6b36c9a1018b68c846b8828a906400b4134d7e102a09fce771
Opcode Fuzzy Hash: 5daae7d93e76b732f2d9776d4d36870191ffc069b06326e2d94bb65c294c2170
Instruction Fuzzy Hash: 3D81CF30A0CA998FDB49EF1888555BA77E1FFA8740F10457ED40AD32D2DF35A882C784

Function 00007FF848F52870 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48715aa71a0874d0ab516cb19b909c450298bd46dea158acc2902ccec9e2b86a
Instruction ID: 8fe70cc0c6fab0fbb73db8ec9582fc26534ad99fd523972d8be898a57673dd29
Opcode Fuzzy Hash: 48715aa71a0874d0ab516cb19b909c450298bd46dea158acc2902ccec9e2b86a
Instruction Fuzzy Hash: DAA1593090964A8FEB54EF68C8496FEBBF1FF58345F10467AE409D3292DB38A544CB54

Function 00007FF848F42CF8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75e5b49bf5f0cc08d8f16218b225d87bfc7956425cdd96da6de00a9bb0db37e
Instruction ID: f5f90c6397c0bd8dcd3ada9c635f466a42013e355afe3d5259b0abd5c5a377c0
Opcode Fuzzy Hash: e75e5b49bf5f0cc08d8f16218b225d87bfc7956425cdd96da6de00a9bb0db37e
Instruction Fuzzy Hash: 6191A03085E78A8FE792BB7888191FA7BA0FF16750F0416BBD448D60D3EB38A548C755

Function 00007FF848F4C488 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 901abc51ec7d30e9aaf026711fa438a3e6fac0d26ef4feaf7fb62b9865c46a1d
Instruction ID: c5f1feab3e27c1d484dcaf96a5bd5178d60eb5f42c0879b7d4f50add5d05ec35
Opcode Fuzzy Hash: 901abc51ec7d30e9aaf026711fa438a3e6fac0d26ef4feaf7fb62b9865c46a1d
Instruction Fuzzy Hash: C091A33084E78A8FEB56AB3488282F97FB0EF26740F0516BBD449D61E2EB389544C755

Function 00007FF848F41C59 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ac96f4b82d3b792e335ba6f125c6cd77b616c7b0ceb467f4ad41c06cf6b3df
Instruction ID: 633e777a7733ef46075c94d71c341b8e4b01d8346043dd274f6b65c7edf663e3
Opcode Fuzzy Hash: 58ac96f4b82d3b792e335ba6f125c6cd77b616c7b0ceb467f4ad41c06cf6b3df
Instruction Fuzzy Hash: 4B81DF30A0CA9A8FDB49EF1888555BA77E1FFA9750F14417ED409D32C2DF35A882C785

Function 00007FF848F4C540 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7955552554f6a9483635fe50a79193a34bbd7d3fe56528f28a6ac242b5d24327
Instruction ID: 9e842bc6b545f9d5cdcfb0ff1432c60b06aa5f044f4c297c2bc35bb51ca497a3
Opcode Fuzzy Hash: 7955552554f6a9483635fe50a79193a34bbd7d3fe56528f28a6ac242b5d24327
Instruction Fuzzy Hash: F6919A3090D68E8FEB45EB2488582B97BE0FF29301F1405BBD409E71D2EB39A944CB55

Function 00007FF848F40A01 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55b317f547e777d416df7fa9bb36ca0b11ff56b42dfedb666f3bcb535c41470
Instruction ID: b3fde77feac518c4dfa28f7a71691559e474bc0e500806dc4b4ae7f468f9f850
Opcode Fuzzy Hash: a55b317f547e777d416df7fa9bb36ca0b11ff56b42dfedb666f3bcb535c41470
Instruction Fuzzy Hash: 6E81AD3090D68A8FE791FB2488592F97BE0FFA9750F0445BBD808E71D3EB38A5448B45

Function 00007FF848F59568 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cccb8d98ee0b2ab1a0c65fa1f3b8a5daab290a964d1f00ab71099c0da57a1531
Instruction ID: ea45e79da86da322f45e582e10a39971a378b8418458ef40fd878b9106672bd5
Opcode Fuzzy Hash: cccb8d98ee0b2ab1a0c65fa1f3b8a5daab290a964d1f00ab71099c0da57a1531
Instruction Fuzzy Hash: B491693090D68A8FEB45EF2888596FE7BE0FF28341F1046BAD409E7192DB39A545CB54

Function 00007FF848F4BF7A Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04a54d29426c8a24c5d1f9a4b2b856d1a0fd52d47513607aea80b7a49cd189e
Instruction ID: 4f57d63c5e50d08691f8d44495c96e2e33457375bd11865c5fd5ae14d9842229
Opcode Fuzzy Hash: f04a54d29426c8a24c5d1f9a4b2b856d1a0fd52d47513607aea80b7a49cd189e
Instruction Fuzzy Hash: C881AE3085D78A8FE796AB7488192F97FA0FF26740F0515BBD808D60D3EB78A548C705

Function 00007FF848F59560 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f569ae4c85b08c4a67552b7052244b45305063c075d965d1b7a3a848b4fc5a07
Instruction ID: af540b7c8fdb8aba25b2f58887474b489e9e9846ff8e97456b15f2ff25bba3f0
Opcode Fuzzy Hash: f569ae4c85b08c4a67552b7052244b45305063c075d965d1b7a3a848b4fc5a07
Instruction Fuzzy Hash: 83819A3080D68A8FEB55EF2488592FE7BE0FF29301F1406BAD409E31D2DB39A545CB85

Function 00007FF848F4B28D Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bad2a1714811196c169e585da713e1794fff16bae9b7d7212ed8aa72076d647
Instruction ID: a0b1528a724d6042808f6e4a3c7e272d456df923374cc9383b041768692e57a3
Opcode Fuzzy Hash: 1bad2a1714811196c169e585da713e1794fff16bae9b7d7212ed8aa72076d647
Instruction Fuzzy Hash: D4915B3090D78E8FEB95EF2888592FEBBB0FF15345F0405BAD858D6192DB38A584CB45

Function 00007FF848F42AB8 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc5c7837800662fb76920070f68278d0aaa9c7221bcc17b16de41d515dafede
Instruction ID: 4759620ad6c1df3601c1d28e155c71796bc44a39d56b73a295866a722b90916b
Opcode Fuzzy Hash: dfc5c7837800662fb76920070f68278d0aaa9c7221bcc17b16de41d515dafede
Instruction Fuzzy Hash: CC819C30D0EA8A8FEB95EB6898292FDBBB0EF45354F0445BAD409C61D3DF386944C749

Function 00007FF848F59548 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6969c5fa04ed251cd1c36bee792b756a8d91134016921c5ae876c730d669a3b6
Instruction ID: d9b0f030d4b4db5006d401a43531f02f26427de8d1fc6e10e8d7c8ffa995095c
Opcode Fuzzy Hash: 6969c5fa04ed251cd1c36bee792b756a8d91134016921c5ae876c730d669a3b6
Instruction Fuzzy Hash: 9B81693090C68E8FDB85EF2888596FABBE0FF29345F1046BAD409D3192EB35A545CB45

Function 00007FF848F405D0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe676d411e2bcd76c0a904fa1f1709412ce74d41e51b6e7d2832915a4c11097c
Instruction ID: 2016cc0cd52c26277b40df1986e21847b4a593f0b8cb3b2ccbf1512a6dec8d63
Opcode Fuzzy Hash: fe676d411e2bcd76c0a904fa1f1709412ce74d41e51b6e7d2832915a4c11097c
Instruction Fuzzy Hash: B961B031A0CA9A8FDB49EF1888555BA77E2FFA8754F10417ED449D32C2CF35A882C785

Function 00007FF848F4CE1D Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded4a50ddd7c199fb6abc66f6ba4fca1a5ff0eb4729fb32730dc8affe2b17a52
Instruction ID: 831a3e753caa314dd7e127d0d2c004d1d3c591d1016b3b7625f22dc9660838de
Opcode Fuzzy Hash: ded4a50ddd7c199fb6abc66f6ba4fca1a5ff0eb4729fb32730dc8affe2b17a52
Instruction Fuzzy Hash: E4719B30A0C6098FEB45EB68C8186EEBBF0FF19340F1006BAD409E7691EB38A545CB54

Function 00007FF848F42AD8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a3711eee57f100536a7dec2559b8d494cd3ed35ad911f0861ee254d330ec9f0
Instruction ID: 319618e793cca596a197f240fbb5780a08b9e8311aac4085e439e7209fbc4b32
Opcode Fuzzy Hash: 7a3711eee57f100536a7dec2559b8d494cd3ed35ad911f0861ee254d330ec9f0
Instruction Fuzzy Hash: 33717D30D0DA8A8FEB95EB6898192FDBBB0EF15354F04457AD409C61D3DF386944C749

Function 00007FF848F4BFE8 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f109fdf12681695fc91ceef159ccab64290add612cbd590db0d0a239314717ad
Instruction ID: 0cfe31f59997610457960e4b67f72e77fc8fa9eb9cc05b83fa3051e927392607
Opcode Fuzzy Hash: f109fdf12681695fc91ceef159ccab64290add612cbd590db0d0a239314717ad
Instruction Fuzzy Hash: E861BF3085E78A8FE796AB3888592F97BE0FF25740F0415BBD409D60D2EB78A548C705

Function 00007FF848F4C538 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af28eaae6b05e30a1d803c4748f98c19a046ee8d85e9935e3569dbc21a64624
Instruction ID: faee97f4e63724dfcd5de76f5db01b1819a5182a3d3b45129453a137a4db79a9
Opcode Fuzzy Hash: 3af28eaae6b05e30a1d803c4748f98c19a046ee8d85e9935e3569dbc21a64624
Instruction Fuzzy Hash: F8719F3081D78E8FEB56AB2488182FD7BA0FF25741F0416BBD419D61D2FB38A944C745

Function 00007FF848F431E0 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce816f34e889d86ef6334310c82c6d992b358e996d55029d23577d0ecd86cf2d
Instruction ID: 96961a8959bfec61aa8a51e0f08390f1e9c0664a9df6d864f12c4e321fbc27dd
Opcode Fuzzy Hash: ce816f34e889d86ef6334310c82c6d992b358e996d55029d23577d0ecd86cf2d
Instruction Fuzzy Hash: 4C611530D0960D8FEB54EBA8C498AEDBBF1EF68741F10407AD409E7292DB38A944CB54

Function 00007FF848F4C06A Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85376322bc0444e7b06a4c2e7ee4efe3ee790450c2e207455eaa2493ee4b7356
Instruction ID: 72cd9600e7fa707ab85a9d79efc1978f690248fb85ca8b60a96aa25e3cd1e529
Opcode Fuzzy Hash: 85376322bc0444e7b06a4c2e7ee4efe3ee790450c2e207455eaa2493ee4b7356
Instruction Fuzzy Hash: 20518F3085D78A8FE796AB3488592F97FA0FF26740F0516BBD409D60D2EB78A548C705

Function 00007FF848F4C5A8 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c0b408c12be272bd3b625370199e1c23232416a47639996e35ccdbf5c51326
Instruction ID: 3a4c411201111170c3d49ad00c8a498eb5a857845cfa505b6b4c21c65004687f
Opcode Fuzzy Hash: 99c0b408c12be272bd3b625370199e1c23232416a47639996e35ccdbf5c51326
Instruction Fuzzy Hash: C7517D3090D78E8FEB55EF2488182F97BA0FF25741F0416BBD419E61D2EB38A954CB45

Function 00007FF848F4CDF5 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f2bc21a671a86888c34959388738a68cf1cae88b9d9d51b15f7a688a0f353b
Instruction ID: d51231f115608bfbe331f63e1cadd7af4a2786951996c340b92c43c8ac19d514
Opcode Fuzzy Hash: 53f2bc21a671a86888c34959388738a68cf1cae88b9d9d51b15f7a688a0f353b
Instruction Fuzzy Hash: 79519E3090E68E8FEB59FF24C8592FABBA0FF55341F0405BAD809C61D2DB78A954C785

Function 00007FF848F41D79 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc9d09edb8bc9076eee32050952f8dfd7456f5639560c7422e67584f3ddbd5d
Instruction ID: 749f6351dc3665ecb40548800f8414fa47b30a89b286dfc5370897d98b63f9ab
Opcode Fuzzy Hash: 8dc9d09edb8bc9076eee32050952f8dfd7456f5639560c7422e67584f3ddbd5d
Instruction Fuzzy Hash: 9641AC31A08A598FDB4CEF1888556BA73E2FBA8755F10463ED45AD3285CF30E8428784

Function 00007FF848F43130 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c447b1a7b5cad500c9a4d79cb51ba758f1baac4aec2357dcd222783fdcbd98
Instruction ID: 2b96b35faa2bd719b67309cd95561bfb3c808e8732983da4116cbe85d4b0b47e
Opcode Fuzzy Hash: 76c447b1a7b5cad500c9a4d79cb51ba758f1baac4aec2357dcd222783fdcbd98
Instruction Fuzzy Hash: EC51DF30C0E68A8FE756EB7888586F97FB0EF66340F0545BBD409E61D2EB38A644C715

Function 00007FF848F42EC9 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a839832f69c1e3b63c1eb548a7fd82a191a305a243df471accf6b509d38baa73
Instruction ID: c8c4b89321aabe77025be70c8bf2f84e18462336d26ef41f933ad1fbba44ac11
Opcode Fuzzy Hash: a839832f69c1e3b63c1eb548a7fd82a191a305a243df471accf6b509d38baa73
Instruction Fuzzy Hash: 1141E33091D68A8FE752ABB888192FA7BE0FF26750F0409BBC404D60D2EF78A548C705

Function 00007FF848F4C0D8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67b90e4cfcaca15db2e663ac4bf89cf93385dadc883ac37c6b5689f78c6e259
Instruction ID: 2ff25e14207982bdfb9df819f53a90bb204e5ba9043ba7475991bfca74a72a11
Opcode Fuzzy Hash: c67b90e4cfcaca15db2e663ac4bf89cf93385dadc883ac37c6b5689f78c6e259
Instruction Fuzzy Hash: 1F417D3085D78A8FE796AB3488691F97BF0FF26740F0516BBD409D60D2EB78A548C705

Function 00007FF848F59550 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d952280083baaf73d96073dabcb3a0d979156417603459684d0442d40422d1f4
Instruction ID: 7547d4e90d2089d42b09191a98513d3d436a9a47e4223120af319741e8ea553e
Opcode Fuzzy Hash: d952280083baaf73d96073dabcb3a0d979156417603459684d0442d40422d1f4
Instruction Fuzzy Hash: 76415C3081D78E8FDB95EF2888495FA7BE0FF29345F0006BAE849D3191EB35A555CB41

Function 00007FF848F4C628 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249d0a3140be060579ba70888f83ada0998c9e660a243981d358f6404795dfe2
Instruction ID: a39b4172d99ad2b6fd9633d31e4be05e68d56bcd6e95db9b1369f5da3f99c635
Opcode Fuzzy Hash: 249d0a3140be060579ba70888f83ada0998c9e660a243981d358f6404795dfe2
Instruction Fuzzy Hash: E2418E3080D68E8FEB55EF2488182F97BA0FF15740F1416BBD419E21D2EB38A944CB85

Function 00007FF848F4C7C2 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dfb83258a9428b437c732433ac16bbe7096e6dfd7bb1d59306e4ef67562afec
Instruction ID: 75c5de7fe31572741f342f628fb15788b3061c5e6e2fe7cd1d17d4ea296e2efd
Opcode Fuzzy Hash: 4dfb83258a9428b437c732433ac16bbe7096e6dfd7bb1d59306e4ef67562afec
Instruction Fuzzy Hash: 2731A471E1C91D9EEB94FB989895ABCBBF1FFA8740F50112AD00DE3282DF3468418B44

Function 00007FF848F42F58 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac92d49ceace85b25e528550e856b4fd9999426318800cdddd9c9c3412f375cb
Instruction ID: 24f08bb0c6e958c5a20ba2587aac5d7c4cc561846f5b320962fff35f387545cd
Opcode Fuzzy Hash: ac92d49ceace85b25e528550e856b4fd9999426318800cdddd9c9c3412f375cb
Instruction Fuzzy Hash: B631C13191D68A8FE752BBB888192FA7BA0EF25790F440A77D404D60D2EF78A518C745

Function 00007FF848F4C83A Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ae1502c2937d85faebdaba50c7dcc26ec95b6c62425deabce01406deba2753
Instruction ID: 61b2a61b79f9e4c96637fc3ddb4246ba0f9c6c5b24d555e801980426522b5195
Opcode Fuzzy Hash: 50ae1502c2937d85faebdaba50c7dcc26ec95b6c62425deabce01406deba2753
Instruction Fuzzy Hash: 8A21B770E1C91D9FEB94FBA89855ABCBBB1FF69740F50112AD00DE3282DF3468418B44

Function 00007FF848F4C6A8 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc63c4b3663676986e67d7514c0af75cdff4c821701f0f3a5d36a4faae1a19ff
Instruction ID: 7003d7020ca192b90edb85c401df12c6c882dc27d0913253f3e6a6e04eb264ef
Opcode Fuzzy Hash: cc63c4b3663676986e67d7514c0af75cdff4c821701f0f3a5d36a4faae1a19ff
Instruction Fuzzy Hash: EF316B3090D68E8FEB55AB6488142FA7BE0EF15740F1416BBD419E31D2EB78AA44CB85

Function 00007FF848F404F8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1379f65faa9478174dff67f9ebcec9c323158e3f874257326136d3800e99150
Instruction ID: be60d0fabae345556192a08557dd2b6036a2fed254e46891f543e3e2549ae7af
Opcode Fuzzy Hash: a1379f65faa9478174dff67f9ebcec9c323158e3f874257326136d3800e99150
Instruction Fuzzy Hash: 95316B3091D64D9FEB45EB6488586B97BE0FF29341F1508BBD409D71E2EB38A544C714

Function 00007FF848F427C9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520e22db285680ad3eeecb1823c5bd06eb3e4582cac931e1ce6fa0e47b8ca3a0
Instruction ID: f5d6a335555c120f9e46b1e6aa862e5ba55ed87811c2c00ee11b10bd38545d71
Opcode Fuzzy Hash: 520e22db285680ad3eeecb1823c5bd06eb3e4582cac931e1ce6fa0e47b8ca3a0
Instruction Fuzzy Hash: 47218E3181E7CD8FEB56AF6488582A93FA0FF66741F1504BBD408C61E2EB38A458C751

Function 00007FF848F42FC8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9fb70b2cffb64e1c9434e33a05c624a55a0874b312f7751a592b40f55583dbf
Instruction ID: bdb78e42fdf28e49868548da33b8237353aab5141fdeec8f129af7f83c56bc7a
Opcode Fuzzy Hash: e9fb70b2cffb64e1c9434e33a05c624a55a0874b312f7751a592b40f55583dbf
Instruction Fuzzy Hash: 8021DF31D0D68E8FE755ABBC8C156FA7BA0EF64B94F040A37C405D21C6EF78A118C644

Function 00007FF848F4C1C8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03739a1f2de89ba71c035d9ead9c9766467cb50c26aaa65bb5a4e983ce224450
Instruction ID: a8b502fc966f2113dd7b4d6d768a6e84b8899f09cf533bf4884527ea0e542559
Opcode Fuzzy Hash: 03739a1f2de89ba71c035d9ead9c9766467cb50c26aaa65bb5a4e983ce224450
Instruction Fuzzy Hash: E121BE3094D78A8FE796EB7888691A97BF0FF25700F0416BBD409C20D2EB789648C715

Function 00007FF848F43248 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07eeebd732e100116777d47d3516cc2310b258401b868b090339aa7a1b9435ec
Instruction ID: 1595cb46d2c3983eaae65913179d60ad35c34a10e15c546cc54323a63a46b975
Opcode Fuzzy Hash: 07eeebd732e100116777d47d3516cc2310b258401b868b090339aa7a1b9435ec
Instruction Fuzzy Hash: 2B215E30C0D55E8EEB58FBA8C455AFEB6B1EF64750F10013AD409E22C1DF786644CB55

Function 00007FF848F405D8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc96f85c3ed4c9bd7073ae7ec1d790d61988fa710a3b3b16a655940b20c89f5
Instruction ID: 318893871ac0985e79f3a813550c79feb4af2f9cb18062bd0a4265955698042f
Opcode Fuzzy Hash: 3dc96f85c3ed4c9bd7073ae7ec1d790d61988fa710a3b3b16a655940b20c89f5
Instruction Fuzzy Hash: 9211BC3094C69E8FEB89EF2488586BA7BA1FF29340F1044BFD40AD70D2DB36A495C744

Function 00007FF848F4B04A Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b26eaaaa218e4f57676e49da1fce65fd09912d8f780f4e542499b34cee58e15
Instruction ID: 635319074d214904588f0183976efa59e7dff805c7e7d66d490342b704b4021c
Opcode Fuzzy Hash: 2b26eaaaa218e4f57676e49da1fce65fd09912d8f780f4e542499b34cee58e15
Instruction Fuzzy Hash: 9611BF3181D3898FE342FBB888985E97BB0EF66742F0505B7C004DA0E3EA28A4888755

Function 00007FF848F4B7AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bccdbafa936027b69b5720bf8ea0e0074fff18231759cbf14e228dbaed3e03f4
Instruction ID: 08425d32cf6bed96dd93311c9bb91ac88ac307b50fe8a94a0b7643045a0cb560
Opcode Fuzzy Hash: bccdbafa936027b69b5720bf8ea0e0074fff18231759cbf14e228dbaed3e03f4
Instruction Fuzzy Hash: 27112E71C1D55A8EEB59EBA8D8557EDBAF0FF28740F1401BBD00DA22C2DB3859858B18

Function 00007FF848F4C239 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51648bf2eb049b79ac68ce95c6456fbadf987a22ffbac38f787373389e28325
Instruction ID: 1d4c53eb33327f4acbdbab5da76fdd00f855e680fadc0bfbd45fa679ccf484b6
Opcode Fuzzy Hash: d51648bf2eb049b79ac68ce95c6456fbadf987a22ffbac38f787373389e28325
Instruction Fuzzy Hash: F5018F3090D78A8FEB86EB7488181B93FB0FF26640F0506BBD854D31A2EB745604C715

Function 00007FF848F42449 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb1829a2a859bfc97f90603cc9db84e273f915d9c1c860acd02acd41175d7ed
Instruction ID: bb55120bf903cb77a8f3ef1f9cf8671f2e84d02e252ad98b749118a7e09f7860
Opcode Fuzzy Hash: ceb1829a2a859bfc97f90603cc9db84e273f915d9c1c860acd02acd41175d7ed
Instruction Fuzzy Hash: 5611E870D08129CEEB64EF54C8457EDB6B0EF61740F1001BAD44EA62D2DB786A84CF44

Function 00007FF848F40610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9b84843de1c966c9f7209f67e50f75bfc918e46d0b4bb9341f84fcd9172928
Instruction ID: 5e88cbe66c243e1d20f0b6ddb497c819eba1624be41a072ddaa3649d1a1809ce
Opcode Fuzzy Hash: 7c9b84843de1c966c9f7209f67e50f75bfc918e46d0b4bb9341f84fcd9172928
Instruction Fuzzy Hash: 5201193091960E9EEB59FBA484596BDB7A0FF28345F6008BFE40ED21D1DF39A590C714

Function 00007FF848F59558 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f90d771bd14cafc07c1be72e464ce83aa8e22ce8bb3a99ba05013e6462e7629
Instruction ID: 65ea7899a566d5418d3662cfc902af0195396386046b8412369340d07a0011a9
Opcode Fuzzy Hash: 2f90d771bd14cafc07c1be72e464ce83aa8e22ce8bb3a99ba05013e6462e7629
Instruction Fuzzy Hash: 5EF06D3081864E8FEF54BF2888096FA37E0FF29355F10163AE80DD2190DB34A060C785

Function 00007FF848F428AD Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 494268087ff6841dd3060246e58cb156f3f72cc25017532da06480971a1a4c3a
Instruction ID: f37616314363953dee55f90b031fab17086147822e6ddf67bfc3208f6f142453
Opcode Fuzzy Hash: 494268087ff6841dd3060246e58cb156f3f72cc25017532da06480971a1a4c3a
Instruction Fuzzy Hash: A7F0943180E68E8FEB59AFA488592BD3BA0FF25741F5014BBE809C21D2EB38A450C700

Function 00007FF848F4B0B8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28895dc5174b3551953117f472de3d971e766354d9de1e481fe7d0974a19e6ba
Instruction ID: fce4c78ee6796507f0c17fa11c6f2d4cbff9810751e476a60637e26c68760db3
Opcode Fuzzy Hash: 28895dc5174b3551953117f472de3d971e766354d9de1e481fe7d0974a19e6ba
Instruction Fuzzy Hash: 9DF06D3181E3C28FD312ABA89CA01F93B709F52659B0902F7C084DA0E3EA2DA4488355

Function 00007FF848F42848 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c2e0df0dec7313ebf186e43e9099cd30ae1e746bd5cb5110930f8aa5118291
Instruction ID: b64f9f36165170307a8cd4c97e7ab97ae8b8e0374b26a668ddafa97aac8e5b9e
Opcode Fuzzy Hash: 55c2e0df0dec7313ebf186e43e9099cd30ae1e746bd5cb5110930f8aa5118291
Instruction Fuzzy Hash: BCF08C3089DA8E9EEB69BF6498082FD3AA0FF65745F10087FE809C11D1EB78A1648640

Function 00007FF848F4B748 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba6311bfb43d80a7e4a7b79388b2f88412f999ceddfcb0c3ff08b81978ba4fc
Instruction ID: 233bd8de058186b7bd8700ebca82eaa67a36363331d7cdeb288db11ad0abfaa9
Opcode Fuzzy Hash: 7ba6311bfb43d80a7e4a7b79388b2f88412f999ceddfcb0c3ff08b81978ba4fc
Instruction Fuzzy Hash: F7F01D31908A198FEFA4EB48C840AE873F5FB58B51F1002A6C409E3291EB786981CB04

Function 00007FF848F4BE37 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f16e197779d5a4ed46c75bc966eff021c9f03d64b04996e6a4f9baab6c855c3
Instruction ID: 3854dd5e689fee499428b5e6df3dc61726c9baca41fb660201352ff4dca7a69b
Opcode Fuzzy Hash: 5f16e197779d5a4ed46c75bc966eff021c9f03d64b04996e6a4f9baab6c855c3
Instruction Fuzzy Hash: DCF0B230C1851A8EEBA0EB68C8443ACB6B1FF58240F4041F6900DF22A2DF752AC08B08

Function 00007FF848F40608 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fce7b29cdb3417ad6cb9394ebff409730f9e62cda8bb2b1715758dcf0498f9fe
Instruction ID: 9c935901dae10b25ba5ee0e3e46026c0c99fe2dd8adc9557aa2a9e3174fe72d8
Opcode Fuzzy Hash: fce7b29cdb3417ad6cb9394ebff409730f9e62cda8bb2b1715758dcf0498f9fe
Instruction Fuzzy Hash: 00F06D3086D64E9EEB59AF6498082BE73A4FF69745F50083FE80ED11D0EF38A164C644

Function 00007FF848F40FD5 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07141347a58c8fc3850b3e083ce3d8ba0ce65ea59f69dd679d34554685b59aa
Instruction ID: 40c81cdaab543237916c63ec232e87796205a4f07d3f302100e50e2fa7abd8f1
Opcode Fuzzy Hash: a07141347a58c8fc3850b3e083ce3d8ba0ce65ea59f69dd679d34554685b59aa
Instruction Fuzzy Hash: BBF0AC30A094098FEB50EB48C844AEE77B1EBA4751F1042A5D409E7295DF39AE458F98

Function 00007FF848F4B390 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a221231f4e177d7da8c137dc8b85ed151b252565e74175094a769f6e82d0b45
Instruction ID: d65fbf4a6e32d8545b6bb9d1abe7e9e483724a9e2bfb8449514ebca6feaca4e9
Opcode Fuzzy Hash: 1a221231f4e177d7da8c137dc8b85ed151b252565e74175094a769f6e82d0b45
Instruction Fuzzy Hash: C6B0021941F1D164D142327534911E51F615F0756CF1CC3F6D0DC0E1D35D4D504D415C

Non-executed Functions

Function 00007FF848F4B1FD Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253ed4b34e69d1b087b7fde9d7bb202d471f1251e586200f66b6a260e1bc1804
Instruction ID: 1a15c80a9e8f70891bea60f81c1e8c5aca0c98432676bfded20fbfbbbdd9b84d
Opcode Fuzzy Hash: 253ed4b34e69d1b087b7fde9d7bb202d471f1251e586200f66b6a260e1bc1804
Instruction Fuzzy Hash: 2FD1AB30D0D64A8FEB95EB2488586BA7BE1FF29351F0405BBD409D71D2EB38A984CB45

Function 00007FF848F49F84 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085992277.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff848f40000_RlZ57mJ5Ug.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb042342b59b6e10d26266f5b588881bd6cdcda2e9c4ccf79bf5ec1b5503b62
Instruction ID: 0c2406af80f005c187c76b101910d7c23e39a485ee94726bbd2aba4e8fc15057
Opcode Fuzzy Hash: 0eb042342b59b6e10d26266f5b588881bd6cdcda2e9c4ccf79bf5ec1b5503b62
Instruction Fuzzy Hash: 8F01EF8280EBC15FC3131B3448611417F70AE1324471E48DBC4C28F4A7E209596AD3A6

Analysis Process: fontdrvhost.exePID: 3332, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F33655 Relevance: 1.5, Strings: 1, Instructions: 275COMMON

Download Yara Rule

Strings

L_H, xrefs: 00007FF848F3386E

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID: L_H
API String ID: 0-402390507
Opcode ID: e4edef2576d23cf67bbe320eec5f9b0594883c8dd73f359bc01731be1d3db227
Instruction ID: cd934da9aca578edf7f406e90330e1968f6361cde159990cb2a3ebccc59fca4d
Opcode Fuzzy Hash: e4edef2576d23cf67bbe320eec5f9b0594883c8dd73f359bc01731be1d3db227
Instruction Fuzzy Hash: E891CE71D1D98A9FEB84EB2CD8557A9BBE1FF99350F50017AC009D32C6DF6828018B55

Function 00007FF848F3F661 Relevance: 3.8, Strings: 3, Instructions: 59COMMON

Download Yara Rule

Strings

N, xrefs: 00007FF848F3F6D3
}, xrefs: 00007FF848F3F698
k, xrefs: 00007FF848F3FD44

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F3F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f3f000_fontdrvhost.jbxd

Similarity

API ID:
String ID: N$k$}
API String ID: 0-2507137466
Opcode ID: a8f840184d4e8122aa1e0545587ce0d8b5fdb6163fe5ac1c1fe4153f33581054
Instruction ID: 2fd5d4e54643228b33fce1fbb13d1910c5a73769ff3422d26059f2c963168950
Opcode Fuzzy Hash: a8f840184d4e8122aa1e0545587ce0d8b5fdb6163fe5ac1c1fe4153f33581054
Instruction Fuzzy Hash: F6219270D096298FDBA9EF14C8947E9B6B1FB58741F1001EAD44DA6291DB386BD0CF84

Function 00007FF848F3122D Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F3129D

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: 15b4c512bbcb11e38c9b6162d377fe35cb7d375ba1acf1beefffd01511fbdc9e
Instruction ID: 95acea6e0aa38ee3c19c3e96c837bff7fb49555f5b1cfb127d6648a4d8617240
Opcode Fuzzy Hash: 15b4c512bbcb11e38c9b6162d377fe35cb7d375ba1acf1beefffd01511fbdc9e
Instruction Fuzzy Hash: 04118F70D0D64E8FEB59EB68C4592B97BE0FF6A351F0005BBE40AD61D2EF29A584C710

Function 00007FF848F31240 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F3129D

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: 758558c1c84958d61b4e839df4065cf0af6ace08545ead50f0cec29cf5c0fb64
Instruction ID: d3cf586ee7232f5038e35c41edee613674ca39a7859611cdfad747b651495214
Opcode Fuzzy Hash: 758558c1c84958d61b4e839df4065cf0af6ace08545ead50f0cec29cf5c0fb64
Instruction Fuzzy Hash: 6AF0FF30D0D64F8EEB98AB6898083FA77E0FF56251F00027BE809D20D0EF2451908210

Function 00007FF848F3F213 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

k, xrefs: 00007FF848F3FD44

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F3F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f3f000_fontdrvhost.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: e48e1de832f94123ab1d07d137a1c69af2279bfec2f2b5738e421f2359c3318f
Instruction ID: c6d2eedaf78521072bfe8d7648e6ea9d82007bb8954b30ebc1d187fa427e813a
Opcode Fuzzy Hash: e48e1de832f94123ab1d07d137a1c69af2279bfec2f2b5738e421f2359c3318f
Instruction Fuzzy Hash: BA01AF70D096698FEBA5EF18C8847E9B7B1FB54741F1041EAE409E6281DB38ABC0CF44

Function 00007FF848F41961 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

/, xrefs: 00007FF848F4189D

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 52ef528746de86b69ec7a8e2739b374514eff00787403a0c67ee8f2fbda456d3
Instruction ID: 83d84131b2730fd20524812497db1cb0c335243f9f4290d5aac6fc3cee582792
Opcode Fuzzy Hash: 52ef528746de86b69ec7a8e2739b374514eff00787403a0c67ee8f2fbda456d3
Instruction Fuzzy Hash: 32F05E3090821ACFEB24EF40C4947FD77B1EB20751F20023AC019AB2D0DBB86584DF48

Function 00007FF848F4388D Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8110a6eb0a661c801473549d232958307bcb89705b8e2e1c6e923c61ed192b3
Instruction ID: cff6866de54e5b61110fe67e27321f4339e101eaa8e5355f3f6b3c586edc754d
Opcode Fuzzy Hash: a8110a6eb0a661c801473549d232958307bcb89705b8e2e1c6e923c61ed192b3
Instruction Fuzzy Hash: 2F11633190E6899EE742AB7888596A97FF0FF56741F0504F7D448DB0E3EB28A5488712

Function 00007FF848F43E2F Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090c56f37329ca17da2e4ad58438f3aa2b0671a910913fb4486e4577c1dcaf41
Instruction ID: 1e0e2ed296b8d37d042766dbc33a23715604fe19e7f198c30763797c82fc3d5c
Opcode Fuzzy Hash: 090c56f37329ca17da2e4ad58438f3aa2b0671a910913fb4486e4577c1dcaf41
Instruction Fuzzy Hash: 04813B33A1E5569EE341BB7CB8065EA37A0EF513B9F044577D188CE093DF1C604A86A9

Function 00007FF848F31748 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2d98fef70d92e53c307aa7bc65e3c16f336bc36bbf821d54044782c64795d9
Instruction ID: 37d85b791af2bdb57f7d54992a7fcac0dc546d212739cc68ae0866dd118f42e2
Opcode Fuzzy Hash: da2d98fef70d92e53c307aa7bc65e3c16f336bc36bbf821d54044782c64795d9
Instruction Fuzzy Hash: 0E81AC31A0CA498FDB58EF2C98556A977E2FF99744F14417AE44DC32C6CF34AC428785

Function 00007FF848F43ED3 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e394476c54de39f5f44a63f0de95bba853314e3105d3edf14e13433934d846
Instruction ID: 0315ca6adc4ad201ceeff9750fb4125a9355f8505dd57382562f9f6912166857
Opcode Fuzzy Hash: 85e394476c54de39f5f44a63f0de95bba853314e3105d3edf14e13433934d846
Instruction Fuzzy Hash: 6E513833A1E5565EE301BB6CBC461EE7BA0EF913B9F0405B7D248C9083DF1C604A87A5

Function 00007FF848F31D3D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c7c9dd09e873251d25150c02a8f6945ed4a54fac31f60d4a14467916e11eae
Instruction ID: 9faf96065ce6683a5b1430ef2b53fd7e86051201d11a67afb4262ad6540a9093
Opcode Fuzzy Hash: 77c7c9dd09e873251d25150c02a8f6945ed4a54fac31f60d4a14467916e11eae
Instruction Fuzzy Hash: 9E51E131A0CA894FDB48EF1888555BA77E2FF99344F14427EE44AC7282CF34E842C785

Function 00007FF848F3B3D0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347120c5a8f12ca9e7c0bdda5f6d58bdf0a7f7f268214dc1db62635b4018b4e9
Instruction ID: fcd4695199db41a5f70a8eba1f8aabdb6e5f0ffa206e1290cf62b4eddd57dd23
Opcode Fuzzy Hash: 347120c5a8f12ca9e7c0bdda5f6d58bdf0a7f7f268214dc1db62635b4018b4e9
Instruction Fuzzy Hash: F051D672D2D9869FE341BB7894690F97BE0FF12364F0841B7C088870D3EF2954568359

Function 00007FF848F33235 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d564d714a7b5afe6c01b8f46ac25a9786fe50bc8a4bb2e8154a6601537c5c5
Instruction ID: fd60b8df66a464e840bcc1f5d75900f8c7af40df93375e4dfb925496a1a99fb4
Opcode Fuzzy Hash: d8d564d714a7b5afe6c01b8f46ac25a9786fe50bc8a4bb2e8154a6601537c5c5
Instruction Fuzzy Hash: 74510270D0864A8FEB54EBA8D4986EDBBB1EF58351F10407AD00AE72D2DB38A944CB54

Function 00007FF848F32155 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c954d5ed7e4d1dae5328c26e8cb67c98e9dc6b9e8e3eb1b30600a5f20fe9831
Instruction ID: 6792c5f00b74fa069d09504e0d12308e6f93e0e9d34ea697d32b3c2e7725d00e
Opcode Fuzzy Hash: 4c954d5ed7e4d1dae5328c26e8cb67c98e9dc6b9e8e3eb1b30600a5f20fe9831
Instruction Fuzzy Hash: 24412531E0D68A4FE746FB7898551B8BBE1EF46381F0440B7D40DC71E2DF28A8418365

Function 00007FF848F42EA6 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3523396180fcd3d76519c14437fbe3fcd1f68025ac645f479a0c56976984834
Instruction ID: 5a6bfc4877878a6e678bf567d0a7fafbe95b89430718562c11da15d8b985f2be
Opcode Fuzzy Hash: c3523396180fcd3d76519c14437fbe3fcd1f68025ac645f479a0c56976984834
Instruction Fuzzy Hash: 6D41A770D0891D8EEBA4FB68C855BACB6B1FB59341F5041BAC40DE3292DF38A9858F54

Function 00007FF848F43FD3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7615267c267e3812a68f2b2647bd504c804d6343736b93291e988aa63ac92f5
Instruction ID: 805923482366c8ed63e08f9e08860ed76a9ac9258f72b248fadc6d69588f6b65
Opcode Fuzzy Hash: a7615267c267e3812a68f2b2647bd504c804d6343736b93291e988aa63ac92f5
Instruction Fuzzy Hash: 29210A33A0E6868FE311B76CA8191FA7FA0FFA27A5F0404B7C548D6093DB285459C795

Function 00007FF848F3B73F Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8030a00e921777733622eb246278f0ba2767d6cdcd9378c5605d2abd7e2ee09
Instruction ID: 4d4bf677f621c2684d272961b901676df84f8fd7384589b2cd2fe38f375237d9
Opcode Fuzzy Hash: c8030a00e921777733622eb246278f0ba2767d6cdcd9378c5605d2abd7e2ee09
Instruction Fuzzy Hash: 6B313871D1865A8FDB58EFA8D8646ECB7F0FF58351F1002BBD009A32D1DB7819448B18

Function 00007FF848F423ED Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91bbe5522697c3ce0e3ad425ff4fdeb7a97fd51e22dc5a8c27584152fc81c55e
Instruction ID: 158efe7490a69b24cef1971c0e7b61cbb9c71a9d4d361e3ce7454f8de5f4e929
Opcode Fuzzy Hash: 91bbe5522697c3ce0e3ad425ff4fdeb7a97fd51e22dc5a8c27584152fc81c55e
Instruction Fuzzy Hash: 36316C30D0C61E8FEB51EBA4C4583ED7AF1EF28751F14007AD009E72D2EB78A9848B58

Function 00007FF848F33440 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a641888487fbe3c0421871d8e558f6b7ad22dfc7db7858a5f7953b4e11c078d
Instruction ID: 93045754a99c3c3fb5cf9e68ebe2f081d8bcbd7dce3594fdfe5eecf76be892e1
Opcode Fuzzy Hash: 9a641888487fbe3c0421871d8e558f6b7ad22dfc7db7858a5f7953b4e11c078d
Instruction Fuzzy Hash: FD216D3084D78A9FD743EB7488586A97FF4EF0A350F0904FBD489C70A2DB68A499C721

Function 00007FF848F47221 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9043d65dd8d48bdde875d68ea02fc3961b1972a39658921f42eab93c85aabdc5
Instruction ID: 764bfc61a61ea5bc30980a1199327946388311cad7a74e6d4b526c604f3cc71d
Opcode Fuzzy Hash: 9043d65dd8d48bdde875d68ea02fc3961b1972a39658921f42eab93c85aabdc5
Instruction Fuzzy Hash: B0218C3090CA4E9FEB99EF2884592B97BE0FF69341F0405BBE409D21D2DB35A540CB90

Function 00007FF848F30A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333ea60c911fe9d5f6a36a7473abd1384e414e0325539df6e589b153a3e2b96b
Instruction ID: a707c1e6f1dcbe7ad6c1207786776fe6b2ebff07103450011fe30545f938e042
Opcode Fuzzy Hash: 333ea60c911fe9d5f6a36a7473abd1384e414e0325539df6e589b153a3e2b96b
Instruction Fuzzy Hash: 66116A31D0954E9FEB80FB68D8492BDBBE0FF98391F4405B7D809C6192EF38A5448740

Function 00007FF848F44C85 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3107f30b68fc8d0359b38323f66db9dd793fbd39497fbf54194f212fbde09f42
Instruction ID: 908760bbc0dcbc867eb723543b7e7e33536b0cc08da2cdb5548ed06e5d18f61e
Opcode Fuzzy Hash: 3107f30b68fc8d0359b38323f66db9dd793fbd39497fbf54194f212fbde09f42
Instruction Fuzzy Hash: C8119A3090DA4A9FEB89EF28C4592BD7BA0FF68345F1401BBD409E61D2DB39A480C741

Function 00007FF848F42951 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f0fcb28b9ba9d88664f2493523761df00efe43de3c85783daf7be0b8f8d5a6
Instruction ID: c27e5cf3f42144b57b09e17601b745378c99f4432253365501b040cdc3719af2
Opcode Fuzzy Hash: 47f0fcb28b9ba9d88664f2493523761df00efe43de3c85783daf7be0b8f8d5a6
Instruction Fuzzy Hash: C011797090868D8FDB48EF18C8A52E97BE1FF68755F1101BFE80AD3281DB34A440CB85

Function 00007FF848F47365 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf41818bbbc7483141accf108927d7e010a4385db49e8dec07922fb4f5f0d85
Instruction ID: 6b40e2a76b25ee33e84f6e5f64afcd125b92ee1b35193dd31f33ea9641281cf4
Opcode Fuzzy Hash: ebf41818bbbc7483141accf108927d7e010a4385db49e8dec07922fb4f5f0d85
Instruction Fuzzy Hash: 7A11E231C0DE8E8FEB59EB24849A2B87BA0FF25700F0480BBD809D60D2DB296444C745

Function 00007FF848F472C5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33386250d25e86661bfc3e86c7c925afeadbc7466480de5fbd40ec847a2865ae
Instruction ID: ccadb9d515633733746cb21a55c8c3cda1a2aa4acd45fdb775afed1bff1d55a1
Opcode Fuzzy Hash: 33386250d25e86661bfc3e86c7c925afeadbc7466480de5fbd40ec847a2865ae
Instruction Fuzzy Hash: D211BE3080CA4E9FEB99EF28845A2BD7BE0FF68341F0045BBD409D21D6DB38A480C740

Function 00007FF848F45125 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe62074360db53d8911779a2c554b1a1f20090e7908302b1542ee71bcbb6efb7
Instruction ID: a7dfff3fe4312179005425c8dc6d567fa4e187bf8b7fdd2fe5c051fcc620b762
Opcode Fuzzy Hash: fe62074360db53d8911779a2c554b1a1f20090e7908302b1542ee71bcbb6efb7
Instruction Fuzzy Hash: A311C131D0DA898FEB59FB2488AA2B87BA0FFA9744F0400BFD00ED65D2DB396444C745

Function 00007FF848F44BE9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903b26d84d58e230ce90422e9a698992eeb555218f3137a0ae39fa3de93cb5af
Instruction ID: 42a25dc718ffd3de64e3ad2ae397e37cf11139ad9be7e423cfec9a0c871a8eb3
Opcode Fuzzy Hash: 903b26d84d58e230ce90422e9a698992eeb555218f3137a0ae39fa3de93cb5af
Instruction Fuzzy Hash: 5121903090E68E9FEB89EF2884592B97BA0FF69345F0805BBD409E71D2DB386484C741

Function 00007FF848F45499 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2e82bec9e232145fe59d62b7f3fa150b6725ebd20b266387c41f989eb63aab
Instruction ID: 463ce92057acaff4a82f5b19a298ee50f38e13c63867ded2f8b6d45393a1d736
Opcode Fuzzy Hash: be2e82bec9e232145fe59d62b7f3fa150b6725ebd20b266387c41f989eb63aab
Instruction Fuzzy Hash: 10116D3190DA8A9FEB95FB2488692B9BBF0FF29351F0404BBD40AD71E2DB386454C711

Function 00007FF848F335D1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509f0fc14436ebcbe064a7dc1cd1ee61c61307d33e0bb7af10b6e52e47a86897
Instruction ID: afc29e4dc28c8287f66a9912f14859ea8a36af4e41ef4ded28aff44747e4c4d8
Opcode Fuzzy Hash: 509f0fc14436ebcbe064a7dc1cd1ee61c61307d33e0bb7af10b6e52e47a86897
Instruction Fuzzy Hash: 77113970D1D64E8FEB98EF6894596BABBA0FF18341F4405BBD419C72D1EB35A5408B04

Function 00007FF848F42D61 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8934ba3eb55aab784bf04c55bc48a6836e89c28ddfaecd90eddef91785f8420
Instruction ID: b360dd4add52a42edf826d3e9cbf960b4c640e0c03f66dc593868e7645a7eccd
Opcode Fuzzy Hash: c8934ba3eb55aab784bf04c55bc48a6836e89c28ddfaecd90eddef91785f8420
Instruction Fuzzy Hash: 5A11AD3080C55A9EEB92FBA8844C6F9BBF0FF69340F0404B7D408D6096EB74A1808744

Function 00007FF848F473FD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a7c7fd766a553783206ae19dd379d787b2d15c52ab8aa4f78644ab53f8ccf4
Instruction ID: c23e5e302c460e591d9933f9efd92b2a22e700b7ed2999ca0b4b6c8e4cb54c1b
Opcode Fuzzy Hash: f4a7c7fd766a553783206ae19dd379d787b2d15c52ab8aa4f78644ab53f8ccf4
Instruction Fuzzy Hash: EF11BF3090DA4E9FEB59EF6484592BA7BA0FF68341F0401BBD409D61E2DB38A4548781

Function 00007FF848F4524D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1f65ed380f03f5530074be92c372f6921808b34c799ac6b23b7a58ce0977b3
Instruction ID: 558f1366824eb4edd02da9e0b69681a5103bc40dacb690a561757ec2f93baafa
Opcode Fuzzy Hash: 6e1f65ed380f03f5530074be92c372f6921808b34c799ac6b23b7a58ce0977b3
Instruction Fuzzy Hash: 71116D7090954A8FEB99FF6484596BD7BA0FF29340F0405BBD409E6192DB3866408751

Function 00007FF848F41311 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886ccd425dfb54c2b9b896d8931711ce26eb36ecbbaafc9b3eea6228a8d684fc
Instruction ID: db9ca8588decb36ab2005cea9ce90a046a0eb79a89dc3413b51e3fb9bc133790
Opcode Fuzzy Hash: 886ccd425dfb54c2b9b896d8931711ce26eb36ecbbaafc9b3eea6228a8d684fc
Instruction Fuzzy Hash: 85118B3090CA5E8FEB85EB2484682BDBBE0FF28341F4404BFD419D6592EB34A580C700

Function 00007FF848F47941 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab06550d2ac3f32cf90e01c079f8029bd7005008f4c73a389561d466ce1b831d
Instruction ID: 1a76af5728cd081ce72a2ca466359393d278bba5be67a930ff7c21d57440cb1a
Opcode Fuzzy Hash: ab06550d2ac3f32cf90e01c079f8029bd7005008f4c73a389561d466ce1b831d
Instruction Fuzzy Hash: 17112A3190D94E9FE751FB6888486AABBF4FF29351F0404B7D409D6091EB34A5848755

Function 00007FF848F46539 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b524278379cfd50256f63a1e1c71f8ca119848be7be9b790ebf338a2eb4d5743
Instruction ID: 0a4ed945fba8439e205d13a215860123e802ca7bfdeeaa2d05957e3c81a5f4b5
Opcode Fuzzy Hash: b524278379cfd50256f63a1e1c71f8ca119848be7be9b790ebf338a2eb4d5743
Instruction Fuzzy Hash: CF118C3090D68A9FE781FB6888596A9BBF0FF29340F0405B7D408D60A6EB38A584CB55

Function 00007FF848F4540D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f1172f57a2a48d86398a0e586eac84b420135ff0752bc8b556a6fea19269cc4
Instruction ID: daea00206948ba6e39eef3377044877d9430edc3d74efbec6128a400c9bd6088
Opcode Fuzzy Hash: 5f1172f57a2a48d86398a0e586eac84b420135ff0752bc8b556a6fea19269cc4
Instruction Fuzzy Hash: 9811913090D58E9FEB89FB24C4696B97BE0FF28341F4404BBD419DA1E2DB38A554C751

Function 00007FF848F3B7AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d67872291e47d2410ae3a341960590d71cbe657cda77c7d9678eb75871f8a4e
Instruction ID: 2cfb72cc689c8c3c80e9187d1ff0c23275774d1358be49bd0e8dff7226f99fc4
Opcode Fuzzy Hash: 6d67872291e47d2410ae3a341960590d71cbe657cda77c7d9678eb75871f8a4e
Instruction Fuzzy Hash: D3112B71D1D65A8EDB59EB68D4657EDBBF0FF18340F1401BBD00DA22C2DB3859848B18

Function 00007FF848F3FF3E Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F3F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f3f000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee0feb59b36b6aab897083c3a7330397bfcdfbb7b58d37e93bdb1f185d9baed5
Instruction ID: 74d46591865a79c28eb870cade7d4b3afcce9ad61a8c8edee9287b43ccaa813d
Opcode Fuzzy Hash: ee0feb59b36b6aab897083c3a7330397bfcdfbb7b58d37e93bdb1f185d9baed5
Instruction Fuzzy Hash: EC11F670D19A698FDB98EF288C597AAB7F1FB14642F4002FAC40DE3281DF3559858F00

Function 00007FF848F4266A Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6227b040873745a01c1010e5e2f76cd2409f04cbdb2b444b410b90ed9d8023
Instruction ID: 4c77be732e91e8b8bec55d0d92266723ffe5ade8d2030e418d8ff4ccac8d0e4f
Opcode Fuzzy Hash: bc6227b040873745a01c1010e5e2f76cd2409f04cbdb2b444b410b90ed9d8023
Instruction Fuzzy Hash: 58010930A1C54D8FEB58FB94D455AFC77A2FF68791F14053AD009E72C5EE78A8818B44

Function 00007FF848F305D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f187b923c6c012351828e5523e4349757f5f29b7376105a9fbd46053ac829f
Instruction ID: a83444d68cb4f1fc7725fe99f7b56ef282bcc27e9346944f718df7496fc4a692
Opcode Fuzzy Hash: c7f187b923c6c012351828e5523e4349757f5f29b7376105a9fbd46053ac829f
Instruction Fuzzy Hash: 5F014C3090854E8FEB88EF24C4596BAB7A1FF59385F60447AE40EC21D1CF35A591CB44

Function 00007FF848F32F41 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb927fa9aec80f53ac2f1a58251ca411d3c3a84755fd9f5af3274871f7c2e8e
Instruction ID: 3dfb05423f83976e47468f4c0601f378af386534e073da782156fe35ddd0cc45
Opcode Fuzzy Hash: 3bb927fa9aec80f53ac2f1a58251ca411d3c3a84755fd9f5af3274871f7c2e8e
Instruction Fuzzy Hash: 9D018F31A1D68A8FE751FB74845D1A9BBE0FF59342F0545B7D808C60D6EB34E1508705

Function 00007FF848F47E49 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c66d21fe76ad97859a30780ff8f216a627acb99203bb3ffbada0cc633462fc9
Instruction ID: 284fd5739e6898b852bc0b1ded2c26ccefcb59932b0740f69a7a9adf4214569c
Opcode Fuzzy Hash: 6c66d21fe76ad97859a30780ff8f216a627acb99203bb3ffbada0cc633462fc9
Instruction Fuzzy Hash: 81118B7090D68D8FDB59EB28C8582BD7BA0FF29341F4105BBD419D61D2DB39A914C710

Function 00007FF848F427E1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1697b1046f9920095b81dc5f3c43f9a87717994456bfa13d4d4634c448f69082
Instruction ID: bd83eb6e3a4804560923877efe4bc7d2471128b6cda393bd1bfc84ba3e2e9f91
Opcode Fuzzy Hash: 1697b1046f9920095b81dc5f3c43f9a87717994456bfa13d4d4634c448f69082
Instruction Fuzzy Hash: A2019A3081D6498FDB99EBA4C4596BDBBA0FF29340F2504BFD40AD70D2EB39A580C740

Function 00007FF848F3291D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5835620902997a1c6a62864b777e4507e8a9d64f441435c84d01f0120fae14
Instruction ID: 02ea37cc9646bfd794d84f5037d30525d55b94204e792f02c9f78b36858e4ba4
Opcode Fuzzy Hash: 6e5835620902997a1c6a62864b777e4507e8a9d64f441435c84d01f0120fae14
Instruction Fuzzy Hash: D6017831D1E64E9FE792FB6888486B97BE0FF59342F5505B7D408C60A2EB38E584C704

Function 00007FF848F47AC9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6bcfc0698cb29dc590c3e3d85597b2731d684ec196f98ebd61db55df4b4c1ba
Instruction ID: b5635c1be8248e28c78af196c66419d1ce5b61775abe265c0b7eecb4a9da52dd
Opcode Fuzzy Hash: a6bcfc0698cb29dc590c3e3d85597b2731d684ec196f98ebd61db55df4b4c1ba
Instruction Fuzzy Hash: BD01713094EA8D9FE752FB34845D5B97BE0FF69750F4508B3D408C70A6EB28A9488701

Function 00007FF848F31CBD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e741808aad12c10b0cd641ce8e653dd7e92c82249dc258951a7fc5e2e22248d
Instruction ID: 73281a8a8fb43e5fe32362b43a71f0f2cf643ba5a8eeae726a8cc998b6a79393
Opcode Fuzzy Hash: 1e741808aad12c10b0cd641ce8e653dd7e92c82249dc258951a7fc5e2e22248d
Instruction Fuzzy Hash: 07018C3080D68E8FEB99EF2488592FA7BA1EF55341F5404BAE809C21D2DB399891C784

Function 00007FF848F32FB9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742660c094359b6b52eb0dfba6d58eb4b0554791598eaf0fce9045202fcaa291
Instruction ID: 58a82b63061221977a1ea28361d774a3324b0cd267900b1fd4923dbefb94a874
Opcode Fuzzy Hash: 742660c094359b6b52eb0dfba6d58eb4b0554791598eaf0fce9045202fcaa291
Instruction Fuzzy Hash: 25018F3090D6895FE752FB7888995A97FE0EF59341F0508F3D409C70E6EF38A4448711

Function 00007FF848F444BC Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdc458f6a3c201db7d5b10f42a6bc9709223c8d97e742d187d67dfbe608f619
Instruction ID: 0d915cb29df132977c38de0c26d2eb37993e64bfee89a7492b1cef3080506231
Opcode Fuzzy Hash: ffdc458f6a3c201db7d5b10f42a6bc9709223c8d97e742d187d67dfbe608f619
Instruction Fuzzy Hash: FA112770D0A529CFEB54EF98C9446EDB7F1AFA4742F20417AD008F22C1DB386A85DB84

Function 00007FF848F30608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00737e83161bfbacb4d4fe31cfa45fc30c9b3140fcc3a68a84923cc26eac8444
Instruction ID: bc4a71d049376d2fc9ef119b4915db7fd6e423801752e306452555c9429279d5
Opcode Fuzzy Hash: 00737e83161bfbacb4d4fe31cfa45fc30c9b3140fcc3a68a84923cc26eac8444
Instruction Fuzzy Hash: E9016930859A0E9EEB49FFA480582BD77A0FF18346F20087FE40EC21D1DF35A150C604

Function 00007FF848F30610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9cd449ec85744b7b86454a84c99748a76ee5eca2a918cbb784d5b0237d1f1dd
Instruction ID: 5a852ba3245552c4f25c1100f3a5b40a787e730730d05bbee9ab261e34531e06
Opcode Fuzzy Hash: a9cd449ec85744b7b86454a84c99748a76ee5eca2a918cbb784d5b0237d1f1dd
Instruction Fuzzy Hash: 6601193091960E9EEB59FBA484596B9B7A0FF18346F6048BFE40EC21D1DF39A590C714

Function 00007FF848F3B04A Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0b4b579b2da2e87ea594d9a14ac7cfcc666e06c9cd3e3315566d1172c0b5e9
Instruction ID: 2549aec7723b1b361d492ed3324f715b0d82078b1073ac0467aeeaaba5725352
Opcode Fuzzy Hash: 1c0b4b579b2da2e87ea594d9a14ac7cfcc666e06c9cd3e3315566d1172c0b5e9
Instruction Fuzzy Hash: D6F0497092C60E9EE751FB7894996B9BAE0EF18341F0448B3E419D20A2EF74A1888604

Function 00007FF848F305D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49485cf8e6466e1e70d8af557b3c75573d2ff488c74ea4297cc99f51f438f90
Instruction ID: 0b156ff4aa42bf9dd4727050f6b0f88b544bca9ef6fd87782ec38d9d3a924edd
Opcode Fuzzy Hash: e49485cf8e6466e1e70d8af557b3c75573d2ff488c74ea4297cc99f51f438f90
Instruction Fuzzy Hash: 70F0493091D68E8FEB84EF2894552FA77A4EF15388F50047AF80DC21C1DB39A5A0CB88

Function 00007FF848F32839 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59075e258718c8c708dd5bf8d9a8a6a210903c0baf9fcd3dbda61866a896de63
Instruction ID: 0055939585a23163f8264601680158242f760af037537eaba84ac7147d6134fe
Opcode Fuzzy Hash: 59075e258718c8c708dd5bf8d9a8a6a210903c0baf9fcd3dbda61866a896de63
Instruction Fuzzy Hash: E9F0C23080E7C98FDB5AAF2488182B93FA0EF16302F0504BBD448C60E2DB389414C301

Function 00007FF848F328AD Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8634d87322b50cd5a73f71bfcc1128ada372b498cf55b817e3d9f2d9c6cf7c
Instruction ID: e5796d68f31c6b7b5431bd1a847ae98f997beea3bff003150812f361c0a75889
Opcode Fuzzy Hash: 9d8634d87322b50cd5a73f71bfcc1128ada372b498cf55b817e3d9f2d9c6cf7c
Instruction Fuzzy Hash: BBF09A3180E78E8FEB59AF6488592B93BA0FF15302F5014BBE809C21D2EB38A450C700

Function 00007FF848F41330 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcda391ca3d4d80c2f150a442cdedcdb0114544063be5515dbc35dc5e0a08e9d
Instruction ID: 354ab633ba3d56e75c4312692a7de5d016d8ec435d4c7d3d5acb18a77a6aae64
Opcode Fuzzy Hash: bcda391ca3d4d80c2f150a442cdedcdb0114544063be5515dbc35dc5e0a08e9d
Instruction Fuzzy Hash: 77F0F870918A5E8EEF84EF6898182FE76A4FF28745F40053BE82DE2591EB34A5948744

Function 00007FF848F3B0A5 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286452f886519615ceb00a560c436088299d3214fb8bd5b59673cdd765678ca8
Instruction ID: cd894d3fc387cbf8f37050dd3f812fe18ed819b177ec441b53ae9c0f339ae1c4
Opcode Fuzzy Hash: 286452f886519615ceb00a560c436088299d3214fb8bd5b59673cdd765678ca8
Instruction Fuzzy Hash: D4F0827191E3868FD312AB64A9B11F93B709F42295F1A45F7C049CA0F3EB2C58488755

Function 00007FF848F3BE37 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b171478172d5c9417d95b6d1115dfca040cdc45817442e8721eed231c7d96b3c
Instruction ID: a5383bc4f6c2f79447590552555f59f0c301886a0290a066e3de09991d9ae69b
Opcode Fuzzy Hash: b171478172d5c9417d95b6d1115dfca040cdc45817442e8721eed231c7d96b3c
Instruction Fuzzy Hash: D1F07470D1855E8EEBA4FB68D8557ACB6B1FF48341F5041FA940DE22A2DF742AC08B58

Function 00007FF848F3B0B8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbee8253b108c79919c92262f500dcc6529648cfcae3d6fbdc2e3fd38963637
Instruction ID: 412c0b444e0f3636b81e48b743ebc3e623f2c9c1b1d666972fe8de542fa704a0
Opcode Fuzzy Hash: 8cbee8253b108c79919c92262f500dcc6529648cfcae3d6fbdc2e3fd38963637
Instruction Fuzzy Hash: 76E0DF3292E2079EE310FB68B4F11FE33A0DF40298F144A37C04C890E3EF6CA0880188

Function 00007FF848F30FC9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f30000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4261b5ef995d734aea458018fbbc86f37dc9291ba6658f908e03c4cd16ae0d1b
Instruction ID: b76f3232234674a0ee7a3ac6b27d28aa0ac3c990b2cd34b7ce86064510d3a9f7
Opcode Fuzzy Hash: 4261b5ef995d734aea458018fbbc86f37dc9291ba6658f908e03c4cd16ae0d1b
Instruction Fuzzy Hash: D7E0EC30D1A5198FEB90FB14CC40BAEAAB1EF54344F5041B6D40DA32C1DF386E854B58

Function 00007FF848F4589B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F41000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F41000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f41000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da88bf3519cc71ce3ef226c577d61fd1d0bee7b5573000d3147ab9b56d6f917
Instruction ID: c2f84562fc143a1e1efd778e23a3a71726d83b869be3b43954b853cd3cc0b989
Opcode Fuzzy Hash: 4da88bf3519cc71ce3ef226c577d61fd1d0bee7b5573000d3147ab9b56d6f917
Instruction Fuzzy Hash: B9D0C971D19A19CFEB94FB18948D3A8B7E0FB58644F40002BD408D7185DF3054018B05

Non-executed Functions

Function 00007FF848F3FC47 Relevance: 5.0, Strings: 4, Instructions: 30COMMON

Download Yara Rule

Strings

N, xrefs: 00007FF848F3F6D3
O, xrefs: 00007FF848F3FC68
{, xrefs: 00007FF848F3FC5B
k, xrefs: 00007FF848F3FD44

Memory Dump Source

Source File: 00000006.00000002.2166247703.00007FF848F3F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F3F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff848f3f000_fontdrvhost.jbxd

Similarity

API ID:
String ID: N$O$k${
API String ID: 0-2452294744
Opcode ID: 2df8ab21f2853fe227f6e491321592ac119f163a44ed557027807c16a7d03621
Instruction ID: a470c19eb0d821ebe3be3f8b4a107cbcd02e7e0abd492c86c59bf3b3d32b4519
Opcode Fuzzy Hash: 2df8ab21f2853fe227f6e491321592ac119f163a44ed557027807c16a7d03621
Instruction Fuzzy Hash: CC01F670D0826A8FEB24AF10C8447E9B7B2FB54341F0002FAD80D962C5DB786A80CE48

Analysis Process: fontdrvhost.exePID: 4712, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F43655 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

K_H, xrefs: 00007FF848F4386E

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID: K_H
API String ID: 0-313846638
Opcode ID: 3dd441cb2b743b11bdaa496aad7235f96266b95e62f2470d6bad21b66ab13b2f
Instruction ID: 1e60157591d751db248127ae1a98131ee51f6f3aaf3f6c49da9c7e8c03f31c1f
Opcode Fuzzy Hash: 3dd441cb2b743b11bdaa496aad7235f96266b95e62f2470d6bad21b66ab13b2f
Instruction Fuzzy Hash: 8F91AF71D1D94E8FEB84EB2CC854BADBBE1FF99750F50017AC009E72C6DB6818018B55

Function 00007FF848F4F661 Relevance: 3.8, Strings: 3, Instructions: 59COMMON

Download Yara Rule

Strings

}, xrefs: 00007FF848F4F698
N, xrefs: 00007FF848F4F6D3
k, xrefs: 00007FF848F4FD44

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f4f000_fontdrvhost.jbxd

Similarity

API ID:
String ID: N$k$}
API String ID: 0-2507137466
Opcode ID: a8f840184d4e8122aa1e0545587ce0d8b5fdb6163fe5ac1c1fe4153f33581054
Instruction ID: ea72642dc55be09d665735e0f5fa3b8800973ae9f46bb6f066aee6b7c9174124
Opcode Fuzzy Hash: a8f840184d4e8122aa1e0545587ce0d8b5fdb6163fe5ac1c1fe4153f33581054
Instruction Fuzzy Hash: 2D21B570D096298FEBA4EF14C8947E9B7B1FB64751F1001EAD44DA6281DB386BC0CF84

Function 00007FF848F4122D Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F4129D

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: 76ec6ca98487a20152373dfd0d730ee517107cca092f176103b03df8d14731b1
Instruction ID: f6d825ecc06bdc91a0fd95379c4cf0378dd2675d09cb00b96516c33c2943c096
Opcode Fuzzy Hash: 76ec6ca98487a20152373dfd0d730ee517107cca092f176103b03df8d14731b1
Instruction Fuzzy Hash: 8D11B270D0DA6E8FEB59EB68C4592B97BE0FF69751F0001BBD40AE61D2EF256580C710

Function 00007FF848F41240 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F4129D

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: 018d406f6782351bdb6ea2db352d05859676912bb2409cfde58dc52cf1785548
Instruction ID: 4a252e746d29a85c6f1b13c62e2613f5a9ab45c6c0c14b1d3e7bbcbd1593848c
Opcode Fuzzy Hash: 018d406f6782351bdb6ea2db352d05859676912bb2409cfde58dc52cf1785548
Instruction Fuzzy Hash: 6EF0F430D0DA6F8EEB98AB6898093FA77E0FF66651F00017BD80DD20C1EF341290C250

Function 00007FF848F4F213 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

k, xrefs: 00007FF848F4FD44

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f4f000_fontdrvhost.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: e48e1de832f94123ab1d07d137a1c69af2279bfec2f2b5738e421f2359c3318f
Instruction ID: c7c112146979720216b01f56a43a4285700139826e7433abe802917f748bc6b5
Opcode Fuzzy Hash: e48e1de832f94123ab1d07d137a1c69af2279bfec2f2b5738e421f2359c3318f
Instruction Fuzzy Hash: A6019270D096698FEB64EF58C9847E9B6B1EB64751F1041EAE40DE6281DB386BC0CF44

Function 00007FF848F51961 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

/, xrefs: 00007FF848F5189D

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 508e18294b27f1b942a0e516232ed8779d39b29b194ca1030a0c831dce4a7aab
Instruction ID: 1fa503b4d9a298b1b242584e580a67c1730abada78a8e6c0eb37627d47e6b120
Opcode Fuzzy Hash: 508e18294b27f1b942a0e516232ed8779d39b29b194ca1030a0c831dce4a7aab
Instruction Fuzzy Hash: C5F05E3090820ACFEB24EF40C4947FDB7B1EB11355F200239C0199B2D1DBB86584DF48

Function 00007FF848F5388B Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73925ace50cf7c845c614dd17dafc8779fcf448cab71c8f293b317da693896a
Instruction ID: d00681a6c17c8d3659c7e3634de69a386051ee66cf6823701721220928b76d8f
Opcode Fuzzy Hash: d73925ace50cf7c845c614dd17dafc8779fcf448cab71c8f293b317da693896a
Instruction Fuzzy Hash: D2112C3190E69A9EE742AB6888595A9BBF0FF16341F4804B6D448CB0A3DA28A5448752

Function 00007FF848F53E2F Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50bc4f659ea68296b64718cace09f58c0d0e84ff0cebeffe6af08b4d218653a1
Instruction ID: e42f15f380c1787adff46832e5f946348a753bad491cea98c244b7c4db9556e3
Opcode Fuzzy Hash: 50bc4f659ea68296b64718cace09f58c0d0e84ff0cebeffe6af08b4d218653a1
Instruction Fuzzy Hash: 27810933A1E5565EE741BB7CB8451E97BA0FF413B9F0447B7D188CE083DE1C604686A8

Function 00007FF848F41748 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb74f40158fdfeb4e5934ab981e2be3d78874ee303870bf399258231fff71a2
Instruction ID: ad46f348b80e19a886b011fee0b504a73cbc4069c2885c89c796cea61dff275a
Opcode Fuzzy Hash: 6cb74f40158fdfeb4e5934ab981e2be3d78874ee303870bf399258231fff71a2
Instruction Fuzzy Hash: B181CC31A0CA598FDB98EF1C98516A977E2FFA8B50F14017AD44DD32C6CF34AC428785

Function 00007FF848F42285 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f519c7e6ec4d597a16a88a9f3c273810d9bcf334ec0d5f4ab78122fa469b3c
Instruction ID: 2629d802ec002f16dfae2e749387f7e9f18806f533d869d551ebe957ed2fd6bf
Opcode Fuzzy Hash: 84f519c7e6ec4d597a16a88a9f3c273810d9bcf334ec0d5f4ab78122fa469b3c
Instruction Fuzzy Hash: E6816C30C0C6298EEBA4EB64C8557B9B7B0FF65740F1041BAC44EA62D2DF782A85CF54

Function 00007FF848F53ED3 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfb04c97eb2ee410541cad1ee4ff6655e3cfeb7a9f11daba4847d633c34ca72a
Instruction ID: b626c4fb296857437e3b22bfe440a549802bf13b2841f28049826dd05c299717
Opcode Fuzzy Hash: cfb04c97eb2ee410541cad1ee4ff6655e3cfeb7a9f11daba4847d633c34ca72a
Instruction Fuzzy Hash: 64511873A1E5565EE701BB6CBC451E9BBA0FF413B9F4406B7D548CA083DA1C604A83A4

Function 00007FF848F41D3D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d10585b41e6d7c3f83bd6126fd4a269ef72423f158b26369a390543e2ac2ef
Instruction ID: a0ee9821e37af45213c198d41fe08690ec174f4f4302e4ff9353929bb749b82c
Opcode Fuzzy Hash: 17d10585b41e6d7c3f83bd6126fd4a269ef72423f158b26369a390543e2ac2ef
Instruction Fuzzy Hash: 0151DF31A0CA994FDB48EF1888555BA77E2FFA8B54F14427ED44AD3282CF35E842C785

Function 00007FF848F4B3D0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8557eaf084bf026f6af83901258f54a83357b401c29015b671526f7552d468d
Instruction ID: d7b405df882de454a43e88aaf19a3d6e898ad1d32db647856ab9aed078f0d6f7
Opcode Fuzzy Hash: f8557eaf084bf026f6af83901258f54a83357b401c29015b671526f7552d468d
Instruction Fuzzy Hash: 61510631D1D9869FE741BBB858590F9BBE0FF21754F0801B7C0889B0E3EE2864568359

Function 00007FF848F43235 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8750e3fd1ef765439e4a1b9da06279222f24ac0c6836fae45716293ac2f80ce
Instruction ID: cc5fc75e5a6a5d20296080225923e7c5a61638a09e04af841d213d12e550a0a8
Opcode Fuzzy Hash: d8750e3fd1ef765439e4a1b9da06279222f24ac0c6836fae45716293ac2f80ce
Instruction Fuzzy Hash: 1C511370D0850E8EEB54EBA8C498AFDBBB1EF68740F10007AD40AE72D2DB786944CB54

Function 00007FF848F42155 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9dc602232a39eb18207ff1cad8044b0a1cb74034a4521c2c3886dc9d45e464
Instruction ID: 9ce296c6df1980644f13c17dbe2371ae22b6ac4685daf0ec5ef371be22dab51b
Opcode Fuzzy Hash: cb9dc602232a39eb18207ff1cad8044b0a1cb74034a4521c2c3886dc9d45e464
Instruction Fuzzy Hash: FA412731E0D64A4FE745E77894551B9BBE1EFA6B80F0440B7D40DD71E2DF28A8818369

Function 00007FF848F52EA6 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28519463a884fd09516b4bc66c67fdf07801e67f27a4971050ed95f0dbb1b69a
Instruction ID: 7084a212714ba05abdf9ab85c2e6fe4c32739f405f2f53f78580c475026fbd15
Opcode Fuzzy Hash: 28519463a884fd09516b4bc66c67fdf07801e67f27a4971050ed95f0dbb1b69a
Instruction Fuzzy Hash: BD41C870D0891D9FEBA4FB68C8547ACB7B1FB69340F5041AAC00DE3292DF386A858F54

Function 00007FF848F53FD3 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f1dd8fbfae951ea6eb2985fc92c004c54b62697d0471a141c7ec8903a60fc63
Instruction ID: 5e9d4bbd3f8daf35252ef97b1b98feecdf65fef438b0dd9499349774038b31ce
Opcode Fuzzy Hash: 5f1dd8fbfae951ea6eb2985fc92c004c54b62697d0471a141c7ec8903a60fc63
Instruction Fuzzy Hash: 0A213773A0E69A4FF711BB2CA8691E9BFA0FF423A5F0405B7C588CA0D3DB285449C355

Function 00007FF848F4B73F Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b148169c3c15bedcc1a221495785e7bbbbdc8c35f9acc8b37e24df907b0c80c5
Instruction ID: d785fe51015fb8f5c9e3a834262ce303a1c5136a9188697340576a1a1c4fbf0d
Opcode Fuzzy Hash: b148169c3c15bedcc1a221495785e7bbbbdc8c35f9acc8b37e24df907b0c80c5
Instruction Fuzzy Hash: 73313A71D1C6598FEB58EF98D8546ECBBF0FF68751F1002BAD009A32D2DB3819458B18

Function 00007FF848F523ED Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a807295add215fd49ab6126b6d7d29c1fd936fbbd88a195f7c19e6d6c137d3de
Instruction ID: d0eec47232fc8e7b63292276f73ca3248f7f7482f14a90c541b9d4c62c0c4164
Opcode Fuzzy Hash: a807295add215fd49ab6126b6d7d29c1fd936fbbd88a195f7c19e6d6c137d3de
Instruction Fuzzy Hash: CD314C70D0C60A8FEB54EBA4C4447EDBBF0EF18351F14067AD009E62D3EB78A9848B94

Function 00007FF848F4330A Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355930864f2ca16e91121fb9059e6398508aa179a3fd2510a6f32d22e2025468
Instruction ID: c03682994d4319fcbc8a8c1059ce059d02baaa4b7adac94fd40d858bff45eddc
Opcode Fuzzy Hash: 355930864f2ca16e91121fb9059e6398508aa179a3fd2510a6f32d22e2025468
Instruction Fuzzy Hash: 4A219F71D1851D8EEB58EBA8C494AFCBBB1EF68741F10007AD40AE7296DB786881CB54

Function 00007FF848F43440 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4632a505c0d000aa03c2c57a50a286b12ce54329ba734c4a173467a19e0e8e23
Instruction ID: cd263a1a746053f154bc5849fcd6f04160c77ec8c5ca292449f8a4a74ef08d27
Opcode Fuzzy Hash: 4632a505c0d000aa03c2c57a50a286b12ce54329ba734c4a173467a19e0e8e23
Instruction Fuzzy Hash: EA214C3084D78A9FD743EB7888586E97FF4EF1A350F0904EBD445CB0A2DB689455C721

Function 00007FF848F40A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf428bec7ed47ad50537e6f5efd9f08ca2e569a30e538c45377ca4f4c27053b8
Instruction ID: ce704b68379386e6f1bf2770d85d6c1be8ca4a09da8a55dd94cddd11dc986106
Opcode Fuzzy Hash: cf428bec7ed47ad50537e6f5efd9f08ca2e569a30e538c45377ca4f4c27053b8
Instruction Fuzzy Hash: DF115B3191854E9FE780FB68C8491B97BE0FFA8790F4005B6D818E6192EF78A5448740

Function 00007FF848F57221 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7570d608475abb9f230c7322e7d5e7dd5bc1c5c9eecbccd0836e4bd867e0501
Instruction ID: c21218ef7092ea89f6de9255040c7e5359449f36e29e0079795e0a46d9d6882b
Opcode Fuzzy Hash: f7570d608475abb9f230c7322e7d5e7dd5bc1c5c9eecbccd0836e4bd867e0501
Instruction Fuzzy Hash: A3117F30D0CA4E9FEB99EF2884592B9BBE0FF69341F0405BEE409C25D2DB39A444CB55

Function 00007FF848F54C85 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd394c95a01855b869879dbdebf39ffbf1fd1dda5a44a85d4fa5fdb6795fa9b
Instruction ID: 578c698f84af1721865d0c54d95c723b554c04190bc3e24799d0d930711d5b44
Opcode Fuzzy Hash: 9bd394c95a01855b869879dbdebf39ffbf1fd1dda5a44a85d4fa5fdb6795fa9b
Instruction Fuzzy Hash: B211A27090CA9E9FDB49EF2884692BDBBA0FF69341F1405BED419C71D2DB396480C741

Function 00007FF848F52951 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1608ed5ede7db821a2e371f835fcc45f9c2282e9495a3b98895ed74870397b9
Instruction ID: 23360b5d72d8cf0f3d2a4320610fd67325486e3fd94d9f2075bee6b147987a96
Opcode Fuzzy Hash: d1608ed5ede7db821a2e371f835fcc45f9c2282e9495a3b98895ed74870397b9
Instruction Fuzzy Hash: 16116A7090C6898FDB48EF18C4951ADBBE1FF59354F5102AEE84A83286DB34A440CB85

Function 00007FF848F572C5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ae46e4ad753bf3ae5fd6cd326ab0e03b77d8e16b433a96b947e88d373dcf73
Instruction ID: b2058b179768866bd44c478d22926bd0a84befcdba36da9469b2e4d63f4719cd
Opcode Fuzzy Hash: 11ae46e4ad753bf3ae5fd6cd326ab0e03b77d8e16b433a96b947e88d373dcf73
Instruction Fuzzy Hash: 9811BE3090DA4E8FEB99EF28845A2BDBBE0FF68351F0045BAD409C21D2DB38A444C744

Function 00007FF848F57365 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c226e073a867dd625968f387836ca237a94b7932e41717a012d35726394138c0
Instruction ID: 4e761b3016da8fd8f3b79ceadb39cafe00293d47eb2820e337f3ad08fc143007
Opcode Fuzzy Hash: c226e073a867dd625968f387836ca237a94b7932e41717a012d35726394138c0
Instruction Fuzzy Hash: 5111D031C0DA8A8FE759EB2484562B8BBA0FF15350F0440BAC80DC24D3DB286404C709

Function 00007FF848F55125 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1595293ddb46876dae8650df9761ef333205d66d2365ecb975940db2b15aab
Instruction ID: 0b6879b4af38e27a582dd486e4d9dc0f17a1e716dab0b4a459c6688bba88632c
Opcode Fuzzy Hash: 7a1595293ddb46876dae8650df9761ef333205d66d2365ecb975940db2b15aab
Instruction Fuzzy Hash: B411C431D0DA898FE759EB6498A92B8BFA0FF19344F0400BED00DC65D3DB296444C745

Function 00007FF848F54BE9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c02e48f85ba722aebe9c6acb19f74d094e0ddb930a0969fe4f421a0000aaf3c0
Instruction ID: a692b79cd9149ef3074d7fe9564f88f174de4b50cfb9a33cbcb3db93d9c8a3c7
Opcode Fuzzy Hash: c02e48f85ba722aebe9c6acb19f74d094e0ddb930a0969fe4f421a0000aaf3c0
Instruction Fuzzy Hash: 1521A27090D69E9FDB89EF2884692B9BBA0FF69341F0405BBD409C71D2DB386444C741

Function 00007FF848F435D1 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db477a29bd0e80b7dc4275a67e478036a4d635b3bedd4a5a277e8a5db4868bb2
Instruction ID: 380596d186a9a055665a84df9e20b87b2aef72f95ccff394e86a73cc48db93c4
Opcode Fuzzy Hash: db477a29bd0e80b7dc4275a67e478036a4d635b3bedd4a5a277e8a5db4868bb2
Instruction Fuzzy Hash: 5E117C3090D68E8FEB44EF288459ABDBBA0FF28741F4005BBD41AD72D1EB35A040CB04

Function 00007FF848F55499 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d18fbd6ddb3476d9501cfea8f7f0bc19e9c542f06428ef9ffca60a7a83f4be
Instruction ID: 24c058015caf13bc5cb663fae64e08630cb1cb1104b91df6dd2defff0b786995
Opcode Fuzzy Hash: e7d18fbd6ddb3476d9501cfea8f7f0bc19e9c542f06428ef9ffca60a7a83f4be
Instruction Fuzzy Hash: 62116D3190DA8A9FEB95EB64C8692BDBBE0FF29341F0404BAD409C71D3DB386454C701

Function 00007FF848F52D61 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d02c594c3d43d08ef159cba5e5f7387905b81cc1b73005f89458f5acd291844
Instruction ID: 72359f0d289107fee7e4a6053ed3abfa627b9be9f9bf5b72a3d436dbbef464b1
Opcode Fuzzy Hash: 7d02c594c3d43d08ef159cba5e5f7387905b81cc1b73005f89458f5acd291844
Instruction Fuzzy Hash: DF116D7180C59E9FEB92FBA8848C6F9BFE0FF59341F0449B6D408C6096EB78A1858745

Function 00007FF848F573FD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d874b7f6108abdb7bc36c34dc9cb48c875dc1d762f43d359f9c2035f558444d
Instruction ID: f33e7652d08526a82dbe6d46a6bcd881fa8559556d0271af3a0e3f8dfd2d8db0
Opcode Fuzzy Hash: 4d874b7f6108abdb7bc36c34dc9cb48c875dc1d762f43d359f9c2035f558444d
Instruction Fuzzy Hash: 4F11BC7090DA8A9FEB59EB64C45A2BABFA0FF68340F0401BED40AC61D3DB29A554C745

Function 00007FF848F5524D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f903a6dcca4da9a44a7233cd97dcfe8606c7c9125bbbc8a324992805ddc260b7
Instruction ID: ed1962964977007d6fd7e16614fd5aca957d7dabe2970b9622ed587008c64cf4
Opcode Fuzzy Hash: f903a6dcca4da9a44a7233cd97dcfe8606c7c9125bbbc8a324992805ddc260b7
Instruction Fuzzy Hash: 95119A3080D68A8FEB89EB2488592BDBBA0FF29340F0405BAC409D61C3DF39A5848711

Function 00007FF848F51311 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c66df8c08d83f46a64f6b1b8290033a27dc4ae83b8fa2fa629bdbc6219ebf0a
Instruction ID: ddce6fee9135bc925b9700413bd8b0e6da94260df0edb4b0cc95366b77b2d4f0
Opcode Fuzzy Hash: 8c66df8c08d83f46a64f6b1b8290033a27dc4ae83b8fa2fa629bdbc6219ebf0a
Instruction Fuzzy Hash: E7118B7090DA8E8FEB85EB2488682BDBBE0FF28305F5404BED419C6592EB34A580C700

Function 00007FF848F57941 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed3bbebc117278be59b22a6a162f58e0d28806d5b1f8b36905aa568f17361b0
Instruction ID: 7211992e83fce84dbceaca30bac30749deb1590f11e3ba1b57db75cfdd8381dd
Opcode Fuzzy Hash: aed3bbebc117278be59b22a6a162f58e0d28806d5b1f8b36905aa568f17361b0
Instruction Fuzzy Hash: EA115E3190D94A9FE751FB78C8486AABBF4FF1A351F0404B6D419C7092EB38A544C765

Function 00007FF848F56539 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188962809e77f7ea4b19ce0857fb0b736a712aa680675f155156ce3dc8f035cb
Instruction ID: b22a6a2040e92b4f4660247f920dc45660b569514ebc8fb80a7ea052dd4edcd6
Opcode Fuzzy Hash: 188962809e77f7ea4b19ce0857fb0b736a712aa680675f155156ce3dc8f035cb
Instruction Fuzzy Hash: D7118C3080D68A9FE782FB6888596A9BBF0FF19381F0505F6D418C7097EB28A584C715

Function 00007FF848F5540D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcfd0507212aefd3bb362741241078b3f4691c997a05a6fc34edfa187afb5043
Instruction ID: 64798174c478b11cedfcced2267fa2164264431d41a73e93a567037d0803e74b
Opcode Fuzzy Hash: bcfd0507212aefd3bb362741241078b3f4691c997a05a6fc34edfa187afb5043
Instruction Fuzzy Hash: 20118C3080DA8A9FEB49EB24C8696BDBBA0FF18345F4404BAD419C65D3DB29A554CB41

Function 00007FF848F4B7AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2c7dcc7980d9c0b9f93df945c0aade319fa4704525271eb4df37fea0b9ec5c
Instruction ID: 08425d32cf6bed96dd93311c9bb91ac88ac307b50fe8a94a0b7643045a0cb560
Opcode Fuzzy Hash: 5d2c7dcc7980d9c0b9f93df945c0aade319fa4704525271eb4df37fea0b9ec5c
Instruction Fuzzy Hash: 27112E71C1D55A8EEB59EBA8D8557EDBAF0FF28740F1401BBD00DA22C2DB3859858B18

Function 00007FF848F4AC21 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a2bf04141c7224a586d9e4bae3af0b039b6c3259724ecc7d8a3f2ff942b6ae
Instruction ID: d2d1ec56e1b55db3b2d95d7b6fa589f3e6a7d90142dda2c06d564f90bc350147
Opcode Fuzzy Hash: 76a2bf04141c7224a586d9e4bae3af0b039b6c3259724ecc7d8a3f2ff942b6ae
Instruction Fuzzy Hash: 6201783081D64A8FE782FB2498486A97BE4FF29341F4504B7D808D71A2EB34E5808704

Function 00007FF848F4FF3E Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f4f000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c559040e4e12175d87165e0fb502049d5b2450907ade31de1bd0a4ec7ce1d49
Instruction ID: 30dfb614f280ed74111bb2c38032bf3829e69fbd0fb8f7f52014e2c75f680999
Opcode Fuzzy Hash: 9c559040e4e12175d87165e0fb502049d5b2450907ade31de1bd0a4ec7ce1d49
Instruction Fuzzy Hash: E411C970D19A698FDB98EF288C597AAB7F1FB54642F4002FAC00DE3291DF3569858F04

Function 00007FF848F5266A Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd77cc9d11112d21e98833f516dd9d27da038491a9f571a9d85656a9214fd5b
Instruction ID: 77cde005d434d7c87401996b23e3f231c5eaa425c6fd76e26643de05d23d0e7c
Opcode Fuzzy Hash: 9cd77cc9d11112d21e98833f516dd9d27da038491a9f571a9d85656a9214fd5b
Instruction Fuzzy Hash: 41010C3090C54D8FEB58EB94D455AECB7A1FF68351F140639D00AE72C6EF78A4418B04

Function 00007FF848F405D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0b866fb7e2fbf4a3885a68111f807505c7822301a929a18bf1a3677f7a12fc
Instruction ID: 428990524cda59178b811a5465e9d553f06cb1cd6e49fbbb87bcd357bb5d2fd5
Opcode Fuzzy Hash: aa0b866fb7e2fbf4a3885a68111f807505c7822301a929a18bf1a3677f7a12fc
Instruction Fuzzy Hash: E9018C3090851E8FEB48EF24C4586BA77A1FF68345F60047AD40ED21C0DB36A590CB44

Function 00007FF848F42F41 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270e4ab377d0deedb0fe980987db4072b9809f4a46e50cc7770f8b1237a889c7
Instruction ID: 7e5369a307b388fe23cec978ab439fb7ff13ff95d137698097d3417d9cce070e
Opcode Fuzzy Hash: 270e4ab377d0deedb0fe980987db4072b9809f4a46e50cc7770f8b1237a889c7
Instruction Fuzzy Hash: D001DF30A0C68E8FE751FB64844D1A9BBE0FF29350F4504B7D408D60D6EB34E0408704

Function 00007FF848F57E49 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01e27ebd3ec7eaf097e519c0401eaf2ab47a8ca66221403a8f29499c7fba1ccb
Instruction ID: ae76be6ee4fe9300e6fc7131393aa6836cf1d0526614238278b0ff0f8a012a2b
Opcode Fuzzy Hash: 01e27ebd3ec7eaf097e519c0401eaf2ab47a8ca66221403a8f29499c7fba1ccb
Instruction Fuzzy Hash: 81115B3080D6898FDB59EF24C8686BDBBB0FF19341F4504BAD41AC61D2EB79AA14C714

Function 00007FF848F58165 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4272eba6cd80f7e5ebe2242808b0f5ef98666a5427e38887340dd66a26a2867
Instruction ID: 2ecf05f0999c5f686d8b384266ee05d0040afd4f88e7f33cd203759f92368b45
Opcode Fuzzy Hash: a4272eba6cd80f7e5ebe2242808b0f5ef98666a5427e38887340dd66a26a2867
Instruction Fuzzy Hash: F701BC3086D6898FEB49EB24C4596BABBA0FF19345F5408BED40AC64D3DF35A550C740

Function 00007FF848F527E1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e53419e158415003b4b71be1b306763f4cc201c5699bbe179452461659c2ae
Instruction ID: c9870713da34da01d6336d6953a1739f32a4adf5d6bb9b3335a51b674671e203
Opcode Fuzzy Hash: f0e53419e158415003b4b71be1b306763f4cc201c5699bbe179452461659c2ae
Instruction Fuzzy Hash: D9019E3080D6894FDB59EBA484596B9BBA0FF19345F2505BED40AC60D3DB35A540C781

Function 00007FF848F58089 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4bb85a880a0e90daed7f6e6d168528b4c74ced7e725489b7380d9144aaba490
Instruction ID: c7b4b2f6beb1f8347cd16206203dad2110d46ed0bba25cd532a2b34249afeb99
Opcode Fuzzy Hash: b4bb85a880a0e90daed7f6e6d168528b4c74ced7e725489b7380d9144aaba490
Instruction Fuzzy Hash: 0A01803085D7898FDB4AAB34C4692BABFA0EF16340F4508FAD40AC74D3DB25A554C711

Function 00007FF848F4291D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 147003f87df2a0dd39c821314bc87a9f6954ac1713515e329d174564cbbcb102
Instruction ID: 05c5ca5a33eb2a9471ca9e1220da13cb92d486fc2fe78168bae2b7c770f7b7f1
Opcode Fuzzy Hash: 147003f87df2a0dd39c821314bc87a9f6954ac1713515e329d174564cbbcb102
Instruction Fuzzy Hash: 7101963190C64E8EE781BB6888486B97AE0EF69740F4505B6D408D60A2EB38A0808704

Function 00007FF848F57AC9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2553b3073db23d5a3303942e61df61940ba9e47fd417b35cec4c751095e93ae8
Instruction ID: 16bb6b205e835aec40ce93f1bfad83f6127e1033ee82a063d36c2eaa2acfc940
Opcode Fuzzy Hash: 2553b3073db23d5a3303942e61df61940ba9e47fd417b35cec4c751095e93ae8
Instruction Fuzzy Hash: B6018430D5DA899FE752FB3484591B9BBE0FF19350F4508B6D409C60E7EF28A5448705

Function 00007FF848F42449 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb1829a2a859bfc97f90603cc9db84e273f915d9c1c860acd02acd41175d7ed
Instruction ID: bb55120bf903cb77a8f3ef1f9cf8671f2e84d02e252ad98b749118a7e09f7860
Opcode Fuzzy Hash: ceb1829a2a859bfc97f90603cc9db84e273f915d9c1c860acd02acd41175d7ed
Instruction Fuzzy Hash: 5611E870D08129CEEB64EF54C8457EDB6B0EF61740F1001BAD44EA62D2DB786A84CF44

Function 00007FF848F41CBD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22f8a395fe8314da7ff96e0d20ee9ef63739a3ce7d6163f02ca13fa816b476d
Instruction ID: 8f5df256a33d428ad6c78259e564bdb2f8ed9c663f9fabfcae9b32a4073f6410
Opcode Fuzzy Hash: d22f8a395fe8314da7ff96e0d20ee9ef63739a3ce7d6163f02ca13fa816b476d
Instruction Fuzzy Hash: CB01D13084D69E8FEB88EF2488552FA3BA0EF65700F50007AE809D21C1DB359890C744

Function 00007FF848F47710 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 527a73b4226f12e82ef69ba15687c43891cad484845afce45a93c659b984b8c8
Instruction ID: 5a226d7bcffbebf0e77ca71c3f79504a657a3d0a0128a5ca61942c17ccb9756c
Opcode Fuzzy Hash: 527a73b4226f12e82ef69ba15687c43891cad484845afce45a93c659b984b8c8
Instruction Fuzzy Hash: F2112A70D0C6598FEB64DB54C850BA9B3B1EB64750F1481FBC40EA6281DB786AC6CF68

Function 00007FF848F42FB9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6938bbadf2ef2a44f2056e75eb34d79ca578bf0e55546000e69690931436569
Instruction ID: 6964ba75c6e7396a4f96fb219375d37928242bcfacc7e098a1daa1495e1ea20f
Opcode Fuzzy Hash: c6938bbadf2ef2a44f2056e75eb34d79ca578bf0e55546000e69690931436569
Instruction Fuzzy Hash: C8017C3090D6895FE752BB6888596A97BE0EF69350F4509F3D409D70E6EB38A4448711

Function 00007FF848F544BC Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdc458f6a3c201db7d5b10f42a6bc9709223c8d97e742d187d67dfbe608f619
Instruction ID: b04b4016389ea821ef26bd236741c4f395c33cd3f0c08a584d34887a3c725ae5
Opcode Fuzzy Hash: ffdc458f6a3c201db7d5b10f42a6bc9709223c8d97e742d187d67dfbe608f619
Instruction Fuzzy Hash: 411139B0D09529CFEB50EF98C9482EDF7F1AF94342F604179D008E22D6DB386A85DB84

Function 00007FF848F40608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6eda84fb79acde6e1b9db582842bb004abbd04ca936e945bed8bf30860df5e2
Instruction ID: 7fb6b2eebed5c711c72f587518549c2e8ce4436d2cc255e1e12f82b56a509fbc
Opcode Fuzzy Hash: d6eda84fb79acde6e1b9db582842bb004abbd04ca936e945bed8bf30860df5e2
Instruction Fuzzy Hash: AC016930858A0E9EEB49FFA484582BD77A0FF68345F20087FE40ED21D1DF35A190C604

Function 00007FF848F40610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2ada1688e53ff7be21ec080b1a29b7e2e1e56fd01884127932d53b7569b527
Instruction ID: 5e88cbe66c243e1d20f0b6ddb497c819eba1624be41a072ddaa3649d1a1809ce
Opcode Fuzzy Hash: bb2ada1688e53ff7be21ec080b1a29b7e2e1e56fd01884127932d53b7569b527
Instruction Fuzzy Hash: 5201193091960E9EEB59FBA484596BDB7A0FF28345F6008BFE40ED21D1DF39A590C714

Function 00007FF848F4B04A Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a324e03e84022207ab35756894c40a83bbcc209db510942f5fb88dfa5ec9fb1
Instruction ID: 932b60be410b599c59cb49b942b5a29002315b2167d39538b54696708a23342c
Opcode Fuzzy Hash: 4a324e03e84022207ab35756894c40a83bbcc209db510942f5fb88dfa5ec9fb1
Instruction Fuzzy Hash: BEF04F3092C50E9EE751FBB888495B9BAE0EF28742F0408B3D419E20A3EF74A1948604

Function 00007FF848F405D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581362d1e516f53eb7fa5a09ff696c624fbcf1ae3d09415dc65dd8fe5aa0d8df
Instruction ID: 41451cda0a68a1c9c59aa9a7df6e152b22d4b4bb06717af9d66d04bd9cc6fcbb
Opcode Fuzzy Hash: 581362d1e516f53eb7fa5a09ff696c624fbcf1ae3d09415dc65dd8fe5aa0d8df
Instruction Fuzzy Hash: 69F0623095D65E8FEB44EF2898552FA77A4EF25348F50047BE80DD21C1DB39A5E0C788

Function 00007FF848F443A8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8acfe2b743ffe271b962ccfdd2c77c5c53949b82c7718718b5ce46db9bb0a437
Instruction ID: 5995e9c6656562de12c1afb0dcbe2c51ba1a2949214e5db5c939e0b6615efca8
Opcode Fuzzy Hash: 8acfe2b743ffe271b962ccfdd2c77c5c53949b82c7718718b5ce46db9bb0a437
Instruction Fuzzy Hash: 01010C74D085698FEB64EF14C8507A9B3B1EB68750F1481EBC40EB7280DB346AC5CF54

Function 00007FF848F42839 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55229157b559baaa19760b8b163929814cf6e06dc35298003e3bde2c725228ee
Instruction ID: e45a7af92f177d61dcba0538adf9494e7fdb7f9407aeeb7d890dd8df57214222
Opcode Fuzzy Hash: 55229157b559baaa19760b8b163929814cf6e06dc35298003e3bde2c725228ee
Instruction Fuzzy Hash: 2CF0C23080E7C98FDB5AAF6088182AD3F60EF66641F0504BBD448C60E2EB389454C301

Function 00007FF848F428AD Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67585659a9981740068fdb440c14472ba1f215c859d6d3081c516d8e74f09405
Instruction ID: f37616314363953dee55f90b031fab17086147822e6ddf67bfc3208f6f142453
Opcode Fuzzy Hash: 67585659a9981740068fdb440c14472ba1f215c859d6d3081c516d8e74f09405
Instruction Fuzzy Hash: A7F0943180E68E8FEB59AFA488592BD3BA0FF25741F5014BBE809C21D2EB38A450C700

Function 00007FF848F51330 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e18b44309b52b477a1b7e9ac27709df02d6817ac16ad634e1ae29eb55a5a143e
Instruction ID: 6b9e61581ed994c0d0d90a3d226bf416e0f53022e4291e4471226f91dc0e558f
Opcode Fuzzy Hash: e18b44309b52b477a1b7e9ac27709df02d6817ac16ad634e1ae29eb55a5a143e
Instruction Fuzzy Hash: 25F0FE70918A4E8FEF84EF6498182FEB7A4FF18305F40053AE81DD2591EB34A694C744

Function 00007FF848F4B0A5 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bebd77629e9af722cef41dc4b9d6d06912abc638cdaeb04717cb8287d02a46
Instruction ID: f1463cb7ad9d9407a31182639013a00c8486bb3d9a9f87efe153d7037ba0eb2c
Opcode Fuzzy Hash: d6bebd77629e9af722cef41dc4b9d6d06912abc638cdaeb04717cb8287d02a46
Instruction Fuzzy Hash: 55F0E23180E3C24FD312ABA89CA11F93B709F62695F0A01F3C048DA0E3EB2C98488385

Function 00007FF848F4BE37 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab1c8e53149a2f7f42905f3ba251394445bcc267a45162c2ba4c0eb2f87c2e2
Instruction ID: cccba25beced963d1d02a616ffd48d0f92336d66c7b0105a298cb35645a7932d
Opcode Fuzzy Hash: dab1c8e53149a2f7f42905f3ba251394445bcc267a45162c2ba4c0eb2f87c2e2
Instruction Fuzzy Hash: 22F0C430C1851E8EEBA0FB68C8443ACB6B1FF58340F4041F6900DF22A2DF752AC08B08

Function 00007FF848F4B0B8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de8295e94af3804d3e7e43d90c4329a4c7e9fcc6c5894ef88bf5363290c39fe
Instruction ID: 1bc30e387269e57f88ae32e873d0728ae39066fe9b098a8e392e1d2253de695f
Opcode Fuzzy Hash: 7de8295e94af3804d3e7e43d90c4329a4c7e9fcc6c5894ef88bf5363290c39fe
Instruction Fuzzy Hash: ACE0D83181D1479EE310F7AC68E01FA33A0DF50699F140637C05C550D3EF5C90440188

Function 00007FF848F40FC9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f40000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb63af831c8e188b94a760b04edd418069fd31f6e40e64e4e36950a43e4b4189
Instruction ID: 0ee4226e6f85a2503727603de613d4684010997169f458007a6ef7bebc63a470
Opcode Fuzzy Hash: fb63af831c8e188b94a760b04edd418069fd31f6e40e64e4e36950a43e4b4189
Instruction Fuzzy Hash: 48E0B63091A5198AEB90EB148840BAEA6B1EF54344F5041A5D00DB3282CE3869854B58

Function 00007FF848F5589B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F51000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F51000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f51000_fontdrvhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e1c4a8207af5abd77bcea9a793d19cd70c2afd806e65bcce1cb45ddedab61c
Instruction ID: 6eef1edface518d37d3bbfcbe75b98425573d0e3a23f00f0de2c9846c4cef02e
Opcode Fuzzy Hash: 98e1c4a8207af5abd77bcea9a793d19cd70c2afd806e65bcce1cb45ddedab61c
Instruction Fuzzy Hash: 6FD0C971D19A199FEB94FB18948D2A8B7E0FB98645F40006BD408D7186DF2064018B05

Non-executed Functions

Function 00007FF848F4FC47 Relevance: 5.0, Strings: 4, Instructions: 30COMMON

Download Yara Rule

Strings

{, xrefs: 00007FF848F4FC5B
O, xrefs: 00007FF848F4FC68
N, xrefs: 00007FF848F4F6D3
k, xrefs: 00007FF848F4FD44

Memory Dump Source

Source File: 00000009.00000002.2166986966.00007FF848F4F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F4F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff848f4f000_fontdrvhost.jbxd

Similarity

API ID:
String ID: N$O$k${
API String ID: 0-2452294744
Opcode ID: 2df8ab21f2853fe227f6e491321592ac119f163a44ed557027807c16a7d03621
Instruction ID: b712fe8158a04222152e1e5549aefdf1b9842195190f31f7df4accc858719e4f
Opcode Fuzzy Hash: 2df8ab21f2853fe227f6e491321592ac119f163a44ed557027807c16a7d03621
Instruction Fuzzy Hash: 2801FB70D0826A8FEB249F10C8443E977B1FB64755F0001EAD80DA62C5DB786AC0CF44

Analysis Process: ctfmon.exePID: 6496, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F23655 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

M_H, xrefs: 00007FF848F2386E

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID: M_H
API String ID: 0-372873180
Opcode ID: 7442923c4d0fe2ad427e65d125db12fb20d43f2c6afda2bb1b3caad7d3b6e646
Instruction ID: 466a22427a567dcbbe6b1c980455ecf933aa70ccf6430e68e8e1f733a6756007
Opcode Fuzzy Hash: 7442923c4d0fe2ad427e65d125db12fb20d43f2c6afda2bb1b3caad7d3b6e646
Instruction Fuzzy Hash: 4891AEB1D1D94E8FEB84EB2CD8587ADBFE1FB99350F5001BAC009D72D6DB6918018B05

Function 00007FF848F2F661 Relevance: 3.8, Strings: 3, Instructions: 59COMMON

Download Yara Rule

Strings

N, xrefs: 00007FF848F2F6D3
}, xrefs: 00007FF848F2F698
k, xrefs: 00007FF848F2FD44

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F2F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f2f000_ctfmon.jbxd

Similarity

API ID:
String ID: N$k$}
API String ID: 0-2507137466
Opcode ID: a8f840184d4e8122aa1e0545587ce0d8b5fdb6163fe5ac1c1fe4153f33581054
Instruction ID: 424ddf503572b0aab90b14351319db237614461f39eece3f4feb47e22a3e485c
Opcode Fuzzy Hash: a8f840184d4e8122aa1e0545587ce0d8b5fdb6163fe5ac1c1fe4153f33581054
Instruction Fuzzy Hash: 9F21B070D196298FDBA8EF14D8947E9B7B1FB58341F1001EAD44DA6281DB396BC0CF84

Function 00007FF848F2122D Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F2129D

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: 1592041d27419281674b47473bd7236741ca6c3bab96d4b6bb79dd974747e6da
Instruction ID: df0e6b61140f6015e1c4253b8882ea2726eb36918d8958fcbe573ba3125d6449
Opcode Fuzzy Hash: 1592041d27419281674b47473bd7236741ca6c3bab96d4b6bb79dd974747e6da
Instruction Fuzzy Hash: 0E11B270D0D64A8FEB59EBA894592B97BE0FF59351F0001BAE409C60D1EF266484C714

Function 00007FF848F21240 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F2129D

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: 369bc3f4ba6055f42d87a26d67f1447a5788a501d8bc9af4729cbe0395e786c9
Instruction ID: 2d620bf0c82ad26064b15cf490c5b1e1bace7c78caf7c9f06d4c65fee9bb8194
Opcode Fuzzy Hash: 369bc3f4ba6055f42d87a26d67f1447a5788a501d8bc9af4729cbe0395e786c9
Instruction Fuzzy Hash: 3FF0FF70D0D65B8EEB98ABA8A8183FA77E4FF56351F00017AE809C20C0EF2421948268

Function 00007FF848F2F213 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

k, xrefs: 00007FF848F2FD44

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F2F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f2f000_ctfmon.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: e48e1de832f94123ab1d07d137a1c69af2279bfec2f2b5738e421f2359c3318f
Instruction ID: cae3e04b261211ea53d3ffe73e66f5c745a322da3be751ba43aa81c90bd65fbc
Opcode Fuzzy Hash: e48e1de832f94123ab1d07d137a1c69af2279bfec2f2b5738e421f2359c3318f
Instruction Fuzzy Hash: E1019270D196698FEB64EF18D8847E9B7B1FB54741F1041EAE409E6281DB386B80CF44

Function 00007FF848F31961 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

/, xrefs: 00007FF848F3189D

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: f34b2d2be9457b202da7ee0ce6bd980fffb0ab3c610ab2f6d6b78f07408eb888
Instruction ID: 49f27c6a071771ae4896fb5c6aa1dd3e8a7e099d53936a47eae0138ed2ec80d7
Opcode Fuzzy Hash: f34b2d2be9457b202da7ee0ce6bd980fffb0ab3c610ab2f6d6b78f07408eb888
Instruction Fuzzy Hash: 0CF0343090830ACFEB28EF40C894AFD77B1EB10351F20023AD0199B2D0DBB86984DB48

Function 00007FF848F3388D Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1654101bd3447f84e9941a4373565dd008b03b38b728c499a28648ac230079f
Instruction ID: 734c1ed2aa43ee00efd24e4666c871b668d5d3f2244959920502b027d7fde9e6
Opcode Fuzzy Hash: a1654101bd3447f84e9941a4373565dd008b03b38b728c499a28648ac230079f
Instruction Fuzzy Hash: 05015231D0E7C99EE753A77898691A57FB0BF46240F0904F7D448CB0D3EA2855588312

Function 00007FF848F33868 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e5251248fdccec7dbf8706e2129c86cc6c6c0477a272bca8d98cb3aa8dbb30
Instruction ID: 7e5ecf0717b6197279716d1bedab53a8545852bff230a8587ff80603c6e4cdf3
Opcode Fuzzy Hash: 31e5251248fdccec7dbf8706e2129c86cc6c6c0477a272bca8d98cb3aa8dbb30
Instruction Fuzzy Hash: 16118E31D0E68A9EE752FB7898595BA7BE0FF05380F0505BBD448CB0D3EF28A5488356

Function 00007FF848F33E2F Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a7643c46eb2f6173cdadc60af4cb9d255b4628d0545f4f879c4bd883be4d68
Instruction ID: 79bebcba2ac6688c0d27b2ecbd10402726baf2505466ccd6103fd6fd8d9d1768
Opcode Fuzzy Hash: 49a7643c46eb2f6173cdadc60af4cb9d255b4628d0545f4f879c4bd883be4d68
Instruction Fuzzy Hash: AA812B33A1E45A9EE341BB7CB8155E97BA0EF513B9F0447B7D088CE093DE1C604586A8

Function 00007FF848F21748 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09cd60e9723253e26b9fe33b13b8328af2a29282779a27f5446243a8138b1ea
Instruction ID: e9035efbc0e1769844ce0b4ebf5a2d75c00d77d0181b2a8ace3b753b25df813d
Opcode Fuzzy Hash: f09cd60e9723253e26b9fe33b13b8328af2a29282779a27f5446243a8138b1ea
Instruction Fuzzy Hash: C181ED31A0CA498FDB58EF5CA8516B977E2FF98340F14017AD45DC32C6CF35A8428789

Function 00007FF848F33ED3 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b380fb551149a46bf590bb15e85ced603624f43010c9ef90b4cafe9fddef71
Instruction ID: 92368fc6bac9d29ee6c8242f34aabde22f0857f7b2d8fa1eace7ff2986c61d9a
Opcode Fuzzy Hash: 56b380fb551149a46bf590bb15e85ced603624f43010c9ef90b4cafe9fddef71
Instruction Fuzzy Hash: F2517A73A1E49A8EE701B77CBC166E97BA0EF51379F4403B7D148CE083EE1C604686A4

Function 00007FF848F21D3D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4384dc1affd54a89669b917a3d762898a433c80d1e26092a5e3d2d48a517a8f2
Instruction ID: bee04baa91c9612344252f0390342faea53ade4a456d6abe8077a6ccf44c8a83
Opcode Fuzzy Hash: 4384dc1affd54a89669b917a3d762898a433c80d1e26092a5e3d2d48a517a8f2
Instruction Fuzzy Hash: 9551F131A0CA998FDB48DF5898655BA73E2FF98340F14427ED45AC7286CF35E842C785

Function 00007FF848F2B3D0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a090fee72e3d77eaf19788fff8f02fe6c0775c156c5020147b93d4bfeb8034c
Instruction ID: 9c634c850073235c9783c6a5201c121dab20e6aca73315d6eaf62b1631b07378
Opcode Fuzzy Hash: 6a090fee72e3d77eaf19788fff8f02fe6c0775c156c5020147b93d4bfeb8034c
Instruction Fuzzy Hash: 3851F532D1D986DFE341BB7868994F9BBE0FF12354F0841B6C4888B0D3EE2A64568359

Function 00007FF848F23235 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c7a9a10fc2830734a8c5e0cad74dff6645a52c4459e0e1b5e10b384898bb47
Instruction ID: 698283f9254fbb10974b11808d8e7f9ca62755bbc69d1896b169acdebe2f0852
Opcode Fuzzy Hash: 42c7a9a10fc2830734a8c5e0cad74dff6645a52c4459e0e1b5e10b384898bb47
Instruction Fuzzy Hash: 925127B0D0C60D8FEB54EBA8E4956EDBBB1EF58351F10007AD009E72E2DB39A944CB55

Function 00007FF848F22155 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87b51d45511e9cce346c29465fc97917fc1597246c015d06bac1092264a140a
Instruction ID: dcd9d590209439a660cdb5ab7af53787b292357860ae0968b77cbd2de0b3d566
Opcode Fuzzy Hash: f87b51d45511e9cce346c29465fc97917fc1597246c015d06bac1092264a140a
Instruction Fuzzy Hash: DA412631E0D64A4FE755EB78A8565B9BBE1FF46380F0448B6D40CC71E2DF39A8418365

Function 00007FF848F32EA6 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91b44e23efd737e517b0c6442d5a125eefc3886474924792d20c9052d261f4f
Instruction ID: 0bb6ceead7171cd066d62f2e1c03b7216c4aac587ebded3d5db0311f607aba80
Opcode Fuzzy Hash: f91b44e23efd737e517b0c6442d5a125eefc3886474924792d20c9052d261f4f
Instruction Fuzzy Hash: 5841A470D0891D8EEBA4FB68D8557ACB7B1FB59341F5081AAC00DE32D2DF38A9858F54

Function 00007FF848F33FD3 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e56843486c878bcf58e91c1111c6b9ab316ac0b07be65b6f7575dccb3af67c8
Instruction ID: 68f0c3f21d443ef73ac73f666f4d1a388fbb1a4a717ff491086d3c8fc7ad3c48
Opcode Fuzzy Hash: 3e56843486c878bcf58e91c1111c6b9ab316ac0b07be65b6f7575dccb3af67c8
Instruction Fuzzy Hash: 9C21E572B0E68A4EE711B76CA8691F9BFA0FF62365F0402B7D588CB0D3DF2854488755

Function 00007FF848F2B73F Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861224320db8ecdba809833eb3ea279827df113f7e5dda8450a2df2b30a68911
Instruction ID: 072f87938e68a556c3901f59ce0dcc78a8260ecd0fa1bd757dcddd676d99f7e5
Opcode Fuzzy Hash: 861224320db8ecdba809833eb3ea279827df113f7e5dda8450a2df2b30a68911
Instruction Fuzzy Hash: 76313871D1965ACFEB58EF98E8546ECB7F0FF58351F0002BAD409A32D1DB3919848B18

Function 00007FF848F323ED Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bdfbf279d13ff2748fa28c1dba4a257c9d94b35d6d67a3c94a8a487dc6fb0fe
Instruction ID: 6905b686bdfc7b98c44bf1159b78c8f91ca5b10d1c5d7edc9f32b09f70ffb496
Opcode Fuzzy Hash: 1bdfbf279d13ff2748fa28c1dba4a257c9d94b35d6d67a3c94a8a487dc6fb0fe
Instruction Fuzzy Hash: A7312B70D0C60E8FEB51EBA4D4587ED76F0EF18352F14057AD409E72D2EB78A9848B98

Function 00007FF848F2330A Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f70e9ff4b0f45372b7b7d0c49b56a6235a59c70fdcbe11ed11d0b52d30a89f5
Instruction ID: 67f2a4c0df96e8e141b2748a2fdca3bb48af7016f691eb72292db3acaea35ace
Opcode Fuzzy Hash: 2f70e9ff4b0f45372b7b7d0c49b56a6235a59c70fdcbe11ed11d0b52d30a89f5
Instruction Fuzzy Hash: 2B21C2B1D0851D8FEB54EB98E4956ECBBB1FF58341F50007AD40AE72D2CB396981CB14

Function 00007FF848F23440 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193f7c03a2b8b57be8eebc64ccf7ce0fa919746308fc05f1c6a6bb4f66486ab1
Instruction ID: 4e7b5d4495db1657844050b7c9ebc73017ed19e6ceafd8282c0474543f551a81
Opcode Fuzzy Hash: 193f7c03a2b8b57be8eebc64ccf7ce0fa919746308fc05f1c6a6bb4f66486ab1
Instruction Fuzzy Hash: FF217F7084D7CA8FD743AB7488586A97FF0EF0A350F0904FBD444CB0A3DA699459C722

Function 00007FF848F20A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dca28e5267101f555314faffcc876ad3afb08b38b15a59ff6b13b7b2602e554
Instruction ID: e0ed87d32097683e5740e5120cbb3800bf8d36177bac3092be5f45bd0b7912a8
Opcode Fuzzy Hash: 3dca28e5267101f555314faffcc876ad3afb08b38b15a59ff6b13b7b2602e554
Instruction Fuzzy Hash: 4A115B32D0854E9FE780FB68D8492B97BE0FF98381F8005B6D808C61A6EF39A5448B40

Function 00007FF848F37221 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56d793406d7649a24c1bdecc425d44f3284a9aaeebab3af5bd18bc0bb8ae6ed
Instruction ID: 2afc5b48d7fe8284d7f0e51453c9dbfbb2c238ab6c6d4ad12b276e2e1cc0e07f
Opcode Fuzzy Hash: c56d793406d7649a24c1bdecc425d44f3284a9aaeebab3af5bd18bc0bb8ae6ed
Instruction Fuzzy Hash: A8116D30D0CA4E9FEB99EF2884592B97BE0FF69341F0405BBE409D65D2DB35A444CB91

Function 00007FF848F34C85 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be10973fda1b79c21cc8e49a3d27716050572c77c864ead34b54646872841d0
Instruction ID: f88503dc1dc1f37642aa20c81db221af8f0d3f1ab60a38e20c23c63336101ca0
Opcode Fuzzy Hash: 9be10973fda1b79c21cc8e49a3d27716050572c77c864ead34b54646872841d0
Instruction Fuzzy Hash: 63119D3090CA4A9FDB89EF6884592B97BA0FF68341F0401BBD409C61D2DB39A480C741

Function 00007FF848F32951 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29318d095381981d0968c8cb59566344db170810250aab395950e4e450d40371
Instruction ID: 62237744fd5b0a41622aaa66ae1336a5d9c7d0ca831a0d97a70ad98717f4bbcb
Opcode Fuzzy Hash: 29318d095381981d0968c8cb59566344db170810250aab395950e4e450d40371
Instruction Fuzzy Hash: AF11797090968D8FDB48EF18C4A62E97BE1FF58355F1101AEE80AC3281DB34A440CB85

Function 00007FF848F372C5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ae2fe3be9f6f82e50be6f81e5fc852718eb786a8914c841fc5c38c1c802937
Instruction ID: ab0f80e32d21098275d350c9c5a80dde0630b109dbb3c926a75093399a4d68c8
Opcode Fuzzy Hash: b7ae2fe3be9f6f82e50be6f81e5fc852718eb786a8914c841fc5c38c1c802937
Instruction Fuzzy Hash: C811BE7080DA4E9FEB99EF28845A2BD7BE0FF68341F0045BBD409C21D2DB35A440C741

Function 00007FF848F37365 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694f529b1b7549ab65cdc2121d55092542b216db29b554d078a14004708407b0
Instruction ID: 718a0e1269ac171eaa70e7d1be6e03684efb1fdb808330bf8f323c6cde6b5a3b
Opcode Fuzzy Hash: 694f529b1b7549ab65cdc2121d55092542b216db29b554d078a14004708407b0
Instruction Fuzzy Hash: D011CE31C0DE8A8FEB59EB6488AA2B87BA0FF16300F0440BFD819C65D2DF296444C756

Function 00007FF848F35125 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf14d5bbf8ddb6d380a222e2e3c3dbde577eb5d1a375c0b12e9d3b3cfe8da70
Instruction ID: 3fb154bab86a53e9e1bc6a0467bb7e14d4d16cda4166b56107542bba2ad87fa9
Opcode Fuzzy Hash: 8cf14d5bbf8ddb6d380a222e2e3c3dbde577eb5d1a375c0b12e9d3b3cfe8da70
Instruction Fuzzy Hash: 4511C131D0DA898FEB5AFB2488AA2B87BA0FF59344F0400BFD00DC65E2DB396444C746

Function 00007FF848F34BE9 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea4334c764cc1753aa00aecc4f129139cec28ca09050eef40f7f8d54874807d
Instruction ID: 3729550f7d9c005de8298501dd4fbc558429e8a7ee08050928730387a2d76306
Opcode Fuzzy Hash: 9ea4334c764cc1753aa00aecc4f129139cec28ca09050eef40f7f8d54874807d
Instruction Fuzzy Hash: 2D21AC3090D68E9FEB89EF6884692B97BA0FF69381F0405BFD409C75D2DB38A480C741

Function 00007FF848F235D1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f8e0464315f7448f17e1a210405075201309fc7f25fcd901038f4904684c02
Instruction ID: e043573f1d4a4821864e2c21ac326b64c5b424d21ba076bd224ded093f5b6cfc
Opcode Fuzzy Hash: c2f8e0464315f7448f17e1a210405075201309fc7f25fcd901038f4904684c02
Instruction Fuzzy Hash: 4611707090C64E8FDB44EF2884596BDBBA0FF18341F4004BAD41AC72E1EB36A0408705

Function 00007FF848F35499 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b7b59080151d1b7b6cd4c55f9853a6d2233fd8dd36a274752ee2977efd20c5
Instruction ID: 08497a65770e9433f8a233bedf19b8ec28f85a452166cb2d17a10d1f6da98753
Opcode Fuzzy Hash: c4b7b59080151d1b7b6cd4c55f9853a6d2233fd8dd36a274752ee2977efd20c5
Instruction Fuzzy Hash: A4119D3080DA8A8FEB99EB24C8692B9BBF0FF59301F0404BBD409C71D2DB386454C701

Function 00007FF848F32D61 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e1b634d1c07cb217e0d7884a0b5288fbcbd62acf19b28a9defc6c9f135dce9
Instruction ID: 5c9666b30781f8a91327cab0807f6ffbd39fea82f76a07a86eb203409eb97048
Opcode Fuzzy Hash: d1e1b634d1c07cb217e0d7884a0b5288fbcbd62acf19b28a9defc6c9f135dce9
Instruction Fuzzy Hash: 36116D3081C55E9EEB92FBA8844C6F9BFE4FF59341F0405B6D418C6096EB74A1858745

Function 00007FF848F373FD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe3848f7e4142638760133ea6d02fc749e943b4b7b78fc90dc25e9037380064
Instruction ID: 75db491e24debc68641b5b05406ce226d58b5c32bb8e3dfb4d3bb0740e7758a6
Opcode Fuzzy Hash: ebe3848f7e4142638760133ea6d02fc749e943b4b7b78fc90dc25e9037380064
Instruction Fuzzy Hash: 0F11BC3090DA8A8FEB59EB64C45A2BABFA0FF68341F0401BBD409C61D2DB39B4648741

Function 00007FF848F3524D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7590112dc371189cb186db504fd013ae16fc90c6522ad888acbd97cfe8c9157d
Instruction ID: e5d52c772c47b34d96da9d4c5651c8a4dfb7f85f3e3b8127e3ab6e4c88d1c5b1
Opcode Fuzzy Hash: 7590112dc371189cb186db504fd013ae16fc90c6522ad888acbd97cfe8c9157d
Instruction Fuzzy Hash: 8C118C7080D64A8FEB99EB6488596BDBBE0FF69340F0405BBD409E61D2DB38A580C711

Function 00007FF848F31311 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a61f2c2d371c48734cce4e1b9a0abfbf8be02ff5db47e255d7ef076bad76bd
Instruction ID: 22a1c233367b07a076554b6d8ce4fcc0b5a2f45b22d7bcd7f9e53a26ab6d6ccc
Opcode Fuzzy Hash: c3a61f2c2d371c48734cce4e1b9a0abfbf8be02ff5db47e255d7ef076bad76bd
Instruction Fuzzy Hash: DC113970949A4E9FEB89EB2484592BD7BA0FF28341F5404BBE419C6592EB35A580C704

Function 00007FF848F37941 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e595ea84fab26210e8bc57ef3643a7be42c9c4e46df9116d36fe4e4daedc644a
Instruction ID: 556fbd48f2a58037a286e574d248e9a442c6376f1d74fb1835d36fde6f905493
Opcode Fuzzy Hash: e595ea84fab26210e8bc57ef3643a7be42c9c4e46df9116d36fe4e4daedc644a
Instruction Fuzzy Hash: 53115B3190E94A9FEB51FB78C8486AABBF4FF1A351F0405B7D409C70A2EB38A584C755

Function 00007FF848F36539 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74fbcabb11a40fe5986e57fd3a42f4f4dbabe427f943839846d3f4bd3576ad1f
Instruction ID: 8043b0d223824172bf2ecc27d3ac194e0528ebfac4cdd2245522b3b565fabbfe
Opcode Fuzzy Hash: 74fbcabb11a40fe5986e57fd3a42f4f4dbabe427f943839846d3f4bd3576ad1f
Instruction Fuzzy Hash: DF118C3090D68A9FE782FB6888596B9BBE0FF19340F0405F7D408C60A6EB28A584C715

Function 00007FF848F3540D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c5decfb64be7fb9b8e9379810d23edebd8043e987bc48c5e7d34f6d49cfadd
Instruction ID: 2374f04baf64ab3611552c6d6f2e9376a82c33d88f4a950b247c480e6735de67
Opcode Fuzzy Hash: 44c5decfb64be7fb9b8e9379810d23edebd8043e987bc48c5e7d34f6d49cfadd
Instruction Fuzzy Hash: DC119E3080DA8A8FEB49EB24C4696BD7BE0FF58345F4404BBD419C61D2DB38A554C751

Function 00007FF848F2B7AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40280fa0538f737aff07a9a88f7cdb3696538cdf929e9fab910d9252ff1b332
Instruction ID: 2911e52769640f176d26b153fa3a063c3172040742a08495dcb9f67d7cb4406b
Opcode Fuzzy Hash: a40280fa0538f737aff07a9a88f7cdb3696538cdf929e9fab910d9252ff1b332
Instruction Fuzzy Hash: B8114971C2D55ACEDB59EB64A4557ECBAF0FF18340F1002BAD40DA22C2DB3959848B18

Function 00007FF848F2FF3E Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F2F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f2f000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098dd6985391cc81043b52e58a20348feafbc30e0de19ff0f62486f900e7f67c
Instruction ID: 2cfdf10cb90507e4c73a7afaab381bd4089d91c43a02e56c5b02a5444cc3561d
Opcode Fuzzy Hash: 098dd6985391cc81043b52e58a20348feafbc30e0de19ff0f62486f900e7f67c
Instruction Fuzzy Hash: F711E770D18A698FDBA8EF289C597AAB7B1FB14642F4002FAC00DE3281DE3559858F00

Function 00007FF848F3266A Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd7912c7e4b200dcdcc003ed01d9babc11b9141ec5b5c8e71b5afb515a6c045
Instruction ID: cb7a90268ba480eb837b0a6c383da32443ee857070123abb6bb501368bfe714a
Opcode Fuzzy Hash: 9bd7912c7e4b200dcdcc003ed01d9babc11b9141ec5b5c8e71b5afb515a6c045
Instruction Fuzzy Hash: 33012730A0C50D8FEB58FB94D454AAC77A1FF58352F14063AD009D62C5EE39A8818B04

Function 00007FF848F205D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c8ed7286cd05bece2a74f46ab495d8036bb2db14990423c89800e1f5b4882e
Instruction ID: b0dd37d64d2fddd292ea436819f0e784230d21cb07757098f74ef9607e8073e5
Opcode Fuzzy Hash: d2c8ed7286cd05bece2a74f46ab495d8036bb2db14990423c89800e1f5b4882e
Instruction Fuzzy Hash: 58018C3094854E8FEB48FF64D0586BA77A1FF58345F60047AD40EC21C0CB32B590CB48

Function 00007FF848F37E49 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd61b590df046718c78aa7bb894d02c11b1d64220d332fcfe792c623e2beea1d
Instruction ID: 315f5b251fdb5237e9fcb9b8714a5eb390caedd1326384beb1e0a757492f668c
Opcode Fuzzy Hash: bd61b590df046718c78aa7bb894d02c11b1d64220d332fcfe792c623e2beea1d
Instruction Fuzzy Hash: 1911AD3080D6898FDB59EB28C8582BDBBF0FF1A341F4104BBD419C61D2DB39A944C710

Function 00007FF848F327E1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa08425ee2984136f201d011536b624c65e7ed8102d3dca974838e3396983350
Instruction ID: e2f5c7bdc8b8692f25cbab7877a32ee2b841f85dc78ba80221be8e8a045db9c4
Opcode Fuzzy Hash: fa08425ee2984136f201d011536b624c65e7ed8102d3dca974838e3396983350
Instruction Fuzzy Hash: 9301BC3081D6899FDB99EB64C4596B9BBA0FF19342F6504BFD40AC70D2DB35A540C740

Function 00007FF848F2291D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93446d4cb57e2009e52b05943d01d4fd9a7e7411121fad2d7c833fdfc7a088b6
Instruction ID: 4fc4d6954502f62a36340a9b23a87357712269321853ff31dcae06f4a5dca5a2
Opcode Fuzzy Hash: 93446d4cb57e2009e52b05943d01d4fd9a7e7411121fad2d7c833fdfc7a088b6
Instruction Fuzzy Hash: 7B01B831D0C64E8FE781FB6898886B9BBE0FF19340F4509B6D408C70A2EB39E080C705

Function 00007FF848F37AC9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000d3c69eda72d82380bd38913c489fd4df962d7d224c7dcefcab4f5802c919f
Instruction ID: 9b7d79b0f75a54c650a2b748e37c31488b49139e711944ce5e4024b6072e8aa9
Opcode Fuzzy Hash: 000d3c69eda72d82380bd38913c489fd4df962d7d224c7dcefcab4f5802c919f
Instruction Fuzzy Hash: 38017C3094EA8A9FEB52FB3888591B97BE0EF19350F4508B3D409C60A6EB28A5448711

Function 00007FF848F21CBD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b5181ed492fc7a314885071fe3744340d1a75ace771e35e1826230eddc32b9
Instruction ID: 5975620408b5bcc44a51f9de3cf0cbf08a111fe871670e69673b047fc166de84
Opcode Fuzzy Hash: 31b5181ed492fc7a314885071fe3744340d1a75ace771e35e1826230eddc32b9
Instruction Fuzzy Hash: 2B01A43084D68E8FEB98EF6498552FA7BE0FF55341F50007AE809C61D1DB36E890C788

Function 00007FF848F22FB9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b96b8fd25c9aa66f38742bbb5ea44a8c34b501d1e31df6e7636abff1f0d49c
Instruction ID: 3b36eb34079a59a3df66b20c005f27b955a1f02ca7c7212536fad6e0de635350
Opcode Fuzzy Hash: c5b96b8fd25c9aa66f38742bbb5ea44a8c34b501d1e31df6e7636abff1f0d49c
Instruction Fuzzy Hash: DC018F3090D6895FE752FB7898995A9BFE0EF59340F0508F3D409C70E6EF39A4448715

Function 00007FF848F344BC Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdc458f6a3c201db7d5b10f42a6bc9709223c8d97e742d187d67dfbe608f619
Instruction ID: 94490fa87b0643ea85b352ff2d2912193c44d271b10d26563c82fd5ea132f89b
Opcode Fuzzy Hash: ffdc458f6a3c201db7d5b10f42a6bc9709223c8d97e742d187d67dfbe608f619
Instruction Fuzzy Hash: BC112A70D09629CFEB50EF94D9442EDB7F1BFA4342F10417AD008E62C1DB386A85DB84

Function 00007FF848F20608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3617434937452697bc53feede512b6bd946765389ddf1a39cfd7bd6104b0656c
Instruction ID: 5de4e1f801473c5a8879741a180ea245032c00813b07c6d2c57134b3a0caa282
Opcode Fuzzy Hash: 3617434937452697bc53feede512b6bd946765389ddf1a39cfd7bd6104b0656c
Instruction Fuzzy Hash: 56016930859A0E9EEB49FFA490582F9B7A0FF18345F20087EE40EC21D1DF36E150C605

Function 00007FF848F20610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931d574d50f7bd86f7e3839d43b441261cfcea0de4651d63ade3fce1e3b2a500
Instruction ID: c4ec1b6e87c67b96b063dbffbbe9754ecd448e9ffaf1cc23c44dbdca779f9290
Opcode Fuzzy Hash: 931d574d50f7bd86f7e3839d43b441261cfcea0de4651d63ade3fce1e3b2a500
Instruction Fuzzy Hash: 8301463091960E9EEB48EBA494592B9B7A0FF18345F6008BEE40AC21D1DF3AA590C604

Function 00007FF848F2B04A Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5fe99a967ec5c63c3f5c1b184b13998760a826e387f05ad9216aae01e1ef932
Instruction ID: b47e3276c21750c7bc97ac2e18c53c8046f4887b1c5855436d77bf7f21ace941
Opcode Fuzzy Hash: f5fe99a967ec5c63c3f5c1b184b13998760a826e387f05ad9216aae01e1ef932
Instruction Fuzzy Hash: B5F04F3092C50E9EE752FB78A4495B9BAE0EF18351F4408B2D819D20A2EF75A5848605

Function 00007FF848F205D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96bfe6edb113d3414199e33f04bb877f2632d452e5db6629f118c9d66a4e4707
Instruction ID: d9d9726aaa353b4b052c12ae898034d30c8a4e960d2bb96ddf7dca70878a9032
Opcode Fuzzy Hash: 96bfe6edb113d3414199e33f04bb877f2632d452e5db6629f118c9d66a4e4707
Instruction Fuzzy Hash: F8F04F3095D68E8FEB44EF68A4552FA77A4EF55344F50057AE80DC21C1DB36A5A0C788

Function 00007FF848F22F25 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 965f2547eb1b982ddb0462fcf20a88c9f7753f65f13a8f45fdab95450df6a5e4
Instruction ID: aef68724108f57f2f144c702fb8261393570d18c53b59178e7fb6e6f7751a881
Opcode Fuzzy Hash: 965f2547eb1b982ddb0462fcf20a88c9f7753f65f13a8f45fdab95450df6a5e4
Instruction Fuzzy Hash: 74F09A35A0891E8FEF41FBA8D8489FAB3E0FF19340F004A72D82DC3099EB31E5108A45

Function 00007FF848F22839 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2288a0ff5a7f7c337b981d73dc769bb98790b38032f9023cbed7e25890949d08
Instruction ID: db44abcbedaefb72a56e8ee4150d73597af23308fda54b91511562ba3925c4de
Opcode Fuzzy Hash: 2288a0ff5a7f7c337b981d73dc769bb98790b38032f9023cbed7e25890949d08
Instruction Fuzzy Hash: D6F0C23080E7C98FDB5AAF2098582E97FA0FF16201F4508BBD448C61E2DB39D414C302

Function 00007FF848F22F41 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f988a176aa5e2d40fdd626d2bf0828fb0bf66724ec4f23470938c28b5c6eb25a
Instruction ID: ae8c8a3457f0a19ab323db1dac24c6d842e1575c87d4671865632ad8ae1a674f
Opcode Fuzzy Hash: f988a176aa5e2d40fdd626d2bf0828fb0bf66724ec4f23470938c28b5c6eb25a
Instruction Fuzzy Hash: C6F0E231D1D28A4FE751BB64581A1B9BAA0EF15340F0508BAD808C50C6EB39A0108201

Function 00007FF848F228AD Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dead69dde311a30ec20c81027525c44bc9ddb4d6775406da492446fcd6518f82
Instruction ID: d868163064730ddb5c33043471f6ffe3c33a328c94ad06c06a643a04fa7e2096
Opcode Fuzzy Hash: dead69dde311a30ec20c81027525c44bc9ddb4d6775406da492446fcd6518f82
Instruction Fuzzy Hash: 41F0903180D68D8FEB59AF6498591FD7BA0FF15301F5018BAE409C21D1DB3994508701

Function 00007FF848F31330 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7bdbe4e59061b82791486aacd9c2de72a27ae6295428247c1f9428f0465c02
Instruction ID: eae623dfc65ac68e9109c3127b3b8a49b0a29efc0c2814a191d43db63f6fc6a6
Opcode Fuzzy Hash: fc7bdbe4e59061b82791486aacd9c2de72a27ae6295428247c1f9428f0465c02
Instruction Fuzzy Hash: 99F0F870918A4E8EEF84EF6898082FE76A4FF28305F40093AE82DD2591EB34A5948744

Function 00007FF848F2B0A5 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c1d341530179192dae79af86d1eed2042ab1a7a03eb1c077300cf147b69e60
Instruction ID: 5e75e1ea8655686f0d9ec6560fcb12f59678059532fef12b8af88079b5607f61
Opcode Fuzzy Hash: 00c1d341530179192dae79af86d1eed2042ab1a7a03eb1c077300cf147b69e60
Instruction Fuzzy Hash: ADF0823591E3868FD313DB64A8A11F93B709F423A5F1A46F7C449CA0E3EB2D58888355

Function 00007FF848F2B0B8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4126433bc1f23478a49e7ec841df54aa69d309a14f127a3564698c1ab93999
Instruction ID: af8bbb69620fd7b3792f675633b9c26b63f9d614043afdd0a1279c41f0c15d16
Opcode Fuzzy Hash: 5f4126433bc1f23478a49e7ec841df54aa69d309a14f127a3564698c1ab93999
Instruction Fuzzy Hash: 0BE0D83581D107DEE311FB6874E01FA33A0DF403A8F140A37C44C890D3EF5D54840188

Function 00007FF848F20FC9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f20000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8da5574e984b3efadb52a435491ac2ba8488d2df7b8c71b3facc746e1c6a04b
Instruction ID: 8a8031fd31c513a098824d4376478c58682233156bba4f10c5c46cd0b7e58576
Opcode Fuzzy Hash: f8da5574e984b3efadb52a435491ac2ba8488d2df7b8c71b3facc746e1c6a04b
Instruction Fuzzy Hash: 1AE0EC30D1A51D8EEB90FB18DC51BAEAAB1EF44344F5041B5D00DA32D1CF396D854B58

Function 00007FF848F3589B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F31000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f31000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f686bf5c718d1f63af4221a128636105a5d3468c35f64ddc5c33b35c9f537808
Instruction ID: ffcb92e29b69a5b8d527f95be2159a982d69920f7b59deebfd32e7ea76322465
Opcode Fuzzy Hash: f686bf5c718d1f63af4221a128636105a5d3468c35f64ddc5c33b35c9f537808
Instruction Fuzzy Hash: B2D0C971D19B19CFEB94EB18948D2A8B7E1FB98244F40002BE408C7285DF2154118B05

Non-executed Functions

Function 00007FF848F2FC47 Relevance: 5.0, Strings: 4, Instructions: 30COMMON

Download Yara Rule

Strings

N, xrefs: 00007FF848F2F6D3
O, xrefs: 00007FF848F2FC68
k, xrefs: 00007FF848F2FD44
{, xrefs: 00007FF848F2FC5B

Memory Dump Source

Source File: 0000001B.00000002.2165696336.00007FF848F2F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F2F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_27_2_7ff848f2f000_ctfmon.jbxd

Similarity

API ID:
String ID: N$O$k${
API String ID: 0-2452294744
Opcode ID: 2df8ab21f2853fe227f6e491321592ac119f163a44ed557027807c16a7d03621
Instruction ID: d31d793348cb4fcce054ba3bb391df1209df8767e1bca84ee635cb9a034c264d
Opcode Fuzzy Hash: 2df8ab21f2853fe227f6e491321592ac119f163a44ed557027807c16a7d03621
Instruction Fuzzy Hash: 9A01F670D1826A8FEB34AF10E8443E9B7B2FB54341F5002E9D80D962C5DB796A80CE48

Analysis Process: ctfmon.exePID: 6784, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F1CD09 Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF848F1CF39

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: d200cd3629b2a20dc0c9dcbe285cf148b90944bec1e5961150259a43c9c6697c
Instruction ID: 081ec6d8c7aa9124af658d986cd5bdc958eb867453e92d4d1eb288465825637c
Opcode Fuzzy Hash: d200cd3629b2a20dc0c9dcbe285cf148b90944bec1e5961150259a43c9c6697c
Instruction Fuzzy Hash: 5CA19E37A1D6669AE751776DB8051FE77A0EF813B5F040277D28DCA0C3EB1C684682B8

Function 00007FF848F13655 Relevance: 1.5, Strings: 1, Instructions: 275COMMON

Download Yara Rule

Strings

N_H, xrefs: 00007FF848F1386E

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID: N_H
API String ID: 0-343878021
Opcode ID: b5359a99190e91fb3403ac017817cc66f5a29bd7da3e78daac25ba2ad01d8263
Instruction ID: effc5c93d67e15d4c0940291b716a43db2fc4cc0790ee81f13a33d4b4d88cbfa
Opcode Fuzzy Hash: b5359a99190e91fb3403ac017817cc66f5a29bd7da3e78daac25ba2ad01d8263
Instruction Fuzzy Hash: B191BD71E1D94A8FEB84EB2CD8187ADBBE1FB9A350F50017AC009D76C6DF7828018B45

Function 00007FF848F1CD5D Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF848F1CF39
[wN, xrefs: 00007FF848F1CD5F

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID: _$[wN
API String ID: 0-3652764078
Opcode ID: 5a1169b08f7be1a860e6902ef68157fe2ba43c9073174e191ca05b7caf3236d3
Instruction ID: ff18ab0eff51fff48aaa2b19dc15c6a583dbe5b2c2b6ced4fa631091c48f2bbf
Opcode Fuzzy Hash: 5a1169b08f7be1a860e6902ef68157fe2ba43c9073174e191ca05b7caf3236d3
Instruction Fuzzy Hash: A081C137A2D5669AE75177ACB8051FE7760EF813B9F080277D28DCD0C3EB1C684582A8

Function 00007FF848F10CA6 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

xwH, xrefs: 00007FF848F10FC0

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID: xwH
API String ID: 0-1949557700
Opcode ID: 8846e74ae49fae8903326f8c85ea0f937c09c0beed8779d8526d6188ed6c4db4
Instruction ID: b40e98541917ac2484b382271750b6a4999e7a7c3cc0e47a90d952e17b8ac19f
Opcode Fuzzy Hash: 8846e74ae49fae8903326f8c85ea0f937c09c0beed8779d8526d6188ed6c4db4
Instruction Fuzzy Hash: 8361D171D0D96A8EE7A8FB2888597ADB3A1FF94350F0042B9C44DD71D2DF386C468B44

Function 00007FF848F1122D Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F1129D

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: 794f4c739acd0d06f0442add8c73e69c49abeafaeaf3ad998224a76187b2fac1
Instruction ID: d9113f894b62dc7ef792793e3b3f4367819e1889fe69086ca00b98a46dbcd596
Opcode Fuzzy Hash: 794f4c739acd0d06f0442add8c73e69c49abeafaeaf3ad998224a76187b2fac1
Instruction Fuzzy Hash: 2311C170D0D69A8FEB99FB68C4592B97BE0FF6A351F0015BED40AC60D2EF256884C710

Function 00007FF848F11240 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F1129D

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: 825bdfb3cdbbf30c7218bde631a4e679f1d8a192fefcb6b0c4b2b27b6d1d92aa
Instruction ID: bf8a1b1bbd190b4af346dd12ae7717e1178508be104907619dcba681ac3505df
Opcode Fuzzy Hash: 825bdfb3cdbbf30c7218bde631a4e679f1d8a192fefcb6b0c4b2b27b6d1d92aa
Instruction Fuzzy Hash: 78F0FF30D0D69B8EEB98AB6898083FA77E0FF96351F00157AD80DC20C2EF241894C220

Function 00007FF848F11748 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3ecace26d0b783c70126bcce11776eb15ffee8cc526e90e077973fa57247dc
Instruction ID: ae88195f39b493d5e3f478466ae1aa64252c93147ee083771000dd3129f9c16c
Opcode Fuzzy Hash: fb3ecace26d0b783c70126bcce11776eb15ffee8cc526e90e077973fa57247dc
Instruction Fuzzy Hash: D381CD31A1CA498FDB98EF1C98516A977E2FF99740F14417AE44DC32C6CF34AC428785

Function 00007FF848F12285 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610551cedd62538fdb7cf32841ca4e71846ef52d29d44f5ebc7979845222c7f4
Instruction ID: 3a3b45a6faa324d20b9223d889d620950ebfefc1399108d04f8bd63d36cb44d8
Opcode Fuzzy Hash: 610551cedd62538fdb7cf32841ca4e71846ef52d29d44f5ebc7979845222c7f4
Instruction Fuzzy Hash: 12816B30C0C62A8EEBA4EBA4C8957ADB7B0FF45340F1041BAD44D962D2DF792E85CB45

Function 00007FF848F11D3D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bbc274f8236573674732ea6bc4867b225d9b244388eaf4b297b6bbfac0abf5
Instruction ID: c388402c14feb53983ea3c09aea683e9d28d379b7d1ea49082a8083b3e7ba0f9
Opcode Fuzzy Hash: c4bbc274f8236573674732ea6bc4867b225d9b244388eaf4b297b6bbfac0abf5
Instruction Fuzzy Hash: 5851CE31A1CA8A4FDB48EF1888555BA77E2FB98744F14417ED44AC7282CF34EC42C785

Function 00007FF848F1B3E8 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c28e6a509cb14d36d648c00eb957cddb46b4c045f0d4735814500650b5c0bc
Instruction ID: 513acb19e3a83951226d18902f9615b5a203c94bab0a0dfdf5c84521eceb8475
Opcode Fuzzy Hash: 74c28e6a509cb14d36d648c00eb957cddb46b4c045f0d4735814500650b5c0bc
Instruction Fuzzy Hash: A751B172D1D986DFE341BB7898990F9BBE0FF11350F0C41BAC048860D3EE2958568359

Function 00007FF848F13235 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2d036d8ace4518f2ea7c14ee71c8bff60bd1d443ce796a845e62c9d53c614c
Instruction ID: 2345216dd67c36edcb8b47da28410e37547c4fdf4afaf9468bf2d0a8a881b552
Opcode Fuzzy Hash: 9d2d036d8ace4518f2ea7c14ee71c8bff60bd1d443ce796a845e62c9d53c614c
Instruction Fuzzy Hash: 96511370D0964E8EEB54EBA8C4986EDBBF1EF58351F10007AD04AE72D2DF386944CB58

Function 00007FF848F12155 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea365553a202f6307dc20c4f18c0d21e5522cfc319ae33e94f9ffd459345298
Instruction ID: 357426ddf1819ebb719f5cf71e8295c9c28e5b3afd87fbeb92560088db1e1c96
Opcode Fuzzy Hash: 3ea365553a202f6307dc20c4f18c0d21e5522cfc319ae33e94f9ffd459345298
Instruction Fuzzy Hash: D9411631E0D68A4FE785E7B8985A1B9BBE1EF96380F0445B6D40DC71E2DF38AC418365

Function 00007FF848F1B418 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d1750f12f231bee2adf5469b0732142b1fdf03fa37e66fd9ae5ed6b7cd9a0aa
Instruction ID: 0515f93c2bdc55cede8671c04b818c536b65e8a9d1b73b17786cde28268053ee
Opcode Fuzzy Hash: 5d1750f12f231bee2adf5469b0732142b1fdf03fa37e66fd9ae5ed6b7cd9a0aa
Instruction Fuzzy Hash: D941B672D2D986DFE355AF7858590F9BBE0FF22790F0C40BAC048860D3EF1959268349

Function 00007FF848F1C7C2 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761110d82e7fcc56e3e9615e895a5e4a4036f93fd4dc41f19b1c5aa513e292bc
Instruction ID: 7d1766dba2dc061311b28d3af97f8f7fac5f51d181ae2ad5ba1f93e6029fde86
Opcode Fuzzy Hash: 761110d82e7fcc56e3e9615e895a5e4a4036f93fd4dc41f19b1c5aa513e292bc
Instruction Fuzzy Hash: 3E31A271E1C91D9EEB94EB989895AACBBF1FF98350F50112AD00DE3286DF286C419B44

Function 00007FF848F1C83A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46cc8d4fba98d803812ea69ba55cea2ec68399ec692d0e24640c59b1db757ea5
Instruction ID: 0cd5cd65391e428430a4ce410d690533743349e3d9c62f3f73aae2dea3adbcbb
Opcode Fuzzy Hash: 46cc8d4fba98d803812ea69ba55cea2ec68399ec692d0e24640c59b1db757ea5
Instruction Fuzzy Hash: 8B21A670E1C91D8FEB94FBA89895AACBBF1FF59350F50112AD00DE7286DF246C419B44

Function 00007FF848F1B73F Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c46a513c7dad33ac51554eb3e39a31333f1226e3981784298e235dc986373ed
Instruction ID: fdd5df3b6a06e1fa1d13aef7eadb711f82e8956bc7ef14f1f768eab0b6427a0a
Opcode Fuzzy Hash: 3c46a513c7dad33ac51554eb3e39a31333f1226e3981784298e235dc986373ed
Instruction Fuzzy Hash: DA313571D1865ACFEB58EBA8D8546ECB7F0FF58751F0402BAD009E32D1DB3819848B18

Function 00007FF848F1B0F2 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fed9344511e166149f6875dbc187ccc32089557ba6ee70c0346ec825f0304e
Instruction ID: 918ce4bcd97ef48590c2a98f3f1493b2157017b11e1280ed5c316f766d0643c0
Opcode Fuzzy Hash: 84fed9344511e166149f6875dbc187ccc32089557ba6ee70c0346ec825f0304e
Instruction Fuzzy Hash: 4C21D031A0A91A8ED744FBA8E8192FEB7A0FF14355F00057BD00DCA0E2DB29A9448798

Function 00007FF848F13440 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740033f28470a68d0f35caf9ed4b1cd518f8cafc28fa0ee51b2bf7e10c645fd6
Instruction ID: b8d11692c6c6452a952920cecb699eacef7fb499695af9de20fcca49b1615197
Opcode Fuzzy Hash: 740033f28470a68d0f35caf9ed4b1cd518f8cafc28fa0ee51b2bf7e10c645fd6
Instruction Fuzzy Hash: D3218E3084D78A9FD743AB7488586A97FF0EF0A350F0904E6D485C70A2DB2C9858C721

Function 00007FF848F10A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e56f321fa7dfc1a5a6f876f9cdcd5c10993e4718c9b7e70cd89d71cb9798a077
Instruction ID: fdf8aa3817340ef4f31d34f2729a53bf5d77b9681ff8b1c0a7ace31f85cc6f23
Opcode Fuzzy Hash: e56f321fa7dfc1a5a6f876f9cdcd5c10993e4718c9b7e70cd89d71cb9798a077
Instruction Fuzzy Hash: 3D116A31D0C55E9EE780FB68D8492BE7BE1FF98380F4405B6D809C6196EF38A9448740

Function 00007FF848F135D1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2ff2b87485634e0fffcd333283c1ba716d5095e9746171976450e17293ab42
Instruction ID: 82a6d6b604b3133470bf8e7346307ba27a3939bd23771138564693d8690c5d5f
Opcode Fuzzy Hash: 2f2ff2b87485634e0fffcd333283c1ba716d5095e9746171976450e17293ab42
Instruction Fuzzy Hash: E2115B7091D64E8FEB98EF68C4596BABBA0FF18341F4404BAD419C72D1EB39A9448B04

Function 00007FF848F1C699 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44b20dbb4e9ed62eb1bfee716764634a4fd747cc1c5fdbe1bd60de48bffb1c7
Instruction ID: 82dc863712f4b883f7c576df62b6356a005afa56b340fb469d4cae36e5040596
Opcode Fuzzy Hash: a44b20dbb4e9ed62eb1bfee716764634a4fd747cc1c5fdbe1bd60de48bffb1c7
Instruction Fuzzy Hash: 5411703080D68D8FEB49FF2488686B97BA0FF19341F0504BAD41DD71D2EB75A954C711

Function 00007FF848F1C225 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6642c1cd742d0ff6c34a57edf38ca220426c49bac49740b808d5026f1dcf85a7
Instruction ID: c34dc7275c7641407296795adb7d158a143aa09d9f7fabdce6730312b42bab08
Opcode Fuzzy Hash: 6642c1cd742d0ff6c34a57edf38ca220426c49bac49740b808d5026f1dcf85a7
Instruction Fuzzy Hash: 3B115E7090D68E8FEB85FB64C8596BD7BE0FF19301F4404BAD419C6191EB75A950C714

Function 00007FF848F1B7AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716f51d1b14c8d532b1ba3e7df48bb5ed269a34a602e513618c016b0469d9745
Instruction ID: 6f433e628a9ec3aa0a5bad442abca68112f1bd28dd051e753c309aa542a006f1
Opcode Fuzzy Hash: 716f51d1b14c8d532b1ba3e7df48bb5ed269a34a602e513618c016b0469d9745
Instruction Fuzzy Hash: 31115BB1C2C55ACEDB58EB64C4557ECBAF0FF18750F1401BAD009A22C2DB385D848B18

Function 00007FF848F105D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21ccbeb823a18f98a25a51a6239d7a6bc863ed23a7ef119865ac61487983b83
Instruction ID: d69d73ae4ed697b9f66070e9487a9aea678b01f157099fcbf72ac3fac4f6aaab
Opcode Fuzzy Hash: b21ccbeb823a18f98a25a51a6239d7a6bc863ed23a7ef119865ac61487983b83
Instruction Fuzzy Hash: 2C014C3090854E8FEB48EF24C4596BA77A1FF58345F60547AD40EC25D2DB35A991CB44

Function 00007FF848F12F41 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75cdce26e9d5544c511d61713c8877713d2197fa7a46c91fa120fbb2f49e79cd
Instruction ID: b258eb19c5d85590769e3fe759cb08ad412c1c2f6d0b12c4af04dcd4754c7ba6
Opcode Fuzzy Hash: 75cdce26e9d5544c511d61713c8877713d2197fa7a46c91fa120fbb2f49e79cd
Instruction Fuzzy Hash: 1E01F230E2C68E8FE751FBA4845D2A9BBE0FF19340F0505B6D408C70DAEB34E8408700

Function 00007FF848F1B2D8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ae56613d4a8b227aab017d892eb381fa0168ccdd64a4db9004ceb71a303d1c
Instruction ID: a0bb1110cae7e3c2b2b62c1e550d5ee55e2352d3208786ea21886394cf0ffbd2
Opcode Fuzzy Hash: e4ae56613d4a8b227aab017d892eb381fa0168ccdd64a4db9004ceb71a303d1c
Instruction Fuzzy Hash: 9A015A30918A0E9EEB84FFA4D4582BEB6E1FF28341F10047AD41ED2591DF36A9A0C748

Function 00007FF848F1291D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39cba1b59ec52e306deba8fe373f881033c5a5d0af3c72ad02b37407921b1a2
Instruction ID: d7a02e25b8bb43600f43d760878bc445cdacb679e7bb3e3146e4b1c7cc1cbda7
Opcode Fuzzy Hash: b39cba1b59ec52e306deba8fe373f881033c5a5d0af3c72ad02b37407921b1a2
Instruction Fuzzy Hash: 6A017C31D1D64E9FE751FBA888496B97BE0FF59341F8505B6D408C60A2EB34E944C705

Function 00007FF848F12449 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb1829a2a859bfc97f90603cc9db84e273f915d9c1c860acd02acd41175d7ed
Instruction ID: 674125979532466f090e4eff9ac1ac9a2ef39f486726ecd63a86f4348c86fa35
Opcode Fuzzy Hash: ceb1829a2a859bfc97f90603cc9db84e273f915d9c1c860acd02acd41175d7ed
Instruction Fuzzy Hash: EA11E570D08229CEEB68EF54C885BEDB2B0EF51340F1001BAD44DA62D2DB786E88CF44

Function 00007FF848F11CBD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e876bdbd2357e8263a6acbf21214d4dd9459de8ca492b11a5f30bb34167236
Instruction ID: 5b16492ce7f51982425ae9a1e5a932531b38fb03509b56faebe2d09b33ca9543
Opcode Fuzzy Hash: 76e876bdbd2357e8263a6acbf21214d4dd9459de8ca492b11a5f30bb34167236
Instruction Fuzzy Hash: 5D01AF3080D68E8FEB99EF2488592FA7BE0FF65341F5014BAE809C25D2DB35D891C784

Function 00007FF848F12FB9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2263066d88f057fe8688a106a4eccbbbd5a82e2ed6d925e9a0c48ebb67620a8b
Instruction ID: 2fdd85f9c5aed13242cb5395ab45138dccb1305426be514eb4eff46793500ff0
Opcode Fuzzy Hash: 2263066d88f057fe8688a106a4eccbbbd5a82e2ed6d925e9a0c48ebb67620a8b
Instruction Fuzzy Hash: 9501DF3091D6894FE742FBB888995A97FE0EF0A340F0508F3D408C70E6EF38A8448300

Function 00007FF848F10608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc5925ac749f2a054022722584c8f8894febbd4adeb7578ccd382623e13056a
Instruction ID: d639a68b7dc9c7eb9169f7cfb9cb6d2819437ecf080429b6b8f6cb679c51e41b
Opcode Fuzzy Hash: abc5925ac749f2a054022722584c8f8894febbd4adeb7578ccd382623e13056a
Instruction Fuzzy Hash: D4018C30858A4E9EEB49FFA4C0582B977A0FF18355F20087EE40EC21D1DF35A950CB14

Function 00007FF848F10610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac365a4aa6068d54896f84155b7d7ad148b2eceb152f5e4284da35112bccd48
Instruction ID: 9e8ca99e3a8a5b45900187e353c701f2312a1386b0f67384ceb6af646267826d
Opcode Fuzzy Hash: eac365a4aa6068d54896f84155b7d7ad148b2eceb152f5e4284da35112bccd48
Instruction Fuzzy Hash: 2D01693091960E9EEB48FBA484592B9B7A0FF18345F6008BEE40EC21D1DF39A990D714

Function 00007FF848F1B04A Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 429f879a4758162e75a65a6fcd5f03fa96b08ccc2d9f9172ba2f42268d5bacec
Instruction ID: f2494cc17b02c8cbb5ca72780a5b117cdc48bb0203769fbf4d3cdcb01e989d80
Opcode Fuzzy Hash: 429f879a4758162e75a65a6fcd5f03fa96b08ccc2d9f9172ba2f42268d5bacec
Instruction Fuzzy Hash: 61F04930D2C60E9EE751FB78944D6B9BAE0EF18741F0808B6E41DD20A2EF74A9888604

Function 00007FF848F105D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63b5cf8c8e7951606bcb9b235ae63067aed789dfbb059a6829bdc3f6c0e2157
Instruction ID: 2892ff7941174ecc42752546ab9edde89e45732ba278aae5bdfd550bc5646afc
Opcode Fuzzy Hash: e63b5cf8c8e7951606bcb9b235ae63067aed789dfbb059a6829bdc3f6c0e2157
Instruction Fuzzy Hash: 2DF0623091D64E8FEB48EF2894552FA77A4EF15344F50147AE80DC25C2DB35A9A0C788

Function 00007FF848F12839 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbeb0f5cbd96d9ab92072bd718807010e66d690d1462fd14de0dbb86fc27a679
Instruction ID: 4ec3114958aa7114d81754d156bcafc10c5b4362166811db36606ea84caf0ba5
Opcode Fuzzy Hash: cbeb0f5cbd96d9ab92072bd718807010e66d690d1462fd14de0dbb86fc27a679
Instruction Fuzzy Hash: A1F0AF3080E7C98FDB5AAF6488182B93FA0EF56311F4504BBD408C60E2DB389814C301

Function 00007FF848F128AD Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be117f221c05f57373a3bba7e60a4c52a047e8fc0db872b7a26028decf41b955
Instruction ID: ea8edfebbd8f7df9e0b12462548e1a4d006d26af8a754098402ff809e7f00859
Opcode Fuzzy Hash: be117f221c05f57373a3bba7e60a4c52a047e8fc0db872b7a26028decf41b955
Instruction Fuzzy Hash: F2F0943180E68E8FEB59EFA488592B93BA0FF15311F5014BAE809C21D2EB39A850D701

Function 00007FF848F1B0A5 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1d026ffefd58aa79c132db10821f6d306588c485ed90407cb78a310905076e
Instruction ID: 54a6d308c72f8a3bf6a6bbbe64f84306b37a758e6d081687366d8b0eb7e5b8ac
Opcode Fuzzy Hash: 7a1d026ffefd58aa79c132db10821f6d306588c485ed90407cb78a310905076e
Instruction Fuzzy Hash: 11F0823191E3868FD312DB6498A11F93B709F52795F0A45F7C089CA0E3EB2D98488355

Function 00007FF848F1BE37 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9a074d1e0899ac76c209287c0e352753946201fd809f71d31863f13716fe02
Instruction ID: 6d7394b30d3c1833580e5d5c7239a8d6a5066812cf212aaf1157ac585d28fe33
Opcode Fuzzy Hash: ce9a074d1e0899ac76c209287c0e352753946201fd809f71d31863f13716fe02
Instruction Fuzzy Hash: A1F0C470C1855A8EEBA0FBA8C8453ACB6B0FF48341F4041F6900DE26A2DF742EC08F08

Function 00007FF848F1B0B8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b9f6059f8410eec9c2fc5dbb6dcaae33509d34e3dfbc460bf12d5d80b168e1
Instruction ID: 4e69d1a3df0d0738a8503a081405f6cb83c22d6c9afc14ea456885db51643d50
Opcode Fuzzy Hash: 41b9f6059f8410eec9c2fc5dbb6dcaae33509d34e3dfbc460bf12d5d80b168e1
Instruction Fuzzy Hash: D4E0D83182D107DEE310F768A4E00FA3390DF40398F180637D04C450D3EF5C9844019C

Function 00007FF848F10FD5 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2168163211.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_7ff848f10000_ctfmon.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c04c457eaf7ba7708cbc648dcb56d37bc8c7d0cfdd46f8daffde45cefaf9a26
Instruction ID: 2a26121fa7aaba67627a33da44f58fa41431ece763db6906199d6e7545b58dba
Opcode Fuzzy Hash: 0c04c457eaf7ba7708cbc648dcb56d37bc8c7d0cfdd46f8daffde45cefaf9a26
Instruction Fuzzy Hash: 0ED09E30D094299FEB50F704CC50BAE6A71AF84344F104164D00DA3685CF396E458F58

Analysis Process: lcSuFJtLNWPBXChyfo.exePID: 3348, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F33655 Relevance: 1.5, Strings: 1, Instructions: 275COMMON

Download Yara Rule

Strings

L_H, xrefs: 00007FF848F3386E

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID: L_H
API String ID: 0-402390507
Opcode ID: 324bd0a676bfe28be23b144d5cd006da0972fc1426430297bd3103213efb671a
Instruction ID: 16994264723fb804e5963c23be2d7542e5e26d36c310ad08310ce036b4792075
Opcode Fuzzy Hash: 324bd0a676bfe28be23b144d5cd006da0972fc1426430297bd3103213efb671a
Instruction Fuzzy Hash: 9591BE71E1D94A8FEB84EB6CE8157ADBFE1FF89350F5001BAC009D72C6DB6828058B55

Function 00007FF848F3122D Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F3129D

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: 15b4c512bbcb11e38c9b6162d377fe35cb7d375ba1acf1beefffd01511fbdc9e
Instruction ID: 95acea6e0aa38ee3c19c3e96c837bff7fb49555f5b1cfb127d6648a4d8617240
Opcode Fuzzy Hash: 15b4c512bbcb11e38c9b6162d377fe35cb7d375ba1acf1beefffd01511fbdc9e
Instruction Fuzzy Hash: 04118F70D0D64E8FEB59EB68C4592B97BE0FF6A351F0005BBE40AD61D2EF29A584C710

Function 00007FF848F31240 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F3129D

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: 758558c1c84958d61b4e839df4065cf0af6ace08545ead50f0cec29cf5c0fb64
Instruction ID: d3cf586ee7232f5038e35c41edee613674ca39a7859611cdfad747b651495214
Opcode Fuzzy Hash: 758558c1c84958d61b4e839df4065cf0af6ace08545ead50f0cec29cf5c0fb64
Instruction Fuzzy Hash: 6AF0FF30D0D64F8EEB98AB6898083FA77E0FF56251F00027BE809D20D0EF2451908210

Function 00007FF848F3B1F5 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 026705056c82166ba44c28614a6cb133b3b6efbcddb208231b55ffec0575a298
Instruction ID: 68663234de65f0c10ccf33d5c04af28e2e2c623e33c9cf7631fa0f49095be780
Opcode Fuzzy Hash: 026705056c82166ba44c28614a6cb133b3b6efbcddb208231b55ffec0575a298
Instruction Fuzzy Hash: D3D12730D1D65ACFDBA8EB68C4546BDB7B1FF69741F1000BAD40EA3292CB396881CB55

Function 00007FF848F31748 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2d98fef70d92e53c307aa7bc65e3c16f336bc36bbf821d54044782c64795d9
Instruction ID: 37d85b791af2bdb57f7d54992a7fcac0dc546d212739cc68ae0866dd118f42e2
Opcode Fuzzy Hash: da2d98fef70d92e53c307aa7bc65e3c16f336bc36bbf821d54044782c64795d9
Instruction Fuzzy Hash: 0E81AC31A0CA498FDB58EF2C98556A977E2FF99744F14417AE44DC32C6CF34AC428785

Function 00007FF848F32285 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a31b7a9a737ca552ff76af349eb1f5a094c244111c38d06dadf3cb338b297c
Instruction ID: d865f88452f6be6e895676e87f6b3f24dd12c7aefb26773d989805a67dd40b0c
Opcode Fuzzy Hash: 84a31b7a9a737ca552ff76af349eb1f5a094c244111c38d06dadf3cb338b297c
Instruction Fuzzy Hash: 41815A30C0C61A8FEBA4EB64C8557A9B7B0FF45341F1041BBC44E962D2DF786A85CB55

Function 00007FF848F31D3D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c7c9dd09e873251d25150c02a8f6945ed4a54fac31f60d4a14467916e11eae
Instruction ID: 9faf96065ce6683a5b1430ef2b53fd7e86051201d11a67afb4262ad6540a9093
Opcode Fuzzy Hash: 77c7c9dd09e873251d25150c02a8f6945ed4a54fac31f60d4a14467916e11eae
Instruction Fuzzy Hash: 9E51E131A0CA894FDB48EF1888555BA77E2FF99344F14427EE44AC7282CF34E842C785

Function 00007FF848F3B3D0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b5a090549b279d70dde17ce14620aa561e7d42033336303a3f4648cc8bb6ee
Instruction ID: df9a1e928f6f67cea6eaca3c3909d794a5525c6796b829ee607c1414f2c5ea58
Opcode Fuzzy Hash: 44b5a090549b279d70dde17ce14620aa561e7d42033336303a3f4648cc8bb6ee
Instruction Fuzzy Hash: C351D672D2D9869FE341BB7894690F97BE0FF12364F0841B7C088870D3EF2954568359

Function 00007FF848F33235 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc332ab89bdcd87c3b636a99df6c0474f9794e71a9a4ae8f1aa7ff0a1862adcb
Instruction ID: 1b3938a0d5f231e48f450a9d3436629ffeefb98e5f96310e6ef09ffb3156dbb0
Opcode Fuzzy Hash: cc332ab89bdcd87c3b636a99df6c0474f9794e71a9a4ae8f1aa7ff0a1862adcb
Instruction Fuzzy Hash: 63510370D0961E8FEB54EBA8D4986EDBBB1EF58351F10407AD009E72D2DF38A944CB54

Function 00007FF848F32155 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d80a19f03a11acbd045ee46628543da242e0ff9bcbb2df1c7d922731cd5217d2
Instruction ID: 9cc333401690dd909ede8ef36726d7a5ca058e65cb055d8644305cd7fe5ec8a8
Opcode Fuzzy Hash: d80a19f03a11acbd045ee46628543da242e0ff9bcbb2df1c7d922731cd5217d2
Instruction Fuzzy Hash: D6412331E0D68A4FE746FB7898591B8BBE1EF86781F0444BBD40DC71E2DF28A8418365

Function 00007FF848F3B73F Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8030a00e921777733622eb246278f0ba2767d6cdcd9378c5605d2abd7e2ee09
Instruction ID: 4d4bf677f621c2684d272961b901676df84f8fd7384589b2cd2fe38f375237d9
Opcode Fuzzy Hash: c8030a00e921777733622eb246278f0ba2767d6cdcd9378c5605d2abd7e2ee09
Instruction Fuzzy Hash: 6B313871D1865A8FDB58EFA8D8646ECB7F0FF58351F1002BBD009A32D1DB7819448B18

Function 00007FF848F3B0F2 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dbb8d64b3ff3ed6a18e65ea7a5846b64dea4f6b90f4672b3454872f81850f8f
Instruction ID: 80cf290889b7e7d1592432ec4d8b0db9e4d65a9c07856d27ccd5bf4bf5ba51d7
Opcode Fuzzy Hash: 6dbb8d64b3ff3ed6a18e65ea7a5846b64dea4f6b90f4672b3454872f81850f8f
Instruction Fuzzy Hash: E2210031A0A51E8ED744FBA8E8192FE77A0FF15345F00057BD00DCA0D2DF29A9088798

Function 00007FF848F3330A Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5fe1a1aee2b21fd6268c98f7bc0852d7c55ef8e7bdcfd2f25156a58e6b7369
Instruction ID: 1dd2e952d7eb1ce3907b66ea2e6f996350b914d752c38a2e42b31ea21fcdd452
Opcode Fuzzy Hash: cc5fe1a1aee2b21fd6268c98f7bc0852d7c55ef8e7bdcfd2f25156a58e6b7369
Instruction Fuzzy Hash: CF21CE71D0851D8FEB94EBA8D494AECBBB1FF58341F10407AE009E72D2CB386885CB54

Function 00007FF848F33440 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a641888487fbe3c0421871d8e558f6b7ad22dfc7db7858a5f7953b4e11c078d
Instruction ID: 93045754a99c3c3fb5cf9e68ebe2f081d8bcbd7dce3594fdfe5eecf76be892e1
Opcode Fuzzy Hash: 9a641888487fbe3c0421871d8e558f6b7ad22dfc7db7858a5f7953b4e11c078d
Instruction Fuzzy Hash: FD216D3084D78A9FD743EB7488586A97FF4EF0A350F0904FBD489C70A2DB68A499C721

Function 00007FF848F30A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7498f383b60b05f69c096ccffbd6b20363d6df83acdc615b6bc0966c1e7ea6
Instruction ID: e1cfa442ef8fb308cc27e11b5dc802948d58ccc2baee5abff4f2072a97bcbc5d
Opcode Fuzzy Hash: 6b7498f383b60b05f69c096ccffbd6b20363d6df83acdc615b6bc0966c1e7ea6
Instruction Fuzzy Hash: B3116A31D0954E9FEB80FB68D8492BD7BE0FF98391F4405B7D809C6192EF38A5448740

Function 00007FF848F335D1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509f0fc14436ebcbe064a7dc1cd1ee61c61307d33e0bb7af10b6e52e47a86897
Instruction ID: afc29e4dc28c8287f66a9912f14859ea8a36af4e41ef4ded28aff44747e4c4d8
Opcode Fuzzy Hash: 509f0fc14436ebcbe064a7dc1cd1ee61c61307d33e0bb7af10b6e52e47a86897
Instruction Fuzzy Hash: 77113970D1D64E8FEB98EF6894596BABBA0FF18341F4405BBD419C72D1EB35A5408B04

Function 00007FF848F3B7AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d67872291e47d2410ae3a341960590d71cbe657cda77c7d9678eb75871f8a4e
Instruction ID: 2cfb72cc689c8c3c80e9187d1ff0c23275774d1358be49bd0e8dff7226f99fc4
Opcode Fuzzy Hash: 6d67872291e47d2410ae3a341960590d71cbe657cda77c7d9678eb75871f8a4e
Instruction Fuzzy Hash: D3112B71D1D65A8EDB59EB68D4657EDBBF0FF18340F1401BBD00DA22C2DB3859848B18

Function 00007FF848F305D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f187b923c6c012351828e5523e4349757f5f29b7376105a9fbd46053ac829f
Instruction ID: a83444d68cb4f1fc7725fe99f7b56ef282bcc27e9346944f718df7496fc4a692
Opcode Fuzzy Hash: c7f187b923c6c012351828e5523e4349757f5f29b7376105a9fbd46053ac829f
Instruction Fuzzy Hash: 5F014C3090854E8FEB88EF24C4596BAB7A1FF59385F60447AE40EC21D1CF35A591CB44

Function 00007FF848F32F41 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb927fa9aec80f53ac2f1a58251ca411d3c3a84755fd9f5af3274871f7c2e8e
Instruction ID: 3dfb05423f83976e47468f4c0601f378af386534e073da782156fe35ddd0cc45
Opcode Fuzzy Hash: 3bb927fa9aec80f53ac2f1a58251ca411d3c3a84755fd9f5af3274871f7c2e8e
Instruction Fuzzy Hash: 9D018F31A1D68A8FE751FB74845D1A9BBE0FF59342F0545B7D808C60D6EB34E1508705

Function 00007FF848F3B2D8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ec667751558ad98148b025702ef7d60456c62911ce95bcaac8592d59380d26
Instruction ID: 5f12c47be8650a262ee828e69ca7178ab462dd028e388368717f918810c0730c
Opcode Fuzzy Hash: 74ec667751558ad98148b025702ef7d60456c62911ce95bcaac8592d59380d26
Instruction Fuzzy Hash: D9011A30918A1E9EEB84FB64C4586BEB6E0FF28745F50057BD41EE2591DF35A590C704

Function 00007FF848F3291D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5835620902997a1c6a62864b777e4507e8a9d64f441435c84d01f0120fae14
Instruction ID: 02ea37cc9646bfd794d84f5037d30525d55b94204e792f02c9f78b36858e4ba4
Opcode Fuzzy Hash: 6e5835620902997a1c6a62864b777e4507e8a9d64f441435c84d01f0120fae14
Instruction Fuzzy Hash: D6017831D1E64E9FE792FB6888486B97BE0FF59342F5505B7D408C60A2EB38E584C704

Function 00007FF848F32449 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb1829a2a859bfc97f90603cc9db84e273f915d9c1c860acd02acd41175d7ed
Instruction ID: 1ee8c893534fc6cb08f594f281204a4a8b388ac75069b1a096bc4cbb80d49d0b
Opcode Fuzzy Hash: ceb1829a2a859bfc97f90603cc9db84e273f915d9c1c860acd02acd41175d7ed
Instruction Fuzzy Hash: 1611E270D08629CEEB68EF54C845BEDB2B0AF51341F1001BBD44EA62D2DB786A98CF44

Function 00007FF848F31CBD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e741808aad12c10b0cd641ce8e653dd7e92c82249dc258951a7fc5e2e22248d
Instruction ID: 73281a8a8fb43e5fe32362b43a71f0f2cf643ba5a8eeae726a8cc998b6a79393
Opcode Fuzzy Hash: 1e741808aad12c10b0cd641ce8e653dd7e92c82249dc258951a7fc5e2e22248d
Instruction Fuzzy Hash: 07018C3080D68E8FEB99EF2488592FA7BA1EF55341F5404BAE809C21D2DB399891C784

Function 00007FF848F32FB9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742660c094359b6b52eb0dfba6d58eb4b0554791598eaf0fce9045202fcaa291
Instruction ID: 58a82b63061221977a1ea28361d774a3324b0cd267900b1fd4923dbefb94a874
Opcode Fuzzy Hash: 742660c094359b6b52eb0dfba6d58eb4b0554791598eaf0fce9045202fcaa291
Instruction Fuzzy Hash: 25018F3090D6895FE752FB7888995A97FE0EF59341F0508F3D409C70E6EF38A4448711

Function 00007FF848F30608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00737e83161bfbacb4d4fe31cfa45fc30c9b3140fcc3a68a84923cc26eac8444
Instruction ID: bc4a71d049376d2fc9ef119b4915db7fd6e423801752e306452555c9429279d5
Opcode Fuzzy Hash: 00737e83161bfbacb4d4fe31cfa45fc30c9b3140fcc3a68a84923cc26eac8444
Instruction Fuzzy Hash: E9016930859A0E9EEB49FFA480582BD77A0FF18346F20087FE40EC21D1DF35A150C604

Function 00007FF848F30610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9cd449ec85744b7b86454a84c99748a76ee5eca2a918cbb784d5b0237d1f1dd
Instruction ID: 5a852ba3245552c4f25c1100f3a5b40a787e730730d05bbee9ab261e34531e06
Opcode Fuzzy Hash: a9cd449ec85744b7b86454a84c99748a76ee5eca2a918cbb784d5b0237d1f1dd
Instruction Fuzzy Hash: 6601193091960E9EEB59FBA484596B9B7A0FF18346F6048BFE40EC21D1DF39A590C714

Function 00007FF848F3B04A Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0b4b579b2da2e87ea594d9a14ac7cfcc666e06c9cd3e3315566d1172c0b5e9
Instruction ID: 2549aec7723b1b361d492ed3324f715b0d82078b1073ac0467aeeaaba5725352
Opcode Fuzzy Hash: 1c0b4b579b2da2e87ea594d9a14ac7cfcc666e06c9cd3e3315566d1172c0b5e9
Instruction Fuzzy Hash: D6F0497092C60E9EE751FB7894996B9BAE0EF18341F0448B3E419D20A2EF74A1888604

Function 00007FF848F305D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e49485cf8e6466e1e70d8af557b3c75573d2ff488c74ea4297cc99f51f438f90
Instruction ID: 0b156ff4aa42bf9dd4727050f6b0f88b544bca9ef6fd87782ec38d9d3a924edd
Opcode Fuzzy Hash: e49485cf8e6466e1e70d8af557b3c75573d2ff488c74ea4297cc99f51f438f90
Instruction Fuzzy Hash: 70F0493091D68E8FEB84EF2894552FA77A4EF15388F50047AF80DC21C1DB39A5A0CB88

Function 00007FF848F32839 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59075e258718c8c708dd5bf8d9a8a6a210903c0baf9fcd3dbda61866a896de63
Instruction ID: 0055939585a23163f8264601680158242f760af037537eaba84ac7147d6134fe
Opcode Fuzzy Hash: 59075e258718c8c708dd5bf8d9a8a6a210903c0baf9fcd3dbda61866a896de63
Instruction Fuzzy Hash: E9F0C23080E7C98FDB5AAF2488182B93FA0EF16302F0504BBD448C60E2DB389414C301

Function 00007FF848F328AD Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d8634d87322b50cd5a73f71bfcc1128ada372b498cf55b817e3d9f2d9c6cf7c
Instruction ID: e5796d68f31c6b7b5431bd1a847ae98f997beea3bff003150812f361c0a75889
Opcode Fuzzy Hash: 9d8634d87322b50cd5a73f71bfcc1128ada372b498cf55b817e3d9f2d9c6cf7c
Instruction Fuzzy Hash: BBF09A3180E78E8FEB59AF6488592B93BA0FF15302F5014BBE809C21D2EB38A450C700

Function 00007FF848F3B0A5 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286452f886519615ceb00a560c436088299d3214fb8bd5b59673cdd765678ca8
Instruction ID: cd894d3fc387cbf8f37050dd3f812fe18ed819b177ec441b53ae9c0f339ae1c4
Opcode Fuzzy Hash: 286452f886519615ceb00a560c436088299d3214fb8bd5b59673cdd765678ca8
Instruction Fuzzy Hash: D4F0827191E3868FD312AB64A9B11F93B709F42295F1A45F7C049CA0F3EB2C58488755

Function 00007FF848F3B0B8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cbee8253b108c79919c92262f500dcc6529648cfcae3d6fbdc2e3fd38963637
Instruction ID: 412c0b444e0f3636b81e48b743ebc3e623f2c9c1b1d666972fe8de542fa704a0
Opcode Fuzzy Hash: 8cbee8253b108c79919c92262f500dcc6529648cfcae3d6fbdc2e3fd38963637
Instruction Fuzzy Hash: 76E0DF3292E2079EE310FB68B4F11FE33A0DF40298F144A37C04C890E3EF6CA0880188

Function 00007FF848F30FC9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.2166098557.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_7ff848f30000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 868043598aad4c544912057ea320872b140de967eb3b3748a7fd39c9206af099
Instruction ID: e34992ad794fe2342093f96ebdc9e01b58465aa741151b0df42e804eaa1af356
Opcode Fuzzy Hash: 868043598aad4c544912057ea320872b140de967eb3b3748a7fd39c9206af099
Instruction Fuzzy Hash: 06E0EC30D1A5194FEB90FB14CC40BAEAAB1FF44344F5041B6D40DA32C1CF386D854B58

Analysis Process: lcSuFJtLNWPBXChyfo.exePID: 764, Parent PID: 1068COMMON

Executed Functions

Function 00007FF848F23655 Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

M_H, xrefs: 00007FF848F2386E

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID: M_H
API String ID: 0-372873180
Opcode ID: c55f5d940e902450d5ad451d154082a68463bcdd4343353274c02271d2eba10c
Instruction ID: d5175ff905dfe4ce1b5ecd5badbebabf448ed0b6e172efc6ca128268f2824d1c
Opcode Fuzzy Hash: c55f5d940e902450d5ad451d154082a68463bcdd4343353274c02271d2eba10c
Instruction Fuzzy Hash: F891ADB1D1D94E8FEB84EB2CE8187A9BFE1FF99350F5401BAC009D72D6DB6918058B05

Function 00007FF848F2122D Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F2129D

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: 1592041d27419281674b47473bd7236741ca6c3bab96d4b6bb79dd974747e6da
Instruction ID: df0e6b61140f6015e1c4253b8882ea2726eb36918d8958fcbe573ba3125d6449
Opcode Fuzzy Hash: 1592041d27419281674b47473bd7236741ca6c3bab96d4b6bb79dd974747e6da
Instruction Fuzzy Hash: 0E11B270D0D64A8FEB59EBA894592B97BE0FF59351F0001BAE409C60D1EF266484C714

Function 00007FF848F21240 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

PyH, xrefs: 00007FF848F2129D

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID: PyH
API String ID: 0-553442046
Opcode ID: 369bc3f4ba6055f42d87a26d67f1447a5788a501d8bc9af4729cbe0395e786c9
Instruction ID: 2d620bf0c82ad26064b15cf490c5b1e1bace7c78caf7c9f06d4c65fee9bb8194
Opcode Fuzzy Hash: 369bc3f4ba6055f42d87a26d67f1447a5788a501d8bc9af4729cbe0395e786c9
Instruction Fuzzy Hash: 3FF0FF70D0D65B8EEB98ABA8A8183FA77E4FF56351F00017AE809C20C0EF2421948268

Function 00007FF848F21748 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09cd60e9723253e26b9fe33b13b8328af2a29282779a27f5446243a8138b1ea
Instruction ID: e9035efbc0e1769844ce0b4ebf5a2d75c00d77d0181b2a8ace3b753b25df813d
Opcode Fuzzy Hash: f09cd60e9723253e26b9fe33b13b8328af2a29282779a27f5446243a8138b1ea
Instruction Fuzzy Hash: C181ED31A0CA498FDB58EF5CA8516B977E2FF98340F14017AD45DC32C6CF35A8428789

Function 00007FF848F205B8 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b01ba4f7ce51e3d08254f215405cfbdb1469eb1a00b43ecb838930fbf532a34
Instruction ID: 29effab0e0073fa8cde228a6fcc83e187b4ece1d3aaec3c19cc36229ffca7aef
Opcode Fuzzy Hash: 3b01ba4f7ce51e3d08254f215405cfbdb1469eb1a00b43ecb838930fbf532a34
Instruction Fuzzy Hash: 9251F123D0F5D65EE252B37878551F67FA0EF922A4F0842B7D488CA0D3DE1D644A8399

Function 00007FF848F21D3D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4384dc1affd54a89669b917a3d762898a433c80d1e26092a5e3d2d48a517a8f2
Instruction ID: bee04baa91c9612344252f0390342faea53ade4a456d6abe8077a6ccf44c8a83
Opcode Fuzzy Hash: 4384dc1affd54a89669b917a3d762898a433c80d1e26092a5e3d2d48a517a8f2
Instruction Fuzzy Hash: 9551F131A0CA998FDB48DF5898655BA73E2FF98340F14427ED45AC7286CF35E842C785

Function 00007FF848F2B3D0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0f29257bb3a0f287e04f24f9aa2f5a0d164f1b586ecd0e15042ef348176e74
Instruction ID: 22af509786397b79936f5cd091aad2a6d8d97d50cf5d8a7906a97044363259d9
Opcode Fuzzy Hash: 1d0f29257bb3a0f287e04f24f9aa2f5a0d164f1b586ecd0e15042ef348176e74
Instruction Fuzzy Hash: 5251E572D1D986DFE341BB7868594F9BBE0FF12354F0841B6C4888B0D3EE2A6456C359

Function 00007FF848F23235 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4042b6495ef94aed7aa76bda9a71a6805f45bfcda51efc2f4e673052567a35
Instruction ID: 66ddaffad376e1a656df8b173c9f4435e375e62e3fca2164d39acd1cb958e813
Opcode Fuzzy Hash: db4042b6495ef94aed7aa76bda9a71a6805f45bfcda51efc2f4e673052567a35
Instruction Fuzzy Hash: 075126B0D0C60D8FEB54EBA8E4956EDBBB1EF58350F10007AD009E72E2DB39A944CB55

Function 00007FF848F22155 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bfa4dde76acd571a91d38206cdf00ba975f21e15a8795882ef0d0d8db8cebbe
Instruction ID: aa45e9a957e7f897335d3a540a81ad65430b35d664d0eca8ee94e7756916f3f8
Opcode Fuzzy Hash: 7bfa4dde76acd571a91d38206cdf00ba975f21e15a8795882ef0d0d8db8cebbe
Instruction Fuzzy Hash: A0412631E0D64A4FE745EB78A8565B9BBE1FF46380F0448B6D40DC71E2DF39A8418365

Function 00007FF848F20805 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ea20559d1205a6a796a5dce6254af3a41bc2fc490d45e79d219f1203efc1a0
Instruction ID: c300017f0bde70c8c963c32053681774703be3d399282c2b860983b2117df210
Opcode Fuzzy Hash: e4ea20559d1205a6a796a5dce6254af3a41bc2fc490d45e79d219f1203efc1a0
Instruction Fuzzy Hash: C7212573D0E6869BE3547778B8591EA7BD0FF91394F184073D448C90C3EE1AA0568295

Function 00007FF848F2B73F Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861224320db8ecdba809833eb3ea279827df113f7e5dda8450a2df2b30a68911
Instruction ID: 072f87938e68a556c3901f59ce0dcc78a8260ecd0fa1bd757dcddd676d99f7e5
Opcode Fuzzy Hash: 861224320db8ecdba809833eb3ea279827df113f7e5dda8450a2df2b30a68911
Instruction Fuzzy Hash: 76313871D1965ACFEB58EF98E8546ECB7F0FF58351F0002BAD409A32D1DB3919848B18

Function 00007FF848F2B0F2 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602d619cbd705a24a602c044d380bec63b14cceea7fbed286aa0bbca49c593b1
Instruction ID: 57a26f3158ee01131b82e2e57281434150f8ac7424e39458e40f39860cacfa2a
Opcode Fuzzy Hash: 602d619cbd705a24a602c044d380bec63b14cceea7fbed286aa0bbca49c593b1
Instruction Fuzzy Hash: 9721D031A1A51E9ED744FBA8E8192FE77A0FF05355F00067BD00DCA0D2DF29A944C798

Function 00007FF848F23440 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 193f7c03a2b8b57be8eebc64ccf7ce0fa919746308fc05f1c6a6bb4f66486ab1
Instruction ID: 4e7b5d4495db1657844050b7c9ebc73017ed19e6ceafd8282c0474543f551a81
Opcode Fuzzy Hash: 193f7c03a2b8b57be8eebc64ccf7ce0fa919746308fc05f1c6a6bb4f66486ab1
Instruction Fuzzy Hash: FF217F7084D7CA8FD743AB7488586A97FF0EF0A350F0904FBD444CB0A3DA699459C722

Function 00007FF848F20A01 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8bd0de35b236bd07288e2408973a0e6a738590139b6e6cf38862152bc3ed76
Instruction ID: 4e506032800d475e06f9107dcfda6f8ee1bc29cdacf5fe1c746293e75225adc8
Opcode Fuzzy Hash: 7e8bd0de35b236bd07288e2408973a0e6a738590139b6e6cf38862152bc3ed76
Instruction Fuzzy Hash: 8C115B32D0854E9FE780FB68D8492B97BA0FF98380F8405B6D808C6196EF39A5448B40

Function 00007FF848F235D1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f8e0464315f7448f17e1a210405075201309fc7f25fcd901038f4904684c02
Instruction ID: e043573f1d4a4821864e2c21ac326b64c5b424d21ba076bd224ded093f5b6cfc
Opcode Fuzzy Hash: c2f8e0464315f7448f17e1a210405075201309fc7f25fcd901038f4904684c02
Instruction Fuzzy Hash: 4611707090C64E8FDB44EF2884596BDBBA0FF18341F4004BAD41AC72E1EB36A0408705

Function 00007FF848F2B7AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40280fa0538f737aff07a9a88f7cdb3696538cdf929e9fab910d9252ff1b332
Instruction ID: 2911e52769640f176d26b153fa3a063c3172040742a08495dcb9f67d7cb4406b
Opcode Fuzzy Hash: a40280fa0538f737aff07a9a88f7cdb3696538cdf929e9fab910d9252ff1b332
Instruction Fuzzy Hash: B8114971C2D55ACEDB59EB64A4557ECBAF0FF18340F1002BAD40DA22C2DB3959848B18

Function 00007FF848F2B225 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd3f6dc443938ca13bd5ed0f308254927c51bdf73abfaa0ef8f0ce513eca9cb
Instruction ID: f9201a0a85d6a8927c9e8054f2d78579b3a1977613515f292130380fe84628de
Opcode Fuzzy Hash: 9dd3f6dc443938ca13bd5ed0f308254927c51bdf73abfaa0ef8f0ce513eca9cb
Instruction Fuzzy Hash: 5A115E70D0860E8FEB84EF68D4486FEB7A1FF98341F244976E419C2195DB34A195CB84

Function 00007FF848F205D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c8ed7286cd05bece2a74f46ab495d8036bb2db14990423c89800e1f5b4882e
Instruction ID: b0dd37d64d2fddd292ea436819f0e784230d21cb07757098f74ef9607e8073e5
Opcode Fuzzy Hash: d2c8ed7286cd05bece2a74f46ab495d8036bb2db14990423c89800e1f5b4882e
Instruction Fuzzy Hash: 58018C3094854E8FEB48FF64D0586BA77A1FF58345F60047AD40EC21C0CB32B590CB48

Function 00007FF848F20B15 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69271b50fdf179fd5e49cdf85c1fdc339554461c196ae7fc6fb241ae874a853
Instruction ID: 0124983995fcba37cfe1af4b82d1958c23b18405ebff43cc1164dd34f19ec1b1
Opcode Fuzzy Hash: c69271b50fdf179fd5e49cdf85c1fdc339554461c196ae7fc6fb241ae874a853
Instruction Fuzzy Hash: 69019E32D1D64A8FEB51FB2498595A97BE0FF99341F4505BAD808C70E2EB35A4408B05

Function 00007FF848F2B2D8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b8c3674a9a7b5a0a6dd87c34c37daebb090d772c7e31e378a66d8c106339f05
Instruction ID: d6092ee945aa9758251b67fd9b2d252a8d883edd57663006962da37ef07ed609
Opcode Fuzzy Hash: 1b8c3674a9a7b5a0a6dd87c34c37daebb090d772c7e31e378a66d8c106339f05
Instruction Fuzzy Hash: DC011A30918A0E9EEB84FB64C4586FEB6E0FF28345F50087AE41ED25D1DF35A590C704

Function 00007FF848F2291D Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93446d4cb57e2009e52b05943d01d4fd9a7e7411121fad2d7c833fdfc7a088b6
Instruction ID: 4fc4d6954502f62a36340a9b23a87357712269321853ff31dcae06f4a5dca5a2
Opcode Fuzzy Hash: 93446d4cb57e2009e52b05943d01d4fd9a7e7411121fad2d7c833fdfc7a088b6
Instruction Fuzzy Hash: 7B01B831D0C64E8FE781FB6898886B9BBE0FF19340F4509B6D408C70A2EB39E080C705

Function 00007FF848F21CBD Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b5181ed492fc7a314885071fe3744340d1a75ace771e35e1826230eddc32b9
Instruction ID: 5975620408b5bcc44a51f9de3cf0cbf08a111fe871670e69673b047fc166de84
Opcode Fuzzy Hash: 31b5181ed492fc7a314885071fe3744340d1a75ace771e35e1826230eddc32b9
Instruction Fuzzy Hash: 2B01A43084D68E8FEB98EF6498552FA7BE0FF55341F50007AE809C61D1DB36E890C788

Function 00007FF848F22FB9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b96b8fd25c9aa66f38742bbb5ea44a8c34b501d1e31df6e7636abff1f0d49c
Instruction ID: 3b36eb34079a59a3df66b20c005f27b955a1f02ca7c7212536fad6e0de635350
Opcode Fuzzy Hash: c5b96b8fd25c9aa66f38742bbb5ea44a8c34b501d1e31df6e7636abff1f0d49c
Instruction Fuzzy Hash: DC018F3090D6895FE752FB7898995A9BFE0EF59340F0508F3D409C70E6EF39A4448715

Function 00007FF848F20608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3617434937452697bc53feede512b6bd946765389ddf1a39cfd7bd6104b0656c
Instruction ID: 5de4e1f801473c5a8879741a180ea245032c00813b07c6d2c57134b3a0caa282
Opcode Fuzzy Hash: 3617434937452697bc53feede512b6bd946765389ddf1a39cfd7bd6104b0656c
Instruction Fuzzy Hash: 56016930859A0E9EEB49FFA490582F9B7A0FF18345F20087EE40EC21D1DF36E150C605

Function 00007FF848F20610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931d574d50f7bd86f7e3839d43b441261cfcea0de4651d63ade3fce1e3b2a500
Instruction ID: c4ec1b6e87c67b96b063dbffbbe9754ecd448e9ffaf1cc23c44dbdca779f9290
Opcode Fuzzy Hash: 931d574d50f7bd86f7e3839d43b441261cfcea0de4651d63ade3fce1e3b2a500
Instruction Fuzzy Hash: 8301463091960E9EEB48EBA494592B9B7A0FF18345F6008BEE40AC21D1DF3AA590C604

Function 00007FF848F2B04A Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5fe99a967ec5c63c3f5c1b184b13998760a826e387f05ad9216aae01e1ef932
Instruction ID: b47e3276c21750c7bc97ac2e18c53c8046f4887b1c5855436d77bf7f21ace941
Opcode Fuzzy Hash: f5fe99a967ec5c63c3f5c1b184b13998760a826e387f05ad9216aae01e1ef932
Instruction Fuzzy Hash: B5F04F3092C50E9EE752FB78A4495B9BAE0EF18351F4408B2D819D20A2EF75A5848605

Function 00007FF848F205D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96bfe6edb113d3414199e33f04bb877f2632d452e5db6629f118c9d66a4e4707
Instruction ID: d9d9726aaa353b4b052c12ae898034d30c8a4e960d2bb96ddf7dca70878a9032
Opcode Fuzzy Hash: 96bfe6edb113d3414199e33f04bb877f2632d452e5db6629f118c9d66a4e4707
Instruction Fuzzy Hash: F8F04F3095D68E8FEB44EF68A4552FA77A4EF55344F50057AE80DC21C1DB36A5A0C788

Function 00007FF848F22839 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2288a0ff5a7f7c337b981d73dc769bb98790b38032f9023cbed7e25890949d08
Instruction ID: db44abcbedaefb72a56e8ee4150d73597af23308fda54b91511562ba3925c4de
Opcode Fuzzy Hash: 2288a0ff5a7f7c337b981d73dc769bb98790b38032f9023cbed7e25890949d08
Instruction Fuzzy Hash: D6F0C23080E7C98FDB5AAF2098582E97FA0FF16201F4508BBD448C61E2DB39D414C302

Function 00007FF848F228AD Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dead69dde311a30ec20c81027525c44bc9ddb4d6775406da492446fcd6518f82
Instruction ID: d868163064730ddb5c33043471f6ffe3c33a328c94ad06c06a643a04fa7e2096
Opcode Fuzzy Hash: dead69dde311a30ec20c81027525c44bc9ddb4d6775406da492446fcd6518f82
Instruction Fuzzy Hash: 41F0903180D68D8FEB59AF6498591FD7BA0FF15301F5018BAE409C21D1DB3994508701

Function 00007FF848F2B0A5 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c1d341530179192dae79af86d1eed2042ab1a7a03eb1c077300cf147b69e60
Instruction ID: 5e75e1ea8655686f0d9ec6560fcb12f59678059532fef12b8af88079b5607f61
Opcode Fuzzy Hash: 00c1d341530179192dae79af86d1eed2042ab1a7a03eb1c077300cf147b69e60
Instruction Fuzzy Hash: ADF0823591E3868FD313DB64A8A11F93B709F423A5F1A46F7C449CA0E3EB2D58888355

Function 00007FF848F2BE37 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c26a1580fef4e42eac5d050e77c4c4f2c4e0e39ca5eb14658f7ec6ac408bf7c
Instruction ID: 838399197a55c73b933d6e00b1703d4d8cd0115d127fa2f9adea9094862632dc
Opcode Fuzzy Hash: 4c26a1580fef4e42eac5d050e77c4c4f2c4e0e39ca5eb14658f7ec6ac408bf7c
Instruction Fuzzy Hash: 01F0C970C1855E8EDBA0FB58D8443ACB6B0FF48340F8046FA940DE22A2DF751AC08F08

Function 00007FF848F2B0B8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4126433bc1f23478a49e7ec841df54aa69d309a14f127a3564698c1ab93999
Instruction ID: af8bbb69620fd7b3792f675633b9c26b63f9d614043afdd0a1279c41f0c15d16
Opcode Fuzzy Hash: 5f4126433bc1f23478a49e7ec841df54aa69d309a14f127a3564698c1ab93999
Instruction Fuzzy Hash: 0BE0D83581D107DEE311FB6874E01FA33A0DF403A8F140A37C44C890D3EF5D54840188

Function 00007FF848F2045D Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb94cc196a484d345b5b9ae4a4bae8fbc1f41544e04e30fd548ffc19638d3c0
Instruction ID: c097ede5a0affdee2f5ed247c1c0bdf7e239a880f2b9c8877e4794eaf7657fe5
Opcode Fuzzy Hash: feb94cc196a484d345b5b9ae4a4bae8fbc1f41544e04e30fd548ffc19638d3c0
Instruction Fuzzy Hash: D0E0925280F7C19ED313A77868640686FA49E43158B1D84EFC4D48A0E7A50A58598327

Function 00007FF848F20FC9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2165517568.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ff848f20000_lcSuFJtLNWPBXChyfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5336802f9cbda0bc2ca6598b5c471fe821e18d2d26a49892ce8a9fe9e3da462
Instruction ID: 2d0c4824718dffbe482da92443b187f7aafd5a879112301276592afb4f6c8343
Opcode Fuzzy Hash: a5336802f9cbda0bc2ca6598b5c471fe821e18d2d26a49892ce8a9fe9e3da462
Instruction Fuzzy Hash: FDE0E230D1A52D8EEB90FB18DC51BAEAAB1EF84344F5041B5D00DA32D6CF396E858F58

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RlZ57mJ5Ug.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Common Files\26c12092da979c

C:\Program Files (x86)\Common Files\ctfmon.exe

C:\Program Files (x86)\Common Files\ctfmon.exe:Zone.Identifier

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\93b40338b961c8

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lcSuFJtLNWPBXChyfo.exe:Zone.Identifier

C:\Program Files\Reference Assemblies\Microsoft\Framework\5940a34987c991

C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe

C:\Program Files\Reference Assemblies\Microsoft\Framework\dllhost.exe:Zone.Identifier

C:\Program Files\Windows Multimedia Platform\93b40338b961c8

C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe

C:\Program Files\Windows Multimedia Platform\lcSuFJtLNWPBXChyfo.exe:Zone.Identifier

C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\93b40338b961c8

C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe

C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\lcSuFJtLNWPBXChyfo.exe:Zone.Identifier

C:\Recovery\5b884080fd4f94

C:\Recovery\93b40338b961c8

Windows Analysis Report
RlZ57mJ5Ug.exe